Op Maturity

The RIIOT Method comprises five different approaches to data gathering. It can be applied to the administrative, physical and technical areas, and it is a core underlying principle of any assessment activity.

Review Documents

Interview Key Personnel

Inspect Security Controls

Observe Personnel Behavior

Test Security Controls

The collection and analysis of this information then contributes to an ISO 27001/2 and ITIL v3 assessment mapping. The ITIL v3 maturity levels are summarized below.

For each maturity level the table gives the importance of IT and information to the organization, what is typical for security at that level, and the type of organizations usually found there.

Maturity level: Informal / ad hoc (technology driven)
  Importance of IT and information: IT and the use of information sources are of limited importance.
  Typical for security: Backup and incident management.
  Type of organizations: Small and medium enterprises not dependent on IT; small shops.

Maturity level: Controlled
  Importance of IT and information: Highly standardized IT use and services.
  Typical for security: A baseline set of controls or control objectives; adherence to external/industry standards.
  Type of organizations: Service providers with standardized services for a wide range of organizations or consumers (housing or hosting); organizations with standard use of IT and no high security demands for information.

Maturity level: Service oriented
  Importance of IT and information: Reliability of specific services (email or Internet) is a discriminator.
  Typical for security: Service-specific risk analyses; provider-focused information risk management; KPIs (KRIs) focus on service security and SLAs.
  Type of organizations: Service providers with common services for wide and common use (email, Internet use, payroll provisioning, HR management); clients of these standardized services, often seen as supporting facilities.

Maturity level: Customer oriented
  Importance of IT and information: Crucial and specific for each customer.
  Typical for security: Information risk management takes the customer's risks into account; common risk and security processes between the service provider and the customer.
  Type of organizations: Service providers for a specific type of customer (banks or government); Internet service providers; cloud service providers.

Maturity level: Market oriented
  Importance of IT and information: Information and IT risks have a vital impact on the core business.
  Typical for security: Information risk management is focused on the market and/or customer groups in the market; the aim is to offer confidence to the market; compliance is based on external rules and regulations; oversight is organized in the market.
  Type of organizations: Organizations of systemic importance for the market, for example dominant players in the IT provisioning of individual organizations, whose trustworthiness affects the whole market and the surrounding aspects of that market.

Copyright 2003 Treadstone 71. info@treadstone71.com, 1-888-687-8450 (office), 508.519.0363 (fax)