INFOSEC Control and Maturity Assessment


One of the difficulties every organization faces is determining exactly where it stands with regard to security. An audit around a regulatory standard, such as the PCI DSS, will give a clear picture of what needs to be done to meet that regulation. Meanwhile, a penetration test shows how much work is needed for a skilled attacker to compromise your IT systems by acting on a subset of your available vulnerabilities. But where does the organization as a whole stand as far as information security? What has the greatest value to your organization and is it well protected? To answer these questions, a more business-focused view is necessary.

  • SecureState assesses Security Programs on 15 Security Domains
  • The CMMI model is leveraged to rate control maturity within INFOSEC assessments
  • The INFOSEC serves as the centerpiece for building and managing Security Programs
  • This is coupled with the iRisk Assessment for a complete approach


Performing this assessment on an annual basis provides an organization with a clear view of the current state of its entire security program, as well as how that state has changed over time. The controls are precisely defined and chosen so that the assessment does not distract attention from running the business. The recommendations provide essential, actionable information and ultimately add value to the business.

This approach reviews the design of each control and, through validation efforts, addresses its effectiveness, noting controls that are missing or broken. Coupled with an iRisk assessment, which identifies and assesses risks that could impact the achievement of business objectives, the organization gains a useful, holistic foundation for its security program.


SecureState has performed hundreds of assessments using the INFOSEC methodology over the last 10 years and has continually refined the process over time. The INFOSEC methodology has been employed to assess small, private organizations of fewer than 100 employees, as well as Fortune 500 corporations with thousands of employees.

Assessments have been performed across numerous verticals, including healthcare, manufacturing, financial services, government, and service providers. Assessments are performed by assessors with a wide range of expertise, including ISO 27001 Auditors, PCI Qualified Security Assessors (QSA), Certified Information Systems Security Professionals (CISSP), GIAC-certified Penetration Testers (GPEN) and GIAC-certified Web Application Penetration Testers (GWAPT).

Our Approach and Methodology

Comprehensive Review

SecureState has developed an approach that is highly effective in documenting a company’s Current State (CS) and ultimately assisting in moving it to a Desired State (DS). SecureState utilizes the INFOSEC methodology coupled with a maturity ranking to assess an organization’s controls across 15 different Security Domains. These include:

  • Policies & Procedures
  • Organizational Structure
  • Governance and Compliance
  • Network Security
  • Wireless Security
  • Operating System Security
  • End User Security
  • Voice Communications
  • Incident Response
  • Business Continuity
  • Data & Asset Classification
  • Physical Security
  • Internet Presence
  • Application Security
  • Remote & Mobile Security

Integration of the CMMI Framework

Developed by the Software Engineering Institute at Carnegie Mellon University, the Capability Maturity Model Integration (CMMI) framework is used to define process maturity, with an eye on continued improvement. SecureState applies the CMMI framework to the 15 control areas of the INFOSEC to assess the maturity of an organization’s Security Program, and provide a roadmap for ongoing improvement.

Within each of the 15 control areas, between 3 and 5 representative controls have been chosen. The INFOSEC process assesses whether each control is in place and evaluates the design of each control. The resultant control rating reflects how well the control should mitigate its associated vulnerabilities assuming the design is followed exactly. In practice, controls are rarely implemented exactly as planned or consistently kept in place. To account for this, the INFOSEC process also assigns an effectiveness score to each control, reflecting how well the control is actually performing. Additional assessments such as penetration tests, social engineering, and process audits are necessary to evaluate the effectiveness of these controls; a control review alone can only speak to design.

Finally, an organization’s maturity level within a domain is determined by meeting ALL controls for that maturity level and every level below it. A single missing control for level 3, “Defined,” within the Network Security domain will leave the maturity level for that domain at level 2, “Repeatable,” regardless of how many higher-level controls are in place. This provides clear direction as to which controls an organization needs to implement in order to increase its maturity within a given domain.
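The roll-up rule described above (a domain sits at the highest level for which every control at that level and below is met, with a missing level-3 control capping the domain at level 2) is small enough to make precise in code. The following is an added illustration, not SecureState’s own tooling; the data model (each control tagged with the level it evidences, an in-place flag, a design rating and an effectiveness score), the sample Network Security controls, and the optional effectiveness threshold are all assumptions made here for the example.

```python
"""Domain maturity roll-up using the all-controls-at-a-level rule.

Added example, not the assessment vendor's code. Assumed data model: each
representative control is tagged with the maturity level it evidences, whether
it is in place, a design rating and a validated effectiveness score (0-100).
"""
from dataclasses import dataclass, replace

# Level names as used on the page.
LEVEL_NAMES = {
    0: "Non-Existent",
    1: "Initial / Ad Hoc",
    2: "Repeatable",
    3: "Defined",
    4: "Managed",
    5: "Optimized",
}


@dataclass(frozen=True)
class Control:
    name: str
    level: int          # maturity level this control evidences (1-5)
    in_place: bool      # control exists and its design has been reviewed
    design: int         # 0-100: how well it should mitigate if followed exactly
    effectiveness: int  # 0-100: how well it actually performs (needs validation)


def control_met(c: Control, min_effectiveness: int = 0) -> bool:
    """A control counts toward maturity when it is in place and, if the assessor
    requires validation, its measured effectiveness clears the bar.
    The threshold is an assumption of this example, not the page's stated rule;
    with the default of 0 only the in-place (design) check applies."""
    return c.in_place and c.effectiveness >= min_effectiveness


def domain_maturity(controls, min_effectiveness: int = 0) -> int:
    """Highest level L such that every control at every assessed level <= L is met.

    Levels are cumulative: one unmet control at level 3 caps the domain at 2 even
    if all level-4 controls are met. Levels with no representative control are
    passed through (nothing to miss), and a domain can never exceed the highest
    level it was actually assessed at. No controls at all -> Level 0."""
    level = 0
    for lvl in sorted({c.level for c in controls}):
        at_level = [c for c in controls if c.level == lvl]
        if all(control_met(c, min_effectiveness) for c in at_level):
            level = lvl
        else:
            break  # first gap stops the climb
    return level


def gap_to_next_level(controls, min_effectiveness: int = 0) -> list:
    """Names of the unmet controls that block the next assessed level."""
    current = domain_maturity(controls, min_effectiveness)
    higher = sorted(lvl for lvl in {c.level for c in controls} if lvl > current)
    if not higher:
        return []
    target = higher[0]
    return [c.name for c in controls
            if c.level == target and not control_met(c, min_effectiveness)]


# Constructed sample: a Network Security domain with one level-3 control missing.
NETWORK_SECURITY = [
    Control("Network segmentation standard documented", 2, True, 80, 75),
    Control("Firewall rule changes follow change control", 2, True, 85, 70),
    Control("Firewall rulesets reviewed quarterly", 3, False, 0, 0),
    Control("Network security metrics reported to management", 4, True, 70, 60),
]

# Same domain after the quarterly review is put in place but validated as weak.
NETWORK_SECURITY_VALIDATED = [
    replace(c, in_place=True, design=75, effectiveness=40)
    if c.level == 3 else c
    for c in NETWORK_SECURITY
]


if __name__ == "__main__":
    lvl = domain_maturity(NETWORK_SECURITY)
    print(f"Network Security: Level {lvl} ({LEVEL_NAMES[lvl]})")
    print("To reach next level, implement:", gap_to_next_level(NETWORK_SECURITY))
    print("After remediation, design only:",
          domain_maturity(NETWORK_SECURITY_VALIDATED))
    print("After remediation, effectiveness >= 50 required:",
          domain_maturity(NETWORK_SECURITY_VALIDATED, min_effectiveness=50))
```

The first run shows the page's own worked case: the level-4 reporting control is in place, but the missing level-3 review holds the domain at Level 2 and is named as the gap. The remediated variant shows why the effectiveness score matters: judged on design alone the domain climbs to Level 4, but once the assessor requires validated effectiveness of at least 50, the weak quarterly review drops it back to Level 2.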

CMMI Level Definitions

The maturity scale used by the INFOSEC has six levels, 0 through 5, which are applied to the controls within a specific area. By mapping its controls to the ISO 27002 control framework, an organization can understand how mature its Security Program is.

Level 5: Optimized

Continuous improvement of process performance through incremental and innovative corrective action.

Level 4: Managed

The security control area can be monitored and measured; however, management of the control area is not yet fully automated or scheduled.

Level 3: Defined

The security control area has been defined and documented, and is communicated through awareness training; however, following it is left to individual personnel.

Level 2: Repeatable

Some processes within the security control area are repeated; however, planning, performance monitoring, and awareness outside the department are minimal.

Level 1: Initial / Ad Hoc

The security control area is immature, and any processes that exist were developed reactively; planning and performance monitoring are generally non-existent.

Level 0: Non-Existent

No evidence exists that the security control area is being addressed at all.

What Makes Us Different

  • The INFOSEC assesses Security Program maturity, a consistent metric in the face of ever-changing threats
  • The INFOSEC uses the SEI Capability Maturity Model Integration to provide granular maturity ratings by Security Domain
  • The INFOSEC provides clear direction for an organization to improve its maturity within each domain, by identifying the key controls that should be implemented
  • It ties together an interview-based control audit, a hands-on technical assessment and a quantitative risk assessment (iRisk) into a blueprint addressing both strategic and tactical needs
  • The INFOSEC enhances an organization’s ability to assess risk and prevent future attacks or critical incidents
  • It improves an organization’s ability to communicate about compliance and security issues