Strategic Cybersecurity Consulting
Information Security Benchmarking
Increasing costs for security breaches, EU GDPR compliance
and lack of employee awareness are key challenges
Management summary – key insights
Know your Crown Jewels – % of the respondents state customer data as the most critical asset; besides that, personal information and password credentials are regarded as essential crown jewels
Information Security Risks – participants consider cyber attacks/external attacks in general as well as data loss/leakage as the most prevalent risks; furthermore, employee awareness and compliance are stated as crucial
Information Security Drivers – the majority of participants consider the protection of information and compliance with regulations as the key driver for Information Security; however, this year enabling Digital Transformation also becomes a driving force
Increasing Security Budgets – although currently companies on average only dedicate about % of their IT budget to security, % indicate an increase of their security budget in the next fiscal year
Lack of Employee Awareness – while most companies state board attention and knowledge in general as their top strengths, employee awareness is regarded as the major improvement field
Budget Constraints Impeding Security Contributions – about one third of participants designate budget constraints as the main obstacle challenging the information security contribution; % state that information security does not meet their organization's needs
Lack of Detection Mechanisms – while most participants employ mechanisms to detect security incidents, roughly % still do not have real-time detection mechanisms in place
Lack of EU GDPR Compliance & Increasing Cloud Usage – only % of respondents already fully comply with EU GDPR regulations; % of participants already use cloud services, with IT being the prevailing operation
© Capgemini Consulting 2017. All rights reserved.
Content
Introduction to the Study
- Participants' Information
Overall Study Results
Security Maturity Assessments
About Capgemini & Questback
Extensive regulatory requirements and rising cyber threats put the success of Digital Transformation at risk and interfere with business operations
Cybersecurity Challenges
New digital requirements and trends; lack of cybersecurity know-how; organized cybercrime with sophisticated attacks
Participants from various industry sectors participated in this year's Information Security Benchmarking study, providing detailed insights into their state of security
Participants' Information*
Company size
DACH
Spain
France
Nordics
Netherlands
Other
Participants' origin (above) and participants' industry sectors (below)
Financial Services
Manufacturing
Energy & Utilities
Consumer Products, Retail
Life Sciences and Healthcare
Logistics and Transportation
Other
* Number of participants =
Role of participants
More than % of study participants hold CISO/CIO positions
CISO/ IT Security Manager
CIO
Chief Security Officer (CSO)
Chief Executive Officer
Chief Operations Officer
Chief Technology Officer
IT Business Partner
Other
In this year's Information Security Benchmarking Study a wide range of participants from different positions took part and gave their opinion on current security topics
From market leaders and hidden champions to participants from the public sector, Capgemini's Information Security Benchmarking Study covers a wide range of industry sectors
Participants' Industry Sectors
Based on proven standards and methods, Capgemini's Information Security Benchmarking Study evaluates all relevant information security areas of the participants' organizations
Information Security Benchmarking
Covers all relevant Information Security Areas
Structure of the study
Scope of the Benchmarking Study
The Maturity Level Assessment thoroughly evaluates participants' security standards based on current and target state
Maturity model – Design Principles
To achieve reliable results, the study aims at an objective and repeatable security Maturity Assessment of all participants
Objectivity is achieved by assessing each Information Security component based on a clearly defined -level maturity model
Both current and target state are assessed
Content
Introduction to the Study
Overall Study Results
- Risks, Drivers & Crown Jewels
- Information Security Budget and Organization
- Strengths & Improvement Fields
- Information Security Incident Handling & Breaches
- Focus Topics of the Study
Security Maturity Assessments
About Capgemini & Questback
In , cyber attacks are considered the major risk for organizations
Information Security risks
Ranked top risks: cyber attacks/external attacks in general; data loss/leakage; employee awareness; malware; compliance
% of all participants name cyber attacks/external threats in general as one of the Top 3 most critical risks
Customer data, personal information and password credentials are the most critical information assets as identified by most participants
Crown Jewels
of all participants consider customer data as the most critical asset
= Top crown jewels
Critical assets at risk
Threat types: internal threats; suppliers and partners; external threats
Critical assets (share of participants naming each): strategic business information; intellectual property; financial transactions; corporate financial data; operations data; security concepts; health data; e-mails; trading data; social data; draft contracts; other; personal information; password credentials; customer data
In contrast to last year, Information Security is gaining importance as an enabler for Digital Transformation
Drivers for Information Security
Protection of information and data; compliance with security requirements imposed by authorities; prevention of system outages/business process functionality; enabler for Digital Transformation; safeguard for reputation/brand image; support for business goals; compliance with security requirements imposed by clients; protection of physical assets; safeguard of humans; prevention of major crises that occurred in the past; strengthening competitiveness; increase of efficiency/cost reduction
% of all participants rated protection of information and data as a driver for Information Security
Information Security Budget ( / ) - Volume & Change
On average, the Information Security budget translates into . % of the IT budget, with a strong tendency to increase in the next years
Charts: Information Security budget (in €)*; Information Security budget as percentage of IT budget; increase/decrease of Information Security budget
Industries shown: Consumer Products, Retail; Energy & Utilities; Financial Services; Manufacturing; Life Sciences and Healthcare; Logistics and Transportation; Other
*logarithmic axis
% of all participants indicate an increase of their Information Security Budget in the upcoming fiscal year
. % of IT budget are dedicated to security by participants across all peer groups
Information Security budget ( / ) - Investment areas
Response and Recovery (e.g. BCM, Crisis Management, Incident Management, Communication)
Prevention (e.g. Security Strategy, IT Risk Management, Governance, Policies, Asset Management, Awareness)
Detection (e.g. SIEM, Security Operations Center (SOC), Intrusion Detection Systems (IDS), Audit)
Protection (e.g. Access Control, Data Security, Firewalls, Antivirus, Backup)
The largest share of the budget is spent on "Protection"; however, compared to the previous year, companies spend an increased budget on "Detection"
Medium-sized companies have a balanced allocation of Full Time Equivalents (FTEs)
Medium-sized companies (≤ , Employees)
is the average number of Inhouse Information Security Management FTEs
is the average number of Inhouse Operational Technical Security FTEs
is the average number of Outsourced Information Security FTEs
Large-sized companies (> , Employees)
Large-sized companies outsource a significantly larger fraction of FTEs
While participants state Board Attention and Knowledge in general as the top strengths, the awareness of employees is considered the major improvement field
Strengths and improvement fields of participants' Information Security
Ranked top strengths: Board Attention/Awareness of Management; Information Security Know-how; Information Security Governance; Regular Audits/Testing; Employee Awareness
Ranked top improvement fields: Employee Awareness; Involvement of Information Security in Business Decisions; Risk Management; Information Security Governance; Identity and Access Management
One third of participants designate budget constraints as the main obstacle challenging the Information Security contribution; % state that Information Security does not meet their needs
Strengths and improvement fields of participants' Information Security
Main obstacles that challenge Information Security effectiveness: budget constraints; management and governance issues; lack of executive awareness or support; lack of skilled resources; fragmentation of compliance/regulation; lack of quality tools for managing Information Security; other
Security function fully meets organization's needs: Always / In most cases / Sometimes / Not at all
Estimate of Information Security Competitiveness (= Industry average): Below the average / On average / Above the average / Best of breed
About % of participants have no real-time detection mechanisms implemented
Ability to detect malicious behavior
Mechanisms to react to Information Security incidents: Trusted Professional Alliances; Threat Scenarios; Security Incident Management process; Reaction plans regularly tested; Reaction Plans developed; Digital Threat Intelligence; Digital Security Incident Response Team; Cyber Insurance; Crisis Management; Other
Besides a stable process, security incident handling requires a broad range of techniques
Detection status: Yes, critical assets are monitored against intrusion; Yes, a Security Operations Center (SOC) is deployed; Yes, business activities are monitored against fraud; No, procedures for real-time detection are not implemented; Do not know; No, detection procedures do not exist
The average cost per security breach is constantly growing every year
Information Security breaches
is the average cost per security breach across all participants
Cost per security breach per industry (chart: cost in K € against number of security breaches; All; Consumer Products, Retail; Energy & Utilities; Financial Services; Manufacturing; Other; Life Sciences and Healthcare)
Only % of overall participants fully comply with the new EU GDPR regulations
Focus Topic - EU GDPR ( / )
Degree of EU GDPR compliance: Not at all / To some extent / Mostly / Completely
% of all participants fully comply with EU GDPR regulations
Setting up or revising Privacy Impact Assessment is the prevailing measure to ensure EU GDPR compliance
Focus Topic - EU GDPR ( / )
Top measures to ensure compliance with EU GDPR
Set up or revise Privacy Impact Assessment (PIA) procedures to ensure that methods apply to GDPR's Privacy-by-Design
Review current databases, records, and archives to see what is in place and what is missing to meet record keeping and data retention requirements
Identify personal data, including "special" data, to determine their specific protection
% of participants already use cloud services, with IT being the prevailing operation
Focus Topic - Cloud Security ( / )
Extent of cloud usage: Not at all / To some extent / Mostly / Completely
Operations in the cloud: IT; Marketing and Sales; Operations; Customer Service; Finance; No/None
Screening of service providers and data encryption are the dominant measures to ensure Cloud Security
Focus Topic - Cloud Security ( / )
How Cloud Security is ensured: screening of service providers to ensure appropriateness; encryption of data; determination of legal liabilities of the service provider; regular reviews of the cloud service provider; holistic access management; evaluation of the provider's incident response policies; other
DevOps is mainly adopted for faster resolution of problems and continuous software delivery
Focus Topic - DevOps ( / )
Why companies adopt DevOps: faster resolution of problems; continuous software delivery; reduced cost/time; greater professional development opportunities; improved communication and collaboration; increased ability to reproduce and fix defects; increased test coverage; more stable operating environments; higher employee satisfaction and engagement; reduced challenges related to Dev and Ops collaboration; less complexity to manage; increased environment utilization; other
% of overall participants do not employ DevOps yet
Code reviews as well as secured and controlled access to privileged accounts are major controls
Focus Topic - DevOps ( / )
Which security controls companies integrate into DevOps: code review for security-sensitive code portions; manage, secure and control access to privileged accounts; automated security testing techniques; authenticate and authorize apps and container access; connect developers to security issues; continuous vulnerability assessment and remediation; other; standardizing the integration cycle; identify unsecured APIs and frameworks; inventory and tracking of authorized and unauthorized software; configuration management systems; map security-sensitive code portions; monitor user activity; use a secure framework such as Spring Security, JAAS, Apache Shiro, Symfony
Content
Introduction to the Study
Overall Study Results
Security Maturity Assessments
- Overall Security Maturity Assessments
- Individual Security Maturity Assessments
About Capgemini & Questback
In general, all sectors show high maturity in the domain "Technology", with key improvement potentials in the "Organization & People" domain; the overall maturity accounts to .
Overall Security Maturity Assessment ( / ) - Peer Group Overview
Chart: overall security maturity assessment per domain (Strategy & Governance; Organization & People; Processes; Technology) and per peer group (Financial Services; Energy & Utilities; Manufacturing; Consumer Products & Retail; Life Sciences & Healthcare; Logistics & Transportation; Other)
A correlation between the Information Security budget as percentage of IT budget and the maturity level could not be detected; even with a small budget, high maturity levels can be achieved
Overall Security Maturity Assessment ( / ) - Maturity Level vs. Budget
Chart: maturity level against Information Security budget as percentage of IT budget, with means marked, peer groups (Financial Services; Energy & Utilities; Manufacturing; Consumer Products & Retail; Life Sciences & Healthcare; Logistics & Transportation; Other) and the clusters "Security Master", "The Innocent Security Pretenders" and "Cost-intensive Security Showpieces"
With an average maturity level of . , Example Company is below the average maturity level of . of its peer group
Key findings
Overall Security Maturity Assessment – Example Company compared with the Total Average (All Participants), the Peer Group Average and the Top Performer (Peer Group: Consumer Products & Retail)
Strategy & Governance: Strategy*; Governance Structure*; IT Compliance Management; IT Risk Management*; BCM / DRM*; Audits*; Data Privacy; Security Incident Reporting*
Organization & People: Org. Structures*; Roles & Responsibilities; Awareness*; Security Expert Training*; Information Security Service Improvement; Collaboration with Corporate Security; Relationship with Business Units; Social Media
Processes: Identity and Access Management*; Threat and Vulnerability Management*; Patch Management*; Information Classification*; Vendor Management; Secure Application Development*; Backup*; Mobile Device Management*; Retention & Investigation of Data; Cloud Computing; Physical User Access
Technology: Firewalls*; Remote User Access*; Network Intrusion Detection*; Wireless Networks*; Database Security; Server and System Security*; Endpoint Device Security; Application Security*; Malicious Content Protection*; Physical Control Systems
* Critical element based on SANS Critical Controls and Capgemini best practices (higher weighting for risk evaluation)
Areas highlighted in the key findings: Server and System Security; Awareness; Mobile Device Management; Patch Management; Identity and Access Management
A well-defined audit process and an established relationship to auditors is a key aspect in measuring the effectiveness of Information Security
Security Maturity Assessment – Domain "Strategy & Governance"
Example Company: 1.1 Strategy*; 1.2 Governance Structures*; 1.3 IT Compliance Management; 1.4 IT Risk Management*; 1.5 BCM / DRM*; 1.6 Audits*; 1.7 Data Privacy; 1.8 Security Incident Reporting*
* Critical element based on SANS Critical Controls and Capgemini best practices (higher weighting for risk evaluation)
Chart legend: Total Average (All Participants); Top Performer (Peer Group); Peer Group Average; Current/Target; Current
Capgemini's high-level risk evaluation: A, B, C, D, E (Low Risk – Medium Risk – High Risk)
Peer group: Energy & Utilities
Example Company lies in 6 out of 8 areas below the peer group average in the domain "Strategy & Governance"
1.6 Audits* is below peer group average (Example Company: 1.0 vs. peers: 2.5).
Recommendation: Definition of a process for audit planning, reporting and response to findings; establishment of a relationship to auditors (internal & 3rd party)
1.5 BCM / DRM* is below peer group average (Example Company: 1.0 vs. peers: 2.1).
Recommendation: Definition of processes, roles & responsibilities, documentation of plans to meet defined recovery and business objectives using business impact analysis
1.4 IT Risk Management* is below peer group average (Example Company: 1.0 vs. peers: 2.0).
Recommendation: Definition of processes, roles and responsibilities for risk management, regular assessments, management of mitigation measures and reporting
1.3 IT Compliance Management is below peer group average (Example Company: 1.0 vs. peers: 2.4).
Recommendation: Definition of processes, roles and responsibilities for compliance management, consistent policy framework based on common standards (e.g. ISO 27001) and reporting in place
1.2 Governance Structures* is below peer group average (Example Company: 2.0 vs. peers: 2.7).
Recommendation: Definition of a security steering committee with relevant stakeholders, direct report to top management
A holistic Information Security awareness campaign is the most effective solution to tackle the increasing number of attacks on employees
Security Maturity Assessment – Domain "Organization & People"
Example Company: Org. Structures*; Roles & Responsibilities; Awareness*; Security Expert Training*; Information Security Service Improvement; Collaboration with Corporate Security; Relationship with Business Units; Social Media
* Critical element based on SANS Critical Controls and Capgemini best practices (higher weighting for risk evaluation)
Chart legend: Total Average (All Participants); Top Performer (Peer Group); Peer Group Average; Current/Target; Current
Capgemini's high-level risk evaluation: A, B, C, D, E (Low Risk – Medium Risk – High Risk)
Peer group: Manufacturing
Example Company lies in 8 out of 8 areas below the peer group average in the domain "Organization & People"
2.3 Awareness* is below peer group average (Example Company: . vs. peers: . ).
Recommendation: Definition of policies & channels for training and awareness campaigns, roles and responsibilities, clean desk policy and signing of security instructions (including e.g. rules, sanctions) by employees and contractors
2.1 Org. Structures* is below peer group average (Example Company: . vs. peers: . ).
Recommendation: Establishment of a security organization based on a documented reporting structure and defined roles and responsibilities
2.6 Collaboration with Corporate Security is below peer group average (Example Company: . vs. peers: . ).
Recommendation: Implementation of infrequent communication between Information Security and Corporate Security when issues arise
2.4 Security Expert Training* is below peer group average (Example Company: . vs. peers: . ).
Recommendation: Establishment of mandatory training/certification for selected positions, based on a training plan
2.8 Social Media is below peer group average (Example Company: . vs. peers: . ).
Recommendation: Implementation of a documented social media policy, definition of roles and responsibilities for management of social media communication
A structured patch management enables an efficient closing of security-related vulnerabilities
Security Maturity Assessment – Domain "Processes"
Example Company: Identity and Access Management*; Threat and Vulnerability Management*; Patch Management*; Information Classification*; Vendor Management; Secure Application Development*; Backup*; Mobile Device Management*
* Critical element based on SANS Critical Controls and Capgemini best practices (higher weighting for risk evaluation)
Chart legend: Total Average (All Participants); Top Performer (Peer Group); Peer Group Average; Current/Target; Current
Capgemini's high-level risk evaluation: A, B, C, D, E (Low Risk – Medium Risk – High Risk)
Peer group: Life Sciences and Healthcare
Example Company lies in 7 out of 11 areas below the peer group average in the domain "Processes"
3.3 Patch Management* is below peer group average (Example Company: . vs. peers: . ).
Recommendation: Definition of processes, roles and responsibilities to install only tested and approved patches in a timely manner
3.4 Information Classification* is below peer group average (Example Company: . vs. peers: . ).
Recommendation: Implementation of a consistent classification policy, classification of all information assets by documented asset owners based on criticality, business needs and regulatory requirements
3.8 Mobile Device Management* is below peer group average (Example Company: . vs. peers: . ).
Recommendation: Definition of mobile device management (MDM) for all enterprise devices, all devices encrypted, strong password policy enforced, BYOD policy for own devices (if applicable)
3.2 Threat and Vulnerability Management* is below peer group average (Example Company: . vs. peers: . ).
Recommendation: Definition of processes, roles and responsibilities to monitor threats, scan vulnerabilities and implement actions
3.9 Retention and Investigation of Data is below peer group average (Example Company: . vs. peers: . ).
Recommendation: Definition of a process to retain data from key systems based on internal & external requirements and on (archiving) policy, definition of roles and responsibilities, formalized investigation procedures, legal team involved in investigations
Further areas in this domain: Retention & Investigation of Data; Cloud Computing; Physical User Access
Wireless networks should not only be logically separated from the corporate network but also protected from unauthorized physical manipulation of their access points
Security Maturity Assessment – Domain "Technology"
Example Company: Firewalls*; Remote User Access*; Network Intrusion Detection*; Wireless Networks*; Database Security; Server and System Security*; Endpoint Device Security; Application Security*
* Critical element based on SANS Critical Controls and Capgemini best practices (higher weighting for risk evaluation)
Chart legend: Total Average (All Participants); Top Performer (Peer Group); Peer Group Average; Current/Target; Current
Capgemini's high-level risk evaluation: A, B, C, D, E (Low Risk – Medium Risk – High Risk)
Peer group: Financial Services
Example Company lies in 7 out of 10 areas below the peer group average in the domain "Technology"
4.4 Wireless Networks* is below peer group average (Example Company: . vs. peers: . ).
Recommendation: Establishment of basic technologies and protocols to secure wireless connections, access granted based on informal request
4.8 Application Security* is below peer group average (Example Company: . vs. peers: . ).
Recommendation: Usage of advanced controls (e.g. strong authentication) based on clearly defined policies incl. strong authentication and license management
4.2 Remote User Access* is below peer group average (Example Company: . vs. peers: . ).
Recommendation: Effective usage of secure remote access, usage of two-way authentication, monitoring of violations, risks and performance
4.9 Malicious Content Protection* is below peer group average (Example Company: . vs. peers: . ).
Recommendation: Ongoing scanning for malicious content, monitoring of policy violations and measuring of success rate
4.7 Endpoint Device Security is below peer group average (Example Company: . vs. peers: . ).
Recommendation: Usage of advanced endpoint controls (e.g. endpoint forensics) based on clearly defined policies incl. configuration and license management
Further areas in this domain: Malicious Content Protection*; Physical Control Systems
Content
Introduction to the Study
Overall Study Results
Security Maturity Assessments
About Capgemini & Questback
- Capgemini Consulting Cybersecurity Offerings
- Questback Enterprise Feedback Solutions
Capgemini Consulting supports your company to benefit from the Digital Transformation and to react appropriately to growing challenges
Company Profile
Capgemini Consulting relies on a strong and global Cybersecurity capability network within the Capgemini Group
Capgemini Group offers and capabilities
With the increasing complexity of organizations and the ongoing penetration of SMACT technologies, a "full perimeter" protection is not feasible anymore
Trends in Cybersecurity
Our Strategic Cybersecurity Consulting guides your organization through a secure Digital Transformation while leveraging the power of modern technologies
Capgemini Consulting Cybersecurity Portfolio (excerpt)
Capgemini performs its Cybersecurity & Information Protection (CySIP) Maturity Assessment based on a proven approach and standardized tools
Maturity Assessment & Strategy
Capgemini helps organizations to protect their critical information assets using optimal investment strategies that minimize operational risk
Digital Risk & Data Privacy
We support organizations in establishing an Information Security Management System that ensures an adequate setup and development of their Cybersecurity capabilities
Security Target Operating Model
Awareness initiatives offered by Capgemini leverage broad communication campaigns and targeted training for roles with high risk profiles
Awareness & Training
The Capgemini Group offers a wide range of Managed Security Services (MSS); Capgemini Consulting supports the transition to prepare its clients for an efficient operation
Managed Security Services
Capgemini's proven, easy-to-adopt solutions and extensive project experience enable us to efficiently implement effective Cybersecurity capabilities
Cybersecurity - why Capgemini Consulting?
We constantly search for new customer solutions and provide our customers with the latest research and points of view on current and future topics
Capgemini Surveys and Benchmarks (examples)
Dr. Guido Kamann
Head of Business & Technology Innovation
Capgemini Suisse S.A.
Leutschenbachstrasse
CH- Zürich
Phone: +
E-Mail: guido.kamann@capgemini.com
Dr. Paul Lokuciejewski
Lead of Cybersecurity Consulting
Capgemini Deutschland GmbH
Mainzer Landstraße -
Frankfurt
Phone: +
E-Mail: paul.lokuciejewski@capgemini.com
Thank You
Back Up
The risk evalua on is based on the devia on between the self assessment and the peer group
averages considering a weigh ng factor for the assessment controls
High-level risk evalua on logic
© Capgemini Consul ng . All rights reserved.
Maturity Level Descriptions
Strategy & Governance Questions . - .
Levels are listed from lowest to highest maturity.
Strategy: How does the Information Security function strategically support business and IT needs?
Level: No strategy, not involved in business/IT decisions
Level: Informal security strategy indirectly involved in decisions
Level: Defined process for Information Security strategy development and regular review, aligned with business/IT
Level: Tracking of KPIs to monitor effectiveness of support for business/IT
Level: Best practice through continuous improvement, InfoSec is a critical part of business strategy and a business enabler
IT Compliance Management: To which degree does IT compliance management support the identification of relevant laws, standards and other requirements to implement an effective policy framework?
Level: No IT compliance management function in place
Level: Inconsistent processes, loosely defined roles and minimal reporting, inconsistent policies
Level: Defined processes, roles and responsibilities for compliance management, consistent policy framework based on common standards (e.g. ISO), reporting
Level: Regular review of policies, automatic company-wide collection of security relevant data for qualification of gaps/incidents, internal controls implemented
Level: New requirements timely identified by active research & automated alerts, near real-time compliance data availability for decision-making
Governance Structures: What is the maturity of governance structures for security decisions (e.g. concerning support for bring-your-own device (BYOD)) to ensure involvement of all relevant stakeholders?
Level: No decision structures for InfoSec
Level: Informal and ad-hoc decision structures for InfoSec in place
Level: Formal team for making InfoSec decisions, escalation mechanisms defined
Level: Defined security steering committee with all relevant stakeholders, direct report to management
Level: Visible security and risk steering committee for directions, involvement of top management
IT Risk Management: How is the IT risk management function implemented to support all relevant stakeholders with InfoSec risk-related decisions?
Level: No IT risk management function in place
Level: Inconsistent processes, loosely defined roles and minimal reporting
Level: Defined processes, roles and responsibilities for risk, regular assessments, management of mitigation measures, reporting
Level: Use of manual and automated key risk indicators for risk exposure tracking, business decisions consider risks
Level: Business decisions use risk as a key decision criterion, automated risk identification, continuous improvement
Maturity Level Descriptions
Strategy & Governance Questions . - .
Levels are listed from lowest to highest maturity.
Business Continuity and Disaster Recovery Management: How is business continuity and disaster recovery (BC/DR) implemented to maintain operations in the event of significant and unexpected incidents?
Level: No BC/DR function or plan existing
Level: Basic plans for keeping key IT systems running in case of potential disasters
Level: Defined process, roles & responsibilities, documented plans to meet defined recovery and business objectives using business impact analysis
Level: BC/DR plan is regularly reviewed & tested with all relevant stakeholders, training for relevant stakeholders
Level: Continuously improved BC/DR plans and processes to meet risk, performance and recovery objectives
Data Privacy: To which level is data privacy enforced to protect personal & business data and adhere to laws and regulations?
Level: Privacy is not a topic, no idea who or which system uses personal data
Level: Privacy receives attention in some parts of the organization, privacy accountability scattered
Level: Defined processes, roles and responsibilities for privacy management, organization-wide policy
Level: Value of data privacy leveraged to improve reputation and sales, audits performed
Level: Privacy processes continuously improved, part of organization culture
Audits: How does the InfoSec organization / responsible person interact with auditors and third party audits, and how are their findings processed within the InfoSec organization?
Level: Audits not performed by auditors and third parties
Level: Rare interaction with auditors, inconsistent process for response to audit findings
Level: Established relationship to auditors (internal & 3rd party), defined process for audit planning and for response to findings
Level: Predefined data collection methods for timely auditor support, immediate response to findings by automated process
Level: Close collaboration with auditors to optimize InfoSec value to the organization, automated data collection methods for real-time audit requests
Security Incident Reporting: How are security incidents identified and reported to reduce risk and negative impact to the organization?
Level: No processes to identify, report and respond to security incidents
Level: Individual reporting and response to incidents when they arise
Level: Defined policy and process to report and respond to security incidents, contact persons known
Level: Incident responses reviewed to measure efficiency, partially automatic reporting, maintenance of loss history
Level: Proactive, automatic identification of incidents, continuous improvement for risk minimization
Maturity Level Descriptions
Organization & People Questions . – .
Levels are listed from lowest to highest maturity.
Information Security Organization Structures: To which degree are security organization structures implemented to effectively and efficiently support business and IT needs?
Level: No defined or understood structures for the InfoSec function
Level: Inconsistent functions distributed across teams, loosely defined roles and minimal reporting
Level: Security organization based on documented reporting structure and defined roles & responsibilities
Level: Security org structure reflects business organization, monitored to meet changing business needs, defined and aligned HR strategy
Level: Continuous improvement to increase performance, proactive adjustment to upcoming business changes
Employee Training and Awareness: To what extent are security trainings and awareness initiatives offered to all employees for proper behavior related to security?
Level: No employee training or awareness regarding security issues
Level: Materials provided ad-hoc to promote awareness for arising issues, no concept
Level: Defined policies & channels for training and awareness campaigns, defined roles and responsibilities, clean desk policy
Level: Holistic concept defined, awareness and training success measured (e.g. surveys), multiplier network for effective implementation
Level: Trainings and awareness fully incorporated into corporate training plan & communication, proactive search for relevant awareness topics
Roles & Responsibilities: How are roles and responsibilities defined within Information Security to support business?
Level: No InfoSec division/ no definition of roles and responsibilities
Level: Basic roles and responsibilities for some InfoSec team members defined
Level: Documented roles and responsibilities for all InfoSec team members, incl. the team's role in the organization
Level: Metrics used to track effectiveness of roles and responsibilities, InfoSec roles widely known
Level: Continuous improvement of roles and responsibilities through ongoing reviews for improved business support
Information Security Expert Training: How are expert trainings and certifications for Information Security staff managed to keep staff up-to-date with the latest technologies, threats, best practices, and business needs?
Level: No training/ certification for security staff
Level: Infrequent training/ certification for some staff, based on need or interest
Level: Mandatory training/ certification for selected positions, based on training plan
Level: Mandatory training/ certification for all security staff, participation/ success tracked, training plan aligned with HR
Level: Proactive investment in training/ certification based on business and InfoSec strategy to optimize the entire InfoSec function
Maturity Level Descriptions
Organization & People Questions . – .
Levels are listed from lowest to highest maturity.
Information Security Service Improvement: To which degree are capabilities developed to define, track and improve InfoSec services (e.g. personal background checks) for business users?
Level: No security team/ no specific InfoSec services offered
Level: Inconsistent and undocumented InfoSec services available, no timely reaction to business complaints
Level: Clearly defined services for business along with key performance indicators (KPI), process for user complaints/feedback
Level: Service KPIs tracked to ensure business goals are met, regular alignment with business to support requirements definition
Level: Continuous improvement of InfoSec services and responses to business requirements, InfoSec seen as business enabler
Relationship with Business Units: How is the relationship and interaction between Information Security and other business units/ executives (e.g. legal) regarding effective collaboration and coordination?
Level: No interaction, support or integration of InfoSec staff with other units
Level: Occasional, informal interaction, support, and/or integration of InfoSec with other units (e.g. information sharing)
Level: Formal, documented relationship of the InfoSec function for key business or functional areas
Level: Close collaboration and communication with other units, use of joint success metrics
Level: Continuous improvement of collaboration to maximize security and business performance, InfoSec viewed as essential for business
Cooperation with Corporate Security: What is the level of cooperation of Information Security with Corporate Security, including physical security?
Level: No cooperation with Corporate Security
Level: Infrequent communication between InfoSec and Corporate Security when issues arise
Level: Collaboration with Corporate Security concerns few defined areas (e.g. access control)
Level: Close collaboration with Corporate Security on multiple topics, use of joint success metrics
Level: Holistic integration between InfoSec and Corporate Security processes and policies, continuous improvement of collaboration
Social Media: How is the use of social media controlled to avoid security breaches resulting e.g. from disclosure of sensitive information or spread of false, illegal or offensive information?
Level: Social media not used for company purposes
Level: Social media available to any employee without control of transmitted data
Level: Documented social media policy, roles and responsibilities defined for management of social media
Level: Access restricted by firewalls based on user's role, manual monitoring of social media, time-to-react measured
Level: Automatic, tool-based monitoring of social media contents, continuous improvement of reaction time
Maturity Level Descriptions
Processes Questions . – .
Levels are listed from lowest to highest maturity.
Identity and Access Management: How is identity and access management (IAM) implemented to define, administrate and track logical access privileges across the corporate systems?
Level: No IAM processes or tools in place
Level: Basic access controls and provisioning systems for some IT assets
Level: Defined processes, roles and responsibilities for IAM based on job functions and access policies, personalized accounts
Level: Monitoring of user accesses to identify violations, regular review of privileges, managed access to cloud solutions and mobile devices
Level: Close collaboration between InfoSec department and business/HR for real-time synchronization, continuous improvement
Patch Management: What is the level of patch management to ensure that patches on corporate devices (e.g. servers, notebooks, databases, mobile devices) are up-to-date to reduce risks of security breaches?
Level: No patch management function or process in place
Level: Patching occurs when needs arise, no documentation and formal approval process
Level: Defined processes, roles and responsibilities to install only tested and approved patches
Level: Patch management partially automated, ongoing monitoring, KPIs (e.g. time-to-patch) measured on a regular basis
Level: Best practice process, based on continuous improvement, regular reporting
Threat and Vulnerability Management: How does the Information Security organization / responsible person manage the identification of threats and vulnerabilities to take appropriate mitigation actions?
Level: No function to manage threats or vulnerabilities
Level: Potential threats and vulnerabilities addressed in response to industry news and alerts
Level: Defined processes, roles and responsibilities to monitor threats, scan vulnerabilities and implement actions
Level: Proactive research for new threats and vulnerabilities, system controls updated accordingly, company-wide SIEM for real-time monitoring
Level: Continuous improvement of process effectiveness and risk reduction, ongoing automatic vulnerability scans
Information Classification: How are information assets (e.g. documents, IT systems) identified, classified and handled to manage data appropriate to its confidentiality level?
Level: No processes for information asset management and classification
Level: Inconsistent classification for information assets
Level: Consistent classification policy, classification of all information assets by documented asset owners based on business needs and regulatory requirements
Level: (Partially) tool-enforced document classification, regular review of asset owners & defined classification, monitoring of access to sensitive data
Level: Regular review of classification criteria to improve support for business & risk management needs
Maturity Level Descriptions
Processes Questions . – .
Levels are listed from lowest to highest maturity.
Sourcing and Vendor Management: How is sourcing and vendor management implemented to maintain a desired level of security?
Level: No procedures to incorporate security in sourcing or vendor management
Level: Inconsistent processes for incorporating security into sourcing and vendor management
Level: Sourcing and vendor management includes security and risk requirements, documented sourcing strategy and SLAs
Level: Audits of vendors to ensure compliance with defined requirements, formal & regular risk evaluation of vendors
Level: Risk as one of the key criteria for vendor decisions, standard evaluation of third-party staff, ongoing process improvement
Backup: What is the level of data backup to protect business information?
Level: Backup of data not performed
Level: Backup of certain data performed on an ad hoc basis
Level: Defined processes and backup policy, roles and responsibilities to back up all relevant data
Level: Backup based on business needs, monitoring, data restore tested, defined procedures for authorized access, physically distributed backups
Level: Best practice backup through continuous improvement of processes (e.g. by KPIs such as time-to-backup, time-to-restore) and tools
Secure Application Development: To which degree are security procedures implemented to ensure secure application development?
Level: Security not considered during application development
Level: Basic security testing and security review at key development milestones
Level: Defined security requirements for all development projects, formal testing and reviews, security policy for 3rd-party developer partners
Level: Internal training, frequent testing, certified 3rd parties, monitoring of 3rd-party developers, controls to avoid unauthorized access & change
Level: Continuous investment in a combination of training & tools to improve secure development, proactive vulnerability analysis during development
Mobile Devices: How are enterprise mobile devices (e.g. mobile phones, smartphones, tablet computers) managed to optimize the security of mobile communications networks?
Level: No centralized management of mobile devices
Level: Some enterprise mobile devices are centrally managed, devices not encrypted
Level: Defined mobile device management for all enterprise devices, all devices encrypted, strong password policy enforced, BYOD policy for own devices
Level: Regular review of installed apps on mobile devices, tool-based patching, identification of policy violations, automatic remote data erase
Level: Continuous improvement of mobile device security to increase business performance and minimize risks
Maturity Level Descriptions
Processes Questions . – .
Levels are listed from lowest to highest maturity.
Retention and Investigation of Data: To what extent are processes for retention (e.g. archiving) and investigation of data implemented to comply with laws and regulations?
Level: No capabilities or processes for data retention and forensic analysis
Level: Data is retained for some systems based on requests, manual forensics
Level: Defined process to retain data from key systems based on internal & external requirements and on (archiving) policy, defined roles and responsibilities
Level: Defined life-cycle management, centralized retention of all relevant data incl. data destruction requirements, audits to enforce compliance
Level: Automated life-cycle management for data collection, retention and destruction, specialized forensics team
Physical User Access Management: To what extent is physical user access management implemented in the organization?
Level: Physical user access management is not in place
Level: Physical access privileges are generated or changed ad-hoc on demand, basic entry mechanisms (e.g. key lock)
Level: Defined processes, roles and responsibilities, privileges based on job functions & access policies, advanced entry mechanisms, visitors escorted
Level: Monitoring of user accesses to identify violations, regular review of privileges, physical access mechanisms regularly maintained
Level: Close collaboration between InfoSec department and business/HR for real-time synchronization, continuous improvement
Cloud Computing: To what extent is a secure usage of private and public clouds (e.g. SaaS or IaaS) implemented in the organization?
Level: Public cloud services are not used
Level: Public clouds used as needed, transmitted data is not controlled
Level: Use of private and public cloud based on policy (e.g. selection of provider due to server location), data transmission based on classification policy
Level: Testing of classification policy adherence, audits of cloud provider, security-related issues part of cloud provider contracts
Level: Continuous optimization of cloud security controls, tool-based orchestration of clouds to reduce security risks
Maturity Level Descriptions
Technology Questions . – .
Levels are listed from lowest to highest maturity.
Firewalls: To which degree are central and/ or device-specific firewalls installed to restrict network-level access from one network to another?
Level: No network firewalls installed
Level: Firewalls deployed to protect several locations as needs arise
Level: Firewalls deployed selectively, documented policies and processes to manage rules
Level: Firewalls deployed extensively, ongoing monitoring, regular audit of firewall rules
Level: Ongoing improvement of firewalls to support business needs and minimize risk
Network Intrusion Protection: What is the level of network intrusion protection to detect and block noncompliant network traffic?
Level: No controls to inspect or block network traffic
Level: Some intrusion detection capabilities for selected network segments
Level: IDS and/or IPS (intrusion detection/protection systems) deployed at high risk interfaces, based on policy, documented configuration
Level: IDS and/or IPS deployed with metrics to track performance, monitoring, regular review of configuration
Level: IPS and/or IDS with ongoing measuring to maximize performance and security
Remote User Access: How does the Information Security organization / responsible person support secure access for remote users to the corporate network and systems?
Level: No method in place to allow secure remote connections
Level: Basic technologies to allow some instances of remote connection on request
Level: Formal mechanisms (e.g. IPSec or SSL VPN) in place, clear policies and user understanding
Level: Effective use of secure remote access, use of two-way authentication, monitoring of violations
Level: Continuous improvement to increase performance and reduce risk, proactive identification of vulnerabilities
Wireless Network: To what extent is wireless access to network resources secured?
Level: No mechanism to allow protected wireless connections
Level: Basic technologies and protocols to secure wireless connections, access granted based on informal request
Level: Formal process for WiFi access account creation, encrypted communication, physically secured access points, guests without full network access
Level: Monitoring of log files & policy violations, guest access provision system, regular wireless vulnerability assessment, wireless intrusion prevention
Level: Continuous improvement of wireless security (e.g. use of recent protocols), performance and risk improvement
Maturity Level Descriptions
Technology Questions . – .
Levels are listed from lowest to highest maturity.
Database Security: How does the Information Security organization / responsible person use database security technologies to maintain the confidentiality and integrity of stored data?
Level: No use of basic database security controls (such as encryption, monitoring)
Level: Only use of basic database security controls on an ad hoc basis
Level: Use of advanced database controls based on clearly defined policies incl. manual log file checking and audits
Level: Scanning of databases to detect vulnerabilities, database configuration and log files monitored on a regular basis, protection of log files, reporting
Level: Continuous optimization of security controls to support business needs and risk objectives
Endpoint Device Security: How are endpoint devices protected to maintain their confidentiality, integrity and availability?
Level: No use of basic endpoint security controls
Level: Only use of basic endpoint security controls on an ad hoc basis (such as antivirus or firewalls)
Level: Use of advanced endpoint controls based on clearly defined policies incl. configuration and license management
Level: Scanning for unauthorized applications and peripherals, monitoring of policy violations, use of data leak prevention (DLP)
Level: Continuous optimization of security controls to support business needs and risk objectives
Server and System Security: How are corporate servers and systems protected to maintain their confidentiality, integrity and availability?
Level: No use of server security controls
Level: Only use of basic server security controls on an ad hoc basis (such as antivirus or firewall)
Level: Use of advanced server controls based on clearly defined policies incl. configuration and license management
Level: Scanning of servers to detect vulnerabilities, server configuration and log files monitored on a regular basis, use of data leak prevention (DLP)
Level: Continuous optimization of security controls to support business needs and risk objectives
Application Security: How are applications protected to maintain their confidentiality, integrity and availability?
Level: No use of basic application security controls
Level: Only use of basic application security controls on an ad hoc basis (such as vulnerability testing or firewalls)
Level: Use of advanced controls based on clearly defined policies incl. strong authentication and license management
Level: Scanning of applications for vulnerabilities, log files monitored on a regular basis
Level: Continuous optimization of security controls to support business needs and risk objectives
Maturity Level Descriptions
Technology Questions . – .
Levels are listed from lowest to highest maturity.
Malicious Content Protection: How is the infrastructure protected against malicious content (e.g. trojans) and how is confidential content protected against mishandling?
Level: No use of basic message or content security technologies
Level: Only use of basic security technologies on an ad hoc basis (such as web filtering or antispam)
Level: Use of advanced security technologies based on clearly defined policies, message encryption used
Level: Ongoing scanning for malicious content, monitoring of policy violations
Level: Continuous optimization of security technologies to support business needs and risk objectives
Physical Control Systems: How are physical control systems (protection against external and environmental threats AND industrial control systems (ICS) to monitor and/or control physical processes) managed?
Level: No use of physical control systems
Level: Only use of basic security control systems (e.g. fire extinguisher)
Level: Defined processes, policies, roles and responsibilities for use of advanced security control systems (e.g. -phase UPS, fire alarm, ICS)
Level: Control systems monitored to identify threats, scanning for vulnerabilities, unauthorized access and policy violations, regular maintenance
Level: Continuous optimization and preventive maintenance of security control systems to support business needs and risk objectives
Information Security Benchmarking 2015Information Security Benchmarking 2015
Information Security Benchmarking 2015Capgemini
 
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...International Federation of Accountants
 
Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report Graeme Cross
 
eCrime-report-2011-accessible
eCrime-report-2011-accessibleeCrime-report-2011-accessible
eCrime-report-2011-accessibleCharmaine Servado
 
2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research Update2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research UpdateGridCyberSec
 
rp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responserp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responseMaciej Buczkowski
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframePrecisely
 
Cybersecurity in the Cognitive Era: Priming Your Digital Immune System
Cybersecurity in the Cognitive Era: Priming Your Digital Immune SystemCybersecurity in the Cognitive Era: Priming Your Digital Immune System
Cybersecurity in the Cognitive Era: Priming Your Digital Immune SystemIBM Security
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber securityWGroup
 
Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -
Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -
Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -Marcello Marchesini
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991Jim Romeo
 
Csmp overview may 14
Csmp overview may 14Csmp overview may 14
Csmp overview may 14Jock ANDRE
 
What has changed in Corporate Cybersecurity?
What has changed in Corporate Cybersecurity?What has changed in Corporate Cybersecurity?
What has changed in Corporate Cybersecurity?Nixu Corporation
 
Cybersecurity In The Cognitive Era: Priming Your Digital Immune System
Cybersecurity In The Cognitive Era: Priming Your Digital Immune SystemCybersecurity In The Cognitive Era: Priming Your Digital Immune System
Cybersecurity In The Cognitive Era: Priming Your Digital Immune SystemIBM Security
 
Meraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldMeraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldnooralmousa
 
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...Mighty Guides, Inc.
 
Journey to the Center of Security Operations
Journey to the Center of Security OperationsJourney to the Center of Security Operations
Journey to the Center of Security Operations♟Sergej Epp
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomIBM Security
 

Ähnlich wie Capgemini Consulting Information Security Benchmarking 2017 (20)

Information Security Benchmarking 2015
Information Security Benchmarking 2015Information Security Benchmarking 2015
Information Security Benchmarking 2015
 
Cyber Risk in the Energy Industry
Cyber Risk in the Energy IndustryCyber Risk in the Energy Industry
Cyber Risk in the Energy Industry
 
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
 
Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report
 
eCrime-report-2011-accessible
eCrime-report-2011-accessibleeCrime-report-2011-accessible
eCrime-report-2011-accessible
 
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
 
2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research Update2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research Update
 
rp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responserp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-response
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
 
Cybersecurity in the Cognitive Era: Priming Your Digital Immune System
Cybersecurity in the Cognitive Era: Priming Your Digital Immune SystemCybersecurity in the Cognitive Era: Priming Your Digital Immune System
Cybersecurity in the Cognitive Era: Priming Your Digital Immune System
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber security
 
Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -
Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -
Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991
 
Csmp overview may 14
Csmp overview may 14Csmp overview may 14
Csmp overview may 14
 
What has changed in Corporate Cybersecurity?
What has changed in Corporate Cybersecurity?What has changed in Corporate Cybersecurity?
What has changed in Corporate Cybersecurity?
 
Cybersecurity In The Cognitive Era: Priming Your Digital Immune System
Cybersecurity In The Cognitive Era: Priming Your Digital Immune SystemCybersecurity In The Cognitive Era: Priming Your Digital Immune System
Cybersecurity In The Cognitive Era: Priming Your Digital Immune System
 
Meraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldMeraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless world
 
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
 
Journey to the Center of Security Operations
Journey to the Center of Security OperationsJourney to the Center of Security Operations
Journey to the Center of Security Operations
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
 

Mehr von Capgemini

Top P&C Insurance Trends 2022
Top P&C Insurance Trends 2022Top P&C Insurance Trends 2022
Top P&C Insurance Trends 2022Capgemini
 
Commercial Banking Trends book 2022
Commercial Banking Trends book 2022Commercial Banking Trends book 2022
Commercial Banking Trends book 2022Capgemini
 
Top Trends in Payments 2022
Top Trends in Payments 2022Top Trends in Payments 2022
Top Trends in Payments 2022Capgemini
 
Top Trends in Wealth Management 2022
Top Trends in Wealth Management 2022Top Trends in Wealth Management 2022
Top Trends in Wealth Management 2022Capgemini
 
Retail Banking Trends book 2022
Retail Banking Trends book 2022Retail Banking Trends book 2022
Retail Banking Trends book 2022Capgemini
 
キャップジェミニ、あなたの『RISE WITH SAP』のパートナーです
キャップジェミニ、あなたの『RISE WITH SAP』のパートナーですキャップジェミニ、あなたの『RISE WITH SAP』のパートナーです
キャップジェミニ、あなたの『RISE WITH SAP』のパートナーですCapgemini
 
Property & Casualty Insurance Top Trends 2021
Property & Casualty Insurance Top Trends 2021Property & Casualty Insurance Top Trends 2021
Property & Casualty Insurance Top Trends 2021Capgemini
 
Life Insurance Top Trends 2021
Life Insurance Top Trends 2021Life Insurance Top Trends 2021
Life Insurance Top Trends 2021Capgemini
 
Top Trends in Commercial Banking: 2021
Top Trends in Commercial Banking: 2021Top Trends in Commercial Banking: 2021
Top Trends in Commercial Banking: 2021Capgemini
 
Top Trends in Wealth Management: 2021
Top Trends in Wealth Management: 2021Top Trends in Wealth Management: 2021
Top Trends in Wealth Management: 2021Capgemini
 
Top Trends in Payments: 2021
Top Trends in Payments: 2021Top Trends in Payments: 2021
Top Trends in Payments: 2021Capgemini
 
Health Insurance Top Trends 2021
Health Insurance Top Trends 2021Health Insurance Top Trends 2021
Health Insurance Top Trends 2021Capgemini
 
Top Trends in Retail Banking: 2021
Top Trends in Retail Banking: 2021Top Trends in Retail Banking: 2021
Top Trends in Retail Banking: 2021Capgemini
 
Capgemini’s Connected Autonomous Planning
Capgemini’s Connected Autonomous PlanningCapgemini’s Connected Autonomous Planning
Capgemini’s Connected Autonomous PlanningCapgemini
 
Top Trends in Retail Banking: 2020
Top Trends in Retail Banking: 2020Top Trends in Retail Banking: 2020
Top Trends in Retail Banking: 2020Capgemini
 
Top Trends in Life Insurance: 2020
Top Trends in Life Insurance: 2020Top Trends in Life Insurance: 2020
Top Trends in Life Insurance: 2020Capgemini
 
Top Trends in Health Insurance: 2020
Top Trends in Health Insurance: 2020Top Trends in Health Insurance: 2020
Top Trends in Health Insurance: 2020Capgemini
 
Top Trends in Payments: 2020
Top Trends in Payments: 2020Top Trends in Payments: 2020
Top Trends in Payments: 2020Capgemini
 
Top Trends in Commercial Banking: 2020
Top Trends in Commercial Banking: 2020Top Trends in Commercial Banking: 2020
Top Trends in Commercial Banking: 2020Capgemini
 
Top Trends in Wealth Management 2020
Top Trends in Wealth Management 2020Top Trends in Wealth Management 2020
Top Trends in Wealth Management 2020Capgemini
 

Mehr von Capgemini (20)

Top P&C Insurance Trends 2022
Top P&C Insurance Trends 2022Top P&C Insurance Trends 2022
Top P&C Insurance Trends 2022
 
Commercial Banking Trends book 2022
Commercial Banking Trends book 2022Commercial Banking Trends book 2022
Commercial Banking Trends book 2022
 
Top Trends in Payments 2022
Top Trends in Payments 2022Top Trends in Payments 2022
Top Trends in Payments 2022
 
Top Trends in Wealth Management 2022
Top Trends in Wealth Management 2022Top Trends in Wealth Management 2022
Top Trends in Wealth Management 2022
 
Retail Banking Trends book 2022
Retail Banking Trends book 2022Retail Banking Trends book 2022
Retail Banking Trends book 2022
 
キャップジェミニ、あなたの『RISE WITH SAP』のパートナーです
キャップジェミニ、あなたの『RISE WITH SAP』のパートナーですキャップジェミニ、あなたの『RISE WITH SAP』のパートナーです
キャップジェミニ、あなたの『RISE WITH SAP』のパートナーです
 
Property & Casualty Insurance Top Trends 2021
Property & Casualty Insurance Top Trends 2021Property & Casualty Insurance Top Trends 2021
Property & Casualty Insurance Top Trends 2021
 
Life Insurance Top Trends 2021
Life Insurance Top Trends 2021Life Insurance Top Trends 2021
Life Insurance Top Trends 2021
 
Top Trends in Commercial Banking: 2021
Top Trends in Commercial Banking: 2021Top Trends in Commercial Banking: 2021
Top Trends in Commercial Banking: 2021
 
Top Trends in Wealth Management: 2021
Top Trends in Wealth Management: 2021Top Trends in Wealth Management: 2021
Top Trends in Wealth Management: 2021
 
Top Trends in Payments: 2021
Top Trends in Payments: 2021Top Trends in Payments: 2021
Top Trends in Payments: 2021
 
Health Insurance Top Trends 2021
Health Insurance Top Trends 2021Health Insurance Top Trends 2021
Health Insurance Top Trends 2021
 
Top Trends in Retail Banking: 2021
Top Trends in Retail Banking: 2021Top Trends in Retail Banking: 2021
Top Trends in Retail Banking: 2021
 
Capgemini’s Connected Autonomous Planning
Capgemini’s Connected Autonomous PlanningCapgemini’s Connected Autonomous Planning
Capgemini’s Connected Autonomous Planning
 
Top Trends in Retail Banking: 2020
Top Trends in Retail Banking: 2020Top Trends in Retail Banking: 2020
Top Trends in Retail Banking: 2020
 
Top Trends in Life Insurance: 2020
Top Trends in Life Insurance: 2020Top Trends in Life Insurance: 2020
Top Trends in Life Insurance: 2020
 
Top Trends in Health Insurance: 2020
Top Trends in Health Insurance: 2020Top Trends in Health Insurance: 2020
Top Trends in Health Insurance: 2020
 
Top Trends in Payments: 2020
Top Trends in Payments: 2020Top Trends in Payments: 2020
Top Trends in Payments: 2020
 
Top Trends in Commercial Banking: 2020
Top Trends in Commercial Banking: 2020Top Trends in Commercial Banking: 2020
Top Trends in Commercial Banking: 2020
 
Top Trends in Wealth Management 2020
Top Trends in Wealth Management 2020Top Trends in Wealth Management 2020
Top Trends in Wealth Management 2020
 

Kürzlich hochgeladen

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 

Kürzlich hochgeladen (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 

Capgemini Consulting Information Security Benchmarking 2017

  • 1. Strategic Cybersecurity Consul ng Informa on Security Benchmarking
  • 2. Increasing costs for security breaches, EU GDPR compliance and lack of employee awareness are key challenges Management summary – key insights Know your Crown Jewels – % of the respondents state customer data as the most cri cal asset, besides personal informa on and password creden als are regarded as essen al crown jewels Informa on Security Risks – par cipants consider cyber a acks/ external a acks in general as well as data loss/ leakage as the most prevalent risks, furthermore employee awareness and compliance are stated as crucial Informa on Security Drivers – The majority of par cipants consider the protec on of informa on and compliance to regula ons as the key driver for Informa on Security, however, in this year also enabling Digital Transforma on becomes a driving force Increasing Security Budgets – Although currently companies on average only dedicate about % of their IT Budget to security, % indicate an increase of their security budget in the next fiscal year Lack of Employee Awareness – While most companies state board a en on and knowledge in general as their top strengths, employee awareness is regarded as the major improvement field Budget Constraints Impeding Security Contribu ons – About one third of par cipants designates budget constraints as the main obstacle which challenges informa on security contribu on. % state that informa on security does not meet their organiza on's needs Lack of Detec on Mechanisms – While most par cipants employ mechanisms to detect security incidents, roughly % s ll do not have real- me detec on mechanisms in place Lack of EU GDPR Compliance & Increasing Cloud Usage– Only % of respondents already fully comply to EU GDPR regula ons. % of par cipants already use cloud services - with IT being the prevailing opera on © Capgemini Consul ng . All rights reserved.
  • 3. Content Introduc on to the Study ..... - Par cipants' Informa on Overall Study Results Security Maturity Assessments About Capgemini & Questback u u u u © Capgemini Consul ng . All rights reserved.
  • 4. Extensive regulatory requirements and rising cyber threats put the success of Digital Transforma on at risk and interfere business opera ons Cybersecurity Challenges © Capgemini Consul ng . All rights reserved. New digital requirements and trends Lack of Cybersecurity know-how Organized cybercrime with sophis cated a acks
  • 5. % % % % % % % Par cipants from various industry sectors par cipated in this year's Informa on Security Benchmarking study providing detailed insights in their state of security Par cipants' Informa on* © Capgemini Consul ng . All rights reserved. - , , - , , - , , - , > , % % % % % Company size % % % % % % DACH Spain France Nordics Netherlands Other Par cipants' industry sectors Par cipants' origin Financial Services Manufacturing Energy & U li es Consumer Products, Retail Life Sciences and Healthcare Logis cs and Transporta on Other * Number of par cipants = Industries All
  • 6. Role of par cipants © Capgemini Consul ng . All rights reserved. More than % of study par cipants hold CISO/CIO posi ons % % % % % % % CISO/ IT Security Manager CIO Chief Security Officer (CSO) Chief Execu ve Officer Chief Opera ons Officer Chief Technology Officer IT Business Partner Other In this year's Informa on Security Benchmarking Study a wide range of par cipants from different posi ons par cipated and gave their opinion on current security topics
  • 7. From market leaders and hidden champions to par cipants from the public sector - Capgemini's Informa on Security Benchmarking Study covers a wide range of industry sectors Par cipants' Industry Sectors © Capgemini Consul ng . All rights reserved.
  • 8. Based on proven standards and methods, Capgemini's Informa on Security Benchmarking Study evaluates all relevant informa on security areas of the par cipants' organiza ons Informa on Security Benchmarking © Capgemini Consul ng . All rights reserved. Covers all relevant Informa on Security Areas Structure of the study Scope of the Benchmarking Study
  • 9. The Maturity Level Assessment thoroughly evaluates par cipants security standards based on current and target state Maturity model – Design Principles To achieve reliable results, the study aims at an objec ve and repeatable security Maturity Assessment of all par cipants Objec vity is achieved by assessing each Informa on Security component based on a clearly defined -level maturity model Both, current and target state are assessed n n n © Capgemini Consul ng . All rights reserved.
  • 10. Content Introduc on to the Study Overall Study Results ..... - Risks, Drivers & Crown Jewels ..... - Informa on Security Budget and Organiza on ..... - Strengths & Improvement Fields ..... - Informa on Security Incident Handling & Breaches ..... - Focus Topics of the Study Security Maturity Assessments About Capgemini & Questback u u u u © Capgemini Consul ng . All rights reserved.
  • 11. In , cyber a acks are considered as the major risk for organiza ons Informa on Security risks Cyber a acks/ external a acks in general Data loss/ leakage Employee awareness Malware Compliance Ranked top risks © Capgemini Consul ng . All rights reserved. Industries All % of all par cipants name cyber a acks/ external threats in general as one of the Top 3 most cri cal risks
  • 12. Customer data, personal informa on and password creden als are the most cri cal informa on assets as iden fied by most par cipants Crown Jewels of all par cipants consider customer data as the most cri cal asset = Top crown jewels Cri cal assets at risk © Capgemini Consul ng . All rights reserved. Internal Threats Suppliers and Partners External Threats Threat types % Strategic business informa on % Intellectual property % Financial transac ons % Corporate financial data % Opera ons data % Security concepts % Health data % E-mails % Trading data % Social data % Dra contracts % Other % Personal informa on % Passwords creden als % Customer data % Industries All
  • 13. In contrast to last year, Information Security is gaining importance as an enabler for Digital Transformation
    Drivers for Information Security (chart: share of participants naming each driver, bars in the order shown):
    - Protection of information and data
    - Compliance with security requirements imposed by authorities
    - Prevention of system outages/ business process functionality
    - Enabler for Digital Transformation
    - Safeguard for reputation/ brand image
    - Support for business goals
    - Compliance with security requirements imposed by clients
    - Protection of physical assets
    - Safeguard of humans
    - Prevention of major crises occurred in the past
    - Strengthening competitiveness
    - Increase of efficiency/ cost reduction
    Protection of information and data is the driver rated by the largest share of participants
  • 14. Content – Overall Study Results: Information Security Budget and Organization
  • 15. Information Security Budget (1/2) - Volume & Change: On average, the Information Security budget translates into only a small percentage of the IT budget, with a strong tendency to increase in the next years
    Charts: Information Security budget (in €, logarithmic axis), Information Security budget as percentage of IT budget, and increase/ decrease of the Information Security budget, each per industry (Consumer Products, Retail; Energy & Utilities; Financial Services; Manufacturing; Life Sciences and Healthcare; Logistics and Transportation; Other)
    A large share of participants indicate an increase of their Information Security budget in the upcoming fiscal year
    Across all peer groups, participants dedicate only a small percentage of their IT budget to security
  • 16. Information Security Budget (2/2) - Investment areas: The largest share of the budget is spent on "Protection"; compared to the previous year, however, companies spend an increased budget on "Detection"
    Investment areas (chart: share of budget per area):
    - Prevention (e.g. Security Strategy, IT Risk Management, Governance, Policies, Asset Management, Awareness)
    - Protection (e.g. Access Control, Data Security, Firewalls, Antivirus, Backup)
    - Detection (e.g. SIEM, Security Operations Center (SOC), Intrusion Detection Systems (IDS), Audit)
    - Response and Recovery (e.g. BCM, Crisis Management, Incident Management, Communication)
  • 17. Medium-sized companies have a balanced allocation of Full Time Equivalents (FTEs); large-sized companies outsource a significantly larger fraction of FTEs
    Chart: average number of Inhouse Information Security Management FTEs, Inhouse Operational Technical Security FTEs and Outsourced Information Security FTEs, for medium-sized companies (headcount at or below the study's size threshold) and large-sized companies (above it)
  • 18. Content – Overall Study Results: Strengths & Improvement Fields
  • 19. While participants state Board Attention and Knowledge in general as the top strengths, the awareness of employees is considered the major improvement field
    Strengths and improvement fields of participants' Information Security
    Ranked top 5 strengths: Board Attention/ Awareness of Management; Information Security Know-how; Information Security Governance; Regular Audits/ Testing; Employee Awareness
    Ranked top 5 improvement fields: Employee Awareness; Involvement of Information Security in Business Decisions; Risk Management; Information Security Governance; Identity and Access Management
  • 20. One third of participants designate budget constraints as the main obstacle challenging Information Security contribution, and not all participants state that Information Security fully meets their needs
    Strengths and improvement fields of participants' Information Security
    Main obstacles that challenge Information Security effectiveness (chart: share of participants): Budget constraints; Management and governance issues; Lack of executive awareness or support; Lack of skilled resources; Fragmentation of compliance/ regulation; Lack of quality tools for managing Information Security; Other
    Security function fully meets organization's needs (chart): Always / In most cases / Sometimes / Not at all
    Estimate of Information Security Competitiveness (chart): Below the average / On average (= Industry average) / Above the average / Best of breed
  • 21. Content – Overall Study Results: Information Security Incident Handling & Breaches
  • 22. A considerable share of participants still have no real-time detection mechanisms implemented
    Ability to detect malicious behavior (chart: share of participants): Yes, critical assets are monitored against intrusion; Yes, a Security Operations Center (SOC) is deployed; Yes, business activities are monitored against fraud; No, procedures for a real-time detection are not implemented; Do not know; No, detection procedures do not exist
    Mechanisms to react to Information Security incidents (chart: share of participants): Trusted Professional Alliances; Threat Scenarios; Security Incident Management process; Reaction plans regularly tested; Reaction Plans developed; Digital Threat Intelligence; Digital Security Incident Response Team; Cyber Insurance; Crisis Management; Other
    Besides a stable process, security incident handling requires a broad range of techniques
  • 23. The average cost per security breach is constantly growing every year
    Information Security breaches (chart: cost per security breach in K € and number of security breaches per industry: All; Consumer Products, Retail; Energy & Utilities; Financial Services; Manufacturing; Life Sciences and Healthcare; Other); the slide states the average cost per security breach (in K €) across all participants
  • 24. Content – Overall Study Results: Focus Topics of the Study
  • 25. Focus Topic - EU GDPR (1/2): Only a small share of participants fully comply with the new EU GDPR regulations
    Degree of EU GDPR compliance (chart: share of participants): Not at all / To some extent / Mostly / Completely
  • 26. Focus Topic - EU GDPR (2/2): Setting up or revising Privacy Impact Assessments is the prevailing measure to ensure EU GDPR compliance
    Top 3 measures to ensure compliance with EU GDPR (chart: share of participants):
    - Set up or revise Privacy Impact Assessment (PIA) procedures to ensure that methods apply to GDPR's Privacy-by-Design
    - Identify personal data, including "special" data, to determine their specific protection
    - Review current databases, records and archives to see what is in place and what is missing to meet record keeping and data retention requirements
  • 27. Focus Topic - Cloud Security (1/2): Cloud services are already in use among participants, with IT being the prevailing operation
    Extent of cloud usage (chart: share of participants): Not at all / To some extent / Mostly / Completely
    Operations in the cloud (chart: share of participants): IT; Marketing and Sales; Operations; Customer Service; Finance; No/ None
  • 28. Focus Topic - Cloud Security (2/2): Screening of service providers and data encryption are the dominant measures to ensure Cloud Security
    How Cloud Security is ensured (chart: share of participants): Screening of service providers to ensure appropriateness; Encryption of data; Determination of legal liabilities of the service provider; Regular reviews of the cloud service provider; Holistic access management; Evaluation of the provider's incident response policies; Other
  • 29. Focus Topic - DevOps (1/2): DevOps is mainly adopted for faster resolution of problems and continuous software delivery
    Why companies adopt DevOps (chart: share of participants): Faster resolution of problems; Continuous software delivery; Reduced cost/ time; Greater professional development opportunities; Improved communication and collaboration; Increased ability to reproduce and fix defects; Increased test coverage; More stable operating environments; Higher employee satisfaction and engagement; Reduced challenges related to Dev and Ops collaboration; Less complexity to manage; Increased environment utilization; Other
    Not all participants employ DevOps yet
  • 30. Focus Topic - DevOps (2/2): Code reviews as well as secured and controlled access to privileged accounts are the major controls
    Which security controls companies integrate into DevOps (chart: share of participants): Code review for security sensitive code portions; Manage, secure and control access to privileged accounts; Automated security testing techniques; Authenticate and authorize apps and container access; Connect developers to security issues; Continuous vulnerability assessment and remediation; Standardizing the integration cycle; Identify unsecured APIs and frameworks; Inventory and tracking of authorized and unauthorized software; Configuration management systems; Map security sensitive code portions; Monitor user activity; Use a secure framework such as Spring Security, JAAS, Apache Shiro, Symfony; Other
  • 31. Content – Security Maturity Assessments: Overall Security Maturity Assessments
  • 32. Overall Security Maturity Assessment (1/2) - Peer Group Overview: In general, all sectors show high maturity in the domain "Technology", with key improvement potentials in the "Organization & People" domain
    Chart: overall security maturity assessment per domain (Strategy & Governance, Organization & People, Processes, Technology) and per peer group (Financial Services; Energy & Utilities; Manufacturing; Consumer Products & Retail; Life Sciences & Healthcare; Logistics & Transportation; Other), with the average (Ø) per peer group
  • 33. Overall Security Maturity Assessment (2/2) - Maturity Level vs. Budget: A correlation between the Information Security budget as percentage of the IT budget and the maturity level could not be detected; even with a small budget, high maturity levels can be achieved
    Chart: maturity level (y-axis) against Information Security budget as percentage of IT budget (x-axis) per peer group (Financial Services; Energy & Utilities; Manufacturing; Consumer Products & Retail; Life Sciences & Healthcare; Logistics & Transportation; Other), with mean lines on both axes dividing the quadrants "Security Master", "The Innocent", "Security Pretenders" and "Cost-intensive Security Showpieces"
  • 34. Content – Security Maturity Assessments: Individual Security Maturity Assessments
  • 35. Overall Security Maturity Assessment – Example Company: With its average maturity level, Example Company is below the average maturity level of its peer group (Consumer Products & Retail)
    Chart: current maturity of Example Company per control vs. Peer Group Average, Top Performer (Peer Group) and Total Average (All Participants); * = critical element based on SANS Critical Controls and Capgemini best practices (higher weighting for risk evaluation)
    Strategy & Governance: 1.1 Strategy*, 1.2 Governance Structures*, 1.3 IT Compliance Management, 1.4 IT Risk Management*, 1.5 BCM / DRM*, 1.6 Audits*, 1.7 Data Privacy, 1.8 Security Incident Reporting*
    Organization & People: 2.1 Org. Structures*, 2.2 Roles & Responsibilities, 2.3 Awareness*, 2.4 Security Expert Training*, 2.5 Information Security Service Improvement, 2.6 Collaboration with Corporate Security, 2.7 Relationship with Business Units, 2.8 Social Media
    Processes: 3.1 Identity and Access Management*, 3.2 Threat and Vulnerability Management*, 3.3 Patch Management*, 3.4 Information Classification*, 3.5 Vendor Management, 3.6 Secure Application Development*, 3.7 Backup*, 3.8 Mobile Device Management*, 3.9 Retention & Investigation of Data, 3.10 Cloud Computing, 3.11 Physical User Access
    Technology: 4.1 Firewalls*, 4.2 Remote User Access*, 4.3 Network Intrusion Detection*, 4.4 Wireless Networks*, 4.5 Database Security, 4.6 Server and System Security*, 4.7 Endpoint Device Security, 4.8 Application Security*, 4.9 Malicious Content Protection*, 4.10 Physical Control Systems
    Key findings: Server and System Security; Awareness; Mobile Device Management; Patch Management; Identity and Access Management
  • 36. Security Maturity Assessment – Domain "Strategy & Governance": A well-defined audit process and an established relationship to auditors is a key aspect in measuring the effectiveness of Information Security
    Chart (Example Company, peer group Energy & Utilities): current and target maturity per control (1.1 Strategy*, 1.2 Governance Structures*, 1.3 IT Compliance Management, 1.4 IT Risk Management*, 1.5 BCM / DRM*, 1.6 Audits*, 1.7 Data Privacy, 1.8 Security Incident Reporting*) vs. Peer Group Average, Top Performer (Peer Group) and Total Average (All Participants); * = critical element based on SANS Critical Controls and Capgemini best practices (higher weighting for risk evaluation); Capgemini's high-level risk evaluation: A to E (Low Risk / Medium Risk / High Risk)
    Example Company lies in 6 out of 8 areas below the peer group average in the domain "Strategy & Governance":
    - 1.6 Audits* is below peer group average (Example Company: 1.0 vs. peers: 2.5). Recommendation: definition of a process for audit planning, reporting and response to findings; establishment of a relationship to auditors (internal & 3rd party)
    - 1.5 BCM / DRM* is below peer group average (Example Company: 1.0 vs. peers: 2.1). Recommendation: definition of processes, roles & responsibilities; documentation of plans to meet defined recovery and business objectives using business impact analysis
    - 1.4 IT Risk Management* is below peer group average (Example Company: 1.0 vs. peers: 2.0). Recommendation: definition of processes, roles and responsibilities for risk management; regular assessments; management of mitigation measures and reporting
    - 1.3 IT Compliance Management is below peer group average (Example Company: 1.0 vs. peers: 2.4). Recommendation: definition of processes, roles and responsibilities for compliance management; consistent policy framework based on common standards (e.g. ISO 27001) and reporting in place
    - 1.2 Governance Structures* is below peer group average (Example Company: 2.0 vs. peers: 2.7). Recommendation: definition of a security steering committee with relevant stakeholders, direct report to top management
  • 37. Security Maturity Assessment – Domain "Organization & People": A holistic Information Security awareness campaign is the most effective solution to tackle the increasing number of attacks on employees
    Chart (Example Company, peer group Manufacturing): current and target maturity per control (2.1 Org. Structures*, 2.2 Roles & Responsibilities, 2.3 Awareness*, 2.4 Security Expert Training*, 2.5 Information Security Service Improvement, 2.6 Collaboration with Corporate Security, 2.7 Relationship with Business Units, 2.8 Social Media) vs. Peer Group Average, Top Performer (Peer Group) and Total Average (All Participants); * = critical element based on SANS Critical Controls and Capgemini best practices (higher weighting for risk evaluation); Capgemini's high-level risk evaluation: A to E (Low Risk / Medium Risk / High Risk)
    Example Company lies in 8 out of 8 areas below the peer group average in the domain "Organization & People":
    - 2.3 Awareness* is below peer group average. Recommendation: definition of policies & channels for training and awareness campaigns, roles and responsibilities, clean desk policy and signing of security instructions (including e.g. rules, sanctions) by employees and contractors
    - 2.1 Org. Structures* is below peer group average. Recommendation: establishment of a security organization based on a documented reporting structure and defined roles and responsibilities
    - 2.6 Collaboration with Corporate Security is below peer group average. Recommendation: implementation of infrequent communication between Information Security and Corporate Security when issues arise
    - 2.4 Security Expert Training* is below peer group average. Recommendation: establishment of mandatory training/ certification for selected positions, based on a training plan
    - 2.8 Social Media is below peer group average. Recommendation: implementation of a documented social media policy, definition of roles and responsibilities for management of social media communication
  • 38. Security Maturity Assessment – Domain "Processes": Structured patch management enables efficient closing of security-related vulnerabilities
    Chart (Example Company, peer group Life Sciences and Healthcare): current and target maturity per control (3.1 Identity and Access Management*, 3.2 Threat and Vulnerability Management*, 3.3 Patch Management*, 3.4 Information Classification*, 3.5 Vendor Management, 3.6 Secure Application Development*, 3.7 Backup*, 3.8 Mobile Device Management*, 3.9 Retention & Investigation of Data, 3.10 Cloud Computing, 3.11 Physical User Access) vs. Peer Group Average, Top Performer (Peer Group) and Total Average (All Participants); * = critical element based on SANS Critical Controls and Capgemini best practices (higher weighting for risk evaluation); Capgemini's high-level risk evaluation: A to E (Low Risk / Medium Risk / High Risk)
    Example Company lies in 7 out of 11 areas below the peer group average in the domain "Processes":
    - 3.3 Patch Management* is below peer group average. Recommendation: definition of processes, roles and responsibilities to install only tested and approved patches in a timely manner
    - 3.4 Information Classification* is below peer group average. Recommendation: implementation of a consistent classification policy; classification of all information assets by documented asset owners based on criticality, business needs and regulatory requirements
    - 3.8 Mobile Device Management* is below peer group average. Recommendation: definition of mobile device management (MDM) for all enterprise devices, all devices encrypted, strong password policy enforced, BYOD policy for own devices (if applicable)
    - 3.2 Threat and Vulnerability Management* is below peer group average. Recommendation: definition of processes, roles and responsibilities to monitor threats, scan vulnerabilities and implement actions
    - 3.9 Retention and Investigation of Data is below peer group average. Recommendation: definition of a process to retain data from key systems based on internal & external requirements and on (archiving) policy; definition of roles and responsibilities; formalized investigation procedures; legal team involved in investigations
  • 39. Security Maturity Assessment – Domain "Technology": Wireless networks should not only be logically separated from the corporate network but also protected from unauthorized physical manipulation of their access points
    Chart (Example Company, peer group Financial Services): current and target maturity per control (4.1 Firewalls*, 4.2 Remote User Access*, 4.3 Network Intrusion Detection*, 4.4 Wireless Networks*, 4.5 Database Security, 4.6 Server and System Security*, 4.7 Endpoint Device Security, 4.8 Application Security*, 4.9 Malicious Content Protection*, 4.10 Physical Control Systems) vs. Peer Group Average, Top Performer (Peer Group) and Total Average (All Participants); * = critical element based on SANS Critical Controls and Capgemini best practices (higher weighting for risk evaluation); Capgemini's high-level risk evaluation: A to E (Low Risk / Medium Risk / High Risk)
    Example Company lies in 7 out of 10 areas below the peer group average in the domain "Technology":
    - 4.4 Wireless Networks* is below peer group average. Recommendation: establishment of basic technologies and protocols to secure wireless connections, access granted based on informal request
    - 4.8 Application Security* is below peer group average. Recommendation: usage of advanced controls (e.g. strong authentication) based on clearly defined policies incl. strong authentication and license management
    - 4.2 Remote User Access* is below peer group average. Recommendation: effective usage of secure remote access, usage of two-way authentication, monitoring of violations, risks and performance
    - 4.9 Malicious Content Protection* is below peer group average. Recommendation: ongoing scanning for malicious content, monitoring of policy violations and measuring of success rate
    - 4.7 Endpoint Device Security is below peer group average. Recommendation: usage of advanced endpoint controls (e.g. endpoint forensics) based on clearly defined policies incl. configuration and license management
  • 40. Content – About Capgemini & Questback: Capgemini Consulting Cybersecurity Offerings
  • 41. Company Profile: Capgemini Consulting supports your company to benefit from the Digital Transformation and to react appropriately to growing challenges
  • 42. Capgemini Group offers and capabilities: Capgemini Consulting relies on a strong and global Cybersecurity capability network within the Capgemini Group
  • 43. Trends in Cybersecurity: With the increasing complexity of organizations and the ongoing penetration of SMACT technologies, a "full perimeter" protection is not feasible anymore
  • 44. Capgemini Consulting Cybersecurity Portfolio (excerpt): Our Strategic Cybersecurity Consulting guides your organization through a secure Digital Transformation while leveraging the power of modern technologies
  • 45. Maturity Assessment & Strategy: Capgemini performs its Cybersecurity & Information Protection (CySIP) Maturity Assessment based on a proven approach and standardized tools
  • 46. Digital Risk & Data Privacy: Capgemini helps organizations to protect their critical information assets using optimal investment strategies that minimize operational risk
  • 47. Security Target Operating Model: We support organizations in establishing an Information Security Management System that ensures an adequate setup and development of their Cybersecurity capabilities
  • 48. Awareness & Training: Awareness initiatives offered by Capgemini leverage broad communication campaigns and targeted training for roles with high risk profiles
  • 49. Managed Security Services: The Capgemini Group offers a wide range of Managed Security Services (MSS); Capgemini Consulting supports the transition to prepare clients for an efficient operation
  • 50. Cybersecurity - why Capgemini Consulting? Capgemini's proven, easy-to-adopt solutions and extensive project experience enable us to efficiently implement effective Cybersecurity capabilities
  • 51. Capgemini Surveys and Benchmarks (examples): We constantly search for new customer solutions and provide our customers with the latest research and points of view on current and future topics
  • 52. Content – About Capgemini & Questback: Questback Enterprise Feedback Solutions
  • 55. Thank You
    Dr. Guido Kamann, Head of Business & Technology Innovation, Capgemini Suisse S.A., Leutschenbachstrasse, CH- Zürich, E-Mail: guido.kamann@capgemini.com
    Dr. Paul Lokuciejewski, Lead of Cybersecurity Consulting, Capgemini Deutschland GmbH, Mainzer Landstraße, Frankfurt, E-Mail: paul.lokuciejewski@capgemini.com
  • 56. Back Up
  • 57. High-level risk evaluation logic: The risk evaluation is based on the deviation between the self-assessment and the peer group averages, considering a weighting factor for the assessment controls
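    The scoring described on this slide, written out as an added example (it is not Capgemini's assessment tooling). The study states only that the risk evaluation uses the deviation between the self-assessment and the peer group average, with a higher weighting for critical controls; the 1.5 weighting factor, the A to E band cut-offs and the values for controls 1.1, 1.7 and 1.8 below are assumptions, while the figures for 1.2 to 1.6 are the ones quoted on the "Strategy & Governance" slide for Example Company.

```python
"""Weighted peer-gap scoring for a maturity self-assessment.

Added example for this page, not Capgemini's tooling. The study only says the
risk evaluation is based on the deviation between the self-assessment and the
peer-group average, with a higher weighting for critical controls (marked * in
the slides). The weighting factor, the A-E band cut-offs and the values for
controls 1.1, 1.7 and 1.8 are assumptions / constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable

CRITICAL_WEIGHT = 1.5  # assumption: critical (*) controls weigh 1.5x in the gap
NORMAL_WEIGHT = 1.0

# Assumed cut-offs: the first lower bound the weighted gap reaches gives the band
# (A = lowest risk, E = highest risk).
BAND_LOWER_BOUNDS = [(2.0, "E"), (1.5, "D"), (1.0, "C"), (0.5, "B"), (0.0, "A")]
RISK_LABELS = {"A": "Low Risk", "B": "Low Risk", "C": "Medium Risk",
               "D": "High Risk", "E": "High Risk"}


@dataclass(frozen=True)
class Control:
    ref: str          # e.g. "1.6"
    name: str
    critical: bool    # "*" in the study (SANS Critical Controls / Capgemini best practice)
    current: float    # self-assessed current maturity level
    peer_avg: float   # peer-group average maturity level


def weighted_gap(control: Control) -> float:
    """Shortfall against the peer average, weighted up for critical controls.

    Scoring at or above the peers yields 0.0: the evaluation only flags missing maturity.
    """
    weight = CRITICAL_WEIGHT if control.critical else NORMAL_WEIGHT
    return max(0.0, control.peer_avg - control.current) * weight


def risk_band(gap: float) -> str:
    """Map a weighted gap onto the A-E scale (cut-offs are an assumption)."""
    for lower, band in BAND_LOWER_BOUNDS:
        if gap >= lower:
            return band
    return "A"


def domain_maturity(controls: Iterable[Control]) -> float:
    """Unweighted average of the current scores, as the peer-group charts report it."""
    controls = list(controls)
    return round(sum(c.current for c in controls) / len(controls), 2)


def controls_below_peers(controls: Iterable[Control]) -> int:
    """Count used for statements like 'below the peer group average in 6 out of 8 areas'."""
    return sum(1 for c in controls if c.current < c.peer_avg)


def rank_findings(controls: Iterable[Control]) -> list[tuple[str, str, float, str]]:
    """Controls with a positive weighted gap, worst first: (ref, name, gap, band)."""
    findings = [(c.ref, c.name, round(weighted_gap(c), 2), risk_band(weighted_gap(c)))
                for c in controls if weighted_gap(c) > 0]
    return sorted(findings, key=lambda f: f[2], reverse=True)


# Domain "Strategy & Governance" for Example Company. Values for 1.2 to 1.6 are the
# ones quoted on the slide; 1.1, 1.7 and 1.8 are constructed so that, as on the
# slide, 6 of 8 controls end up below the peer average.
STRATEGY_GOVERNANCE = [
    Control("1.1", "Strategy", True, 2.0, 1.8),                       # constructed
    Control("1.2", "Governance Structures", True, 2.0, 2.7),
    Control("1.3", "IT Compliance Management", False, 1.0, 2.4),
    Control("1.4", "IT Risk Management", True, 1.0, 2.0),
    Control("1.5", "BCM / DRM", True, 1.0, 2.1),
    Control("1.6", "Audits", True, 1.0, 2.5),
    Control("1.7", "Data Privacy", False, 2.0, 2.3),                  # constructed
    Control("1.8", "Security Incident Reporting", True, 2.0, 2.0),    # constructed
]

if __name__ == "__main__":
    print(f"domain maturity {domain_maturity(STRATEGY_GOVERNANCE)}, "
          f"{controls_below_peers(STRATEGY_GOVERNANCE)} of {len(STRATEGY_GOVERNANCE)} below peers")
    for ref, name, gap, band in rank_findings(STRATEGY_GOVERNANCE):
        print(f"{ref} {name:<28} weighted gap {gap:.2f} -> {band} ({RISK_LABELS[band]})")
```

    With these inputs the ranking reproduces the order of the slide's findings (1.6 Audits first, then 1.5, 1.4, 1.3, 1.2), and the weighting is what pushes the critical 1.5 BCM / DRM ahead of the non-critical 1.3 IT Compliance Management even though the raw gap of 1.3 is larger.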
  • 58. Maturity Level Descriptions – Strategy & Governance, Questions 1.1 – 1.4 (levels listed from lowest to highest maturity)
    1.1 Strategy: How does the Information Security function strategically support business and IT needs?
    - No strategy, not involved in business/IT decisions
    - Informal security strategy indirectly involved in decisions
    - Defined process for Information Security strategy development and regular review, aligned with business/IT
    - Tracking of KPIs to monitor effectiveness of support for business/IT
    - Best practice through continuous improvement, InfoSec is a critical part of business strategy and a business enabler
    1.2 Governance Structures: What is the maturity of governance structures for security decisions (e.g. concerning support for bring-your-own-device (BYOD)) to ensure involvement of all relevant stakeholders?
    - No decision structures for InfoSec
    - Informal and ad-hoc decision structures for InfoSec in place
    - Formal team for making InfoSec decisions, escalation mechanisms defined
    - Defined security steering committee with all relevant stakeholders, direct report to management
    - Visible security and risk steering committee for directions, involvement of top management
    1.3 IT Compliance Management: To which degree does IT compliance management support the identification of relevant laws, standards and other requirements to implement an effective policy framework?
    - No IT compliance management function in place
    - Inconsistent processes, loosely defined roles and minimal reporting, inconsistent policies
    - Defined processes, roles and responsibilities for compliance management, consistent policy framework based on common standards (e.g. ISO 27001), reporting
    - Regular review of policies, automatic company-wide collection of security-relevant data for qualification of gaps/ incidents, internal controls implemented
    - New requirements timely identified by active research & automated alerts, near real-time compliance data availability for decision-making
    1.4 IT Risk Management: How is the IT risk management function implemented to support all relevant stakeholders with InfoSec risk-related decisions?
    - No IT risk management function in place
    - Inconsistent processes, loosely defined roles and minimal reporting
    - Defined processes, roles and responsibilities for risk, regular assessments, management of mitigation measures, reporting
    - Use of manual and automated key risk indicators for risk exposure tracking, business decisions consider risks
    - Business decisions use risk as key decision criteria, automated risk identification, continuous improvement
  • 59. Maturity Level Descriptions – Strategy & Governance, Questions 1.5 – 1.8 (levels listed from lowest to highest maturity)
    1.5 Business Continuity and Disaster Recovery Management: How is business continuity and disaster recovery (BC/DR) implemented to maintain operations in the event of significant and unexpected incidents?
    - No BC/DR function or plan existing
    - Basic plans for keeping IT key systems running in case of potential disasters
    - Defined process, roles & responsibilities, documented plans to meet defined recovery and business objectives using business impact analysis
    - BC/DR plan is regularly reviewed & tested with all relevant stakeholders, training for relevant stakeholders
    - Continuously improved BC/DR plans and processes to meet risk, performance and recovery objectives
    1.6 Audits: How does the InfoSec organization / responsible person interact with auditors and third-party audits, and how are their findings processed within the InfoSec organization?
    - Audits not performed by auditors and third parties
    - Rare interaction with auditors, inconsistent process for response to audit findings
    - Established relationship to auditors (internal & 3rd party), defined process for audit planning and for response to findings
    - Predefined data collection methods for timely auditor support, immediate response to findings by automated process
    - Close collaboration with auditors to optimize InfoSec value to the organization, automated data collection methods for real-time audit requests
    1.7 Data Privacy: To which level is data privacy enforced to protect personal & business data and adhere to laws and regulations?
    - Privacy is not a topic, no idea who or which system uses personal data
    - Privacy receives attention in some parts of the organization, privacy accountability scattered
    - Defined processes, roles and responsibilities for privacy management, organization-wide policy
    - Value of data privacy leveraged to improve reputation and sales, audits performed
    - Privacy processes continuously improved, part of organization culture
    1.8 Security Incident Reporting: How are security incidents identified and reported to reduce risk and negative impact to the organization?
    - No processes to identify, report and respond to security incidents
    - Individual reporting and response to incidents when they arise
    - Defined policy and process to report and respond to security incidents, contact persons known
    - Incident responses reviewed to measure efficiency, partially automatic reporting, maintenance of loss history
    - Proactive, automatic identification of incidents, continuous improvement for risk minimization
  • 60. Maturity Level Descriptions – Organization & People, Questions 2.1 – 2.4 (levels listed from lowest to highest maturity)
    2.1 Information Security Organization Structures: To which degree are security organization structures implemented to effectively and efficiently support business and IT needs?
    - No defined or understood structures for the InfoSec function
    - Inconsistent functions distributed across teams, loosely defined roles and minimal reporting
    - Security organization based on documented reporting structure and defined roles & responsibilities
    - Security org structure reflects business organization, monitored to meet changing business needs, defined and aligned HR strategy
    - Continuous improvement to increase performance, proactive adjustment to upcoming business changes
    2.2 Roles & Responsibilities: How are roles and responsibilities defined within Information Security to support business?
    - No InfoSec division/ no definition of roles and responsibilities
    - Basic roles and responsibilities for some InfoSec team members defined
    - Documented roles and responsibilities for all InfoSec team members, incl. the team's role in the organization
    - Metrics used to track effectiveness of roles and responsibilities, InfoSec roles widely known
    - Continuous improvement of roles and responsibilities through ongoing reviews for improved business support
    2.3 Employee Training and Awareness: To what extent are security trainings and awareness initiatives offered to all employees for proper behavior related to security?
    - No employee training or awareness regarding security issues
    - Materials provided ad-hoc to promote awareness for arising issues, no concept
    - Defined policies & channels for training and awareness campaigns, defined roles and responsibilities, clean desk policy
    - Holistic concept defined, awareness and training success measured (e.g. surveys), multiplier network for effective implementation
    - Trainings and awareness fully incorporated into corporate training plan & communication, proactive search for relevant awareness topics
    2.4 Information Security Expert Training: How are expert trainings and certifications for Information Security staff managed to keep staff up-to-date with latest technologies, threats, best practices, and business needs?
    - No training/ certification for security staff
    - Infrequent training/ certification for some staff, based on need or interest
    - Mandatory training/ certification for selected positions, based on training plan
    - Mandatory training/ certification for all security staff, participation/ success tracked, training plan aligned with HR
    - Proactive investment in training/ certification based on business and InfoSec strategy to optimize the entire InfoSec
• 61. Maturity Level Descriptions – Organization & People Questions

Information Security Service Improvement: To which degree are capabilities developed to define, track and improve InfoSec services (e.g. personal background checks) for business users?
Level 1: No security team / no specific InfoSec services offered
Level 2: Inconsistent and undocumented InfoSec services available, no timely reaction to business complaints
Level 3: Clearly defined services for business along with key performance indicators (KPIs), process for user complaints/feedback
Level 4: Service KPIs tracked to ensure business goals are met, regular alignment with business to support requirements definition
Level 5: Continuous improvement of InfoSec services and responses to business requirements, InfoSec seen as business enabler

Relationship with Business Units: How is the relationship and interaction between Information Security and other business units/executives (e.g. legal) regarding effective collaboration and coordination?
Level 1: No interaction, support or integration of InfoSec staff with other units
Level 2: Occasional, informal interaction, support, and/or integration of InfoSec with other units (e.g. information sharing)
Level 3: Formal, documented relationship of the InfoSec function for key business or functional areas
Level 4: Close collaboration and communication with other units, use of joint success metrics
Level 5: Continuous improvement of collaboration to maximize security and business performance, InfoSec viewed as essential for business

Cooperation with Corporate Security: What is the level of cooperation of Information Security with Corporate Security, including physical security?
Level 1: No cooperation with Corporate Security
Level 2: Infrequent communication between InfoSec and Corporate Security when issues arise
Level 3: Collaboration with Corporate Security concerns a few defined areas (e.g. access control)
Level 4: Close collaboration with Corporate Security on multiple topics, use of joint success metrics
Level 5: Holistic integration between InfoSec and Corporate Security processes and policies, continuous improvement of collaboration

Social Media: How is the use of social media controlled to avoid security breaches resulting e.g. from disclosure of sensitive information or spread of false, illegal or offensive information?
Level 1: Social media not used for company purposes
Level 2: Social media available to any employee without control of transmitted data
Level 3: Documented social media policy, roles and responsibilities defined for management of social media
Level 4: Access restricted by firewalls based on the user's role, manual monitoring of social media, time-to-react measured
Level 5: Automatic, tool-based monitoring of social media contents, continuous improvement of reaction time
• 62. Maturity Level Descriptions – Processes Questions

Identity and Access Management: How is identity and access management (IAM) implemented to define, administer and track logical access privileges across the corporate systems?
Level 1: No IAM processes or tools in place
Level 2: Basic access controls and provisioning systems for some IT assets
Level 3: Defined processes, roles and responsibilities for IAM based on job functions and access policies, personalized (named) accounts
Level 4: Monitoring of user accesses to identify violations, regular review of privileges, managed access to cloud solutions and mobile devices
Level 5: Close collaboration between InfoSec department and business/HR for real-time synchronization of joiners, movers and leavers, continuous improvement

Patch Management: What is the level of patch management to ensure that patches on corporate devices (e.g. servers, notebooks, databases, mobile devices) are up to date to reduce the risk of security breaches?
Level 1: No patch management function or process in place
Level 2: Patching occurs when needs arise, no documentation and no formal approval process
Level 3: Defined processes, roles and responsibilities to install only tested and approved patches
Level 4: Patch management partially automated, ongoing monitoring, KPIs (e.g. time-to-patch) measured on a regular basis
Level 5: Best-practice process, based on continuous improvement, regular reporting

Threat and Vulnerability Management: How does the Information Security organization / responsible person manage the identification of threats and vulnerabilities to take appropriate mitigation actions?
Level 1: No function to manage threats or vulnerabilities
Level 2: Potential threats and vulnerabilities addressed in response to industry news and alerts
Level 3: Defined processes, roles and responsibilities to monitor threats, scan for vulnerabilities and implement actions
Level 4: Proactive research for new threats and vulnerabilities, system controls updated accordingly, company-wide SIEM for real-time monitoring
Level 5: Continuous improvement of process effectiveness and risk reduction, ongoing automatic vulnerability scanning

Information Classification: How are information assets (e.g. documents, IT systems) identified, classified and handled to manage data appropriately to its confidentiality level?
Level 1: No processes for information asset management and classification
Level 2: Inconsistent classification of information assets
Level 3: Consistent classification policy, classification of all information assets by documented asset owners based on business needs and regulatory requirements
Level 4: (Partially) tool-enforced document classification, regular review of asset owners & defined classification, monitoring of access to sensitive data
Level 5: Regular review of classification criteria to improve support for business & risk management needs
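Patch Management at Level 4 requires that time-to-patch be measured regularly, but the model does not say how the KPI is derived. The following added example (not part of the benchmark report or of any Capgemini tool) computes it from a constructed patch-deployment log: elapsed days from patch publication to installation per host, compared against an assumed per-severity SLA, with hosts that are still unpatched measured against the reporting date so that open exposures are not silently dropped from the metric. The SLA values, record layout and sample records are assumptions chosen for illustration.

```python
"""Time-to-patch KPI over a constructed patch-deployment log.

Added example, not part of the benchmark report. Severity SLAs, record
layout and sample data are assumptions chosen for illustration.
"""
from datetime import date
from statistics import median

# Assumed remediation SLA in days per patch severity (adjust to policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample records: (patch_id, severity, published, host, installed)
# installed is None while the host is still missing the patch.
DEPLOYMENTS = [
    ("KB-0001", "critical", date(2018, 3, 1), "web-01", date(2018, 3, 3)),
    ("KB-0001", "critical", date(2018, 3, 1), "web-02", date(2018, 3, 12)),
    ("KB-0001", "critical", date(2018, 3, 1), "db-01", None),
    ("KB-0002", "high", date(2018, 2, 10), "web-01", date(2018, 2, 20)),
    ("KB-0002", "high", date(2018, 2, 10), "web-02", date(2018, 3, 1)),
    ("KB-0003", "medium", date(2018, 1, 5), "db-01", date(2018, 2, 1)),
]
AS_OF = date(2018, 3, 15)  # date of the KPI run


def classify(severity, published, installed, as_of):
    """Return (elapsed_days, status) for one host/patch pair.

    Unpatched hosts are measured against the reporting date so that an
    open exposure keeps growing instead of being excluded from the KPI.
    """
    sla = SLA_DAYS[severity]
    end = installed if installed is not None else as_of
    days = (end - published).days
    if installed is not None:
        status = "installed" if days <= sla else "late"
    else:
        status = "pending" if days <= sla else "overdue"
    return days, status


def evaluate(deployments, as_of=AS_OF):
    """Annotate every deployment record with elapsed days and SLA status."""
    rows = []
    for patch, severity, published, host, installed in deployments:
        days, status = classify(severity, published, installed, as_of)
        rows.append({"patch": patch, "host": host, "severity": severity,
                     "days": days, "sla": SLA_DAYS[severity], "status": status})
    return rows


def kpi_summary(rows):
    """Per-severity KPI: share of hosts patched within SLA and median time-to-patch."""
    summary = {}
    for sev in sorted({r["severity"] for r in rows}):
        group = [r for r in rows if r["severity"] == sev]
        done = [r["days"] for r in group if r["status"] in ("installed", "late")]
        within = sum(1 for r in group if r["status"] == "installed")
        summary[sev] = {
            "hosts": len(group),
            "compliance": within / len(group),
            "median_days": median(done) if done else None,
        }
    return summary


def overdue(rows):
    """(patch, host) pairs past SLA and still unpatched: the list to escalate."""
    return [(r["patch"], r["host"]) for r in rows if r["status"] == "overdue"]


if __name__ == "__main__":
    rows = evaluate(DEPLOYMENTS)
    for sev, kpi in kpi_summary(rows).items():
        print(f"{sev:9s} hosts={kpi['hosts']} compliance={kpi['compliance']:.0%} "
              f"median_ttp={kpi['median_days']}d")
    print("overdue:", overdue(rows))
```

With the sample data the critical patch reaches only one of three hosts inside its seven-day window, and db-01 is reported as overdue rather than vanishing from a median that only counts completed installs; that distinction is what makes the KPI usable for the "ongoing monitoring" the Level 4 description asks for.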
• 63. Maturity Level Descriptions – Processes Questions

Sourcing and Vendor Management: How is sourcing and vendor management implemented to maintain a desired level of security?
Level 1: No procedures to incorporate security in sourcing or vendor management
Level 2: Inconsistent processes for incorporating security into sourcing and vendor management
Level 3: Sourcing and vendor management includes security and risk requirements, documented sourcing strategy and SLAs
Level 4: Audits of vendors to ensure compliance with defined requirements, formal & regular risk evaluation of vendors
Level 5: Risk as one of the key criteria for vendor decisions, standard evaluation of third-party staff, ongoing process improvement

Backup: What is the level of data backup to protect business information?
Level 1: Backup of data not performed
Level 2: Backup of certain data performed on an ad hoc basis
Level 3: Defined processes and backup policy, roles and responsibilities to back up all relevant data
Level 4: Backup based on business needs, monitoring, data restore tested, defined procedures for authorized access, physically distributed backups
Level 5: Best-practice backup through continuous improvement of processes (e.g. by KPIs such as time-to-backup, time-to-restore) and tools

Secure Application Development: To which degree are security procedures implemented to ensure secure application development?
Level 1: Security not considered during application development
Level 2: Basic security testing and security review at key development milestones
Level 3: Defined security requirements for all development projects, formal testing and reviews, security policy for 3rd-party developer partners
Level 4: Internal training, frequent testing, certified 3rd parties, monitoring of 3rd-party developers, controls to avoid unauthorized access & change
Level 5: Continuous investment in a combination of training & tools to improve secure development, proactive vulnerability analysis during development

Mobile Devices: How are enterprise mobile devices (e.g. mobile phones, smartphones, tablet computers) managed to optimize the security of mobile communications networks?
Level 1: No centralized management of mobile devices
Level 2: Some enterprise mobile devices are centrally managed, devices not encrypted
Level 3: Defined mobile device management for all enterprise devices, all devices encrypted, strong password policy enforced, BYOD policy for personally owned devices
Level 4: Regular review of installed apps on mobile devices, tool-based patching, identification of policy violations, automatic remote data erase
Level 5: Continuous improvement of mobile device security to increase business performance and minimize risks
• 64. Maturity Level Descriptions – Processes Questions

Retention and Investigation of Data: To what extent are processes for retention (e.g. archiving) and investigation of data implemented to comply with laws and regulations?
Level 1: No capabilities or processes for data retention and forensic analysis
Level 2: Data is retained for some systems based on requests, manual forensics
Level 3: Defined process to retain data from key systems based on internal & external requirements and on (archiving) policy, defined roles and responsibilities
Level 4: Defined life-cycle management, centralized retention of all relevant data incl. data destruction requirements, audits to enforce compliance
Level 5: Automated life-cycle management for data collection, retention and destruction, specialized forensics team

Physical User Access Management: To what extent is physical user access management implemented in the organization?
Level 1: Physical user access management is not in place
Level 2: Physical access privileges are generated or changed ad hoc on demand, basic entry mechanisms (e.g. key lock)
Level 3: Defined processes, roles and responsibilities, privileges based on job functions & access policies, advanced entry mechanisms, visitors escorted
Level 4: Monitoring of user accesses to identify violations, regular review of privileges, physical access mechanisms regularly maintained
Level 5: Close collaboration between InfoSec department and business/HR for real-time synchronization, continuous improvement

Cloud Computing: To what extent is secure usage of private and public clouds (e.g. SaaS or IaaS) implemented in the organization?
Level 1: Public cloud services are not used
Level 2: Public clouds used as needed, transmitted data is not controlled
Level 3: Use of private and public cloud based on policy (e.g. selection of provider according to server location), data transmission based on classification policy
Level 4: Testing of classification policy adherence, audits of cloud provider, security-related issues part of cloud provider contracts
Level 5: Continuous optimization of cloud security controls, tool-based orchestration of clouds to reduce security risks
• 65. Maturity Level Descriptions – Technology Questions

Firewalls: To which degree are central and/or device-specific firewalls installed to restrict network-level access from one network to another?
Level 1: No network firewalls installed
Level 2: Firewalls deployed to protect several locations as needs arise
Level 3: Firewalls deployed selectively, documented policies and processes to manage rules
Level 4: Firewalls deployed extensively, ongoing monitoring, regular audit of firewall rules
Level 5: Ongoing improvement of firewalls to support business needs and minimize risk

Network Intrusion Protection: What is the level of network intrusion protection to detect and block non-compliant network traffic?
Level 1: No controls to inspect or block network traffic
Level 2: Some intrusion detection capabilities for selected network segments
Level 3: IDS and/or IPS (intrusion detection/prevention systems) deployed at high-risk interfaces, based on policy, documented configuration
Level 4: IDS and/or IPS deployed with metrics to track performance, monitoring, regular review of configuration
Level 5: IPS and/or IDS with ongoing measurement to maximize performance and security

Remote User Access: How does the Information Security organization / responsible person support secure access for remote users to the corporate network and systems?
Level 1: No method in place to allow secure remote connections
Level 2: Basic technologies to allow some instances of remote connection on request
Level 3: Formal mechanisms (e.g. IPsec or SSL VPN) in place, clear policies and user understanding
Level 4: Effective use of secure remote access, use of two-way authentication, monitoring of violations
Level 5: Continuous improvement to increase performance and reduce risk, proactive identification of vulnerabilities

Wireless Network: To what extent is wireless access to network resources secured?
Level 1: No mechanism to allow protected wireless connections
Level 2: Basic technologies and protocols to secure wireless connections, access granted based on informal request
Level 3: Formal process for WiFi access account creation, encrypted communication, physically secured access points, guests without full network access
Level 4: Monitoring of log files & policy violations, guest access provisioning system, regular wireless vulnerability assessment, wireless intrusion prevention
Level 5: Continuous improvement of wireless security (e.g. use of recent protocols), performance and risk improvement
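The Firewalls question places "regular audit of firewall rules" at Level 4 without saying what such an audit looks for. Two findings that every rule-base review produces are permit-anything rules and rules that can never match because an earlier rule in a first-match-wins policy already covers all of their traffic; the second case is dangerous when the masked rule is a deny that was meant to carve out an exception. The following added example (not from the benchmark report or any vendor's tooling) implements both checks over a constructed, vendor-neutral rule list; the rule format and the sample rules are assumptions.

```python
"""Firewall rule-base audit over a constructed rule set (added example).

Flags permit-anything rules and rules masked by an earlier rule in a
first-match-wins policy. The rule format and sample rules are assumptions,
not any vendor's syntax.
"""
from ipaddress import ip_network

ANY = ip_network("0.0.0.0/0")
ALL_PORTS = (1, 65535)

# Constructed rule base, first match wins: (action, proto, src, dst, (lo, hi))
RULES = [
    ("allow", "tcp", "10.0.0.0/8", "10.1.0.0/16", (443, 443)),
    ("allow", "tcp", "0.0.0.0/0", "0.0.0.0/0", ALL_PORTS),
    ("deny", "tcp", "10.0.5.0/24", "10.1.0.0/16", (443, 443)),
    ("allow", "udp", "192.168.0.0/16", "10.2.0.0/16", (53, 53)),
    ("allow", "tcp", "10.0.5.0/24", "10.1.2.0/24", (443, 443)),
]


def parse(rules):
    """Turn CIDR strings into network objects so containment can be tested."""
    return [(a, p, ip_network(s), ip_network(d), ports) for a, p, s, d, ports in rules]


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    _, oproto, osrc, odst, oports = outer
    _, iproto, isrc, idst, iports = inner
    return ((oproto == "any" or oproto == iproto)
            and isrc.subnet_of(osrc) and idst.subnet_of(odst)
            and oports[0] <= iports[0] and iports[1] <= oports[1])


def find_permit_any(rules):
    """Indices of rules that allow any source to any destination on all ports."""
    return [i for i, (a, _, s, d, ports) in enumerate(rules)
            if a == "allow" and s == ANY and d == ANY and ports == ALL_PORTS]


def find_unreachable(rules):
    """(index, covering_index, kind) for rules masked by an earlier rule.

    kind is 'shadowed' when the actions differ (the masked rule was meant to
    change behaviour but never fires) and 'redundant' when they agree.
    """
    findings = []
    for j in range(len(rules)):
        for i in range(j):
            if covers(rules[i], rules[j]):
                kind = "shadowed" if rules[i][0] != rules[j][0] else "redundant"
                findings.append((j, i, kind))
                break  # report the first rule that masks it
    return findings


def audit(raw_rules):
    """Run both checks and return the findings keyed by check name."""
    rules = parse(raw_rules)
    return {"permit_any": find_permit_any(rules),
            "unreachable": find_unreachable(rules)}


if __name__ == "__main__":
    report = audit(RULES)
    for i in report["permit_any"]:
        print(f"rule {i}: permits any->any on all ports; scope it or remove it")
    for j, i, kind in report["unreachable"]:
        print(f"rule {j}: {kind} by rule {i} ({RULES[i][0]} {RULES[i][1]} "
              f"{RULES[i][2]} -> {RULES[i][3]})")
```

On the sample rule base the deny at index 2 is shadowed by the broad allow at index 0, so the intended block of 10.0.5.0/24 never takes effect, and index 1 is an unscoped permit-all; index 4 is merely redundant. Containment is tested with `IPv4Network.subnet_of`, available from Python 3.7.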
• 66. Maturity Level Descriptions – Technology Questions

Database Security: How does the Information Security organization / responsible person use database security technologies to maintain the confidentiality and integrity of stored data?
Level 1: No use of basic database security controls (such as encryption, monitoring)
Level 2: Only use of basic database security controls on an ad hoc basis
Level 3: Use of advanced database controls based on clearly defined policies incl. manual log file checking and audits
Level 4: Scanning of databases to detect vulnerabilities, database configuration and log files monitored on a regular basis, protection of log files, reporting
Level 5: Continuous optimization of security controls to support business needs and risk objectives

Endpoint Device Security: How are endpoint devices protected to maintain their confidentiality, integrity and availability?
Level 1: No use of basic endpoint security controls
Level 2: Only use of basic endpoint security controls on an ad hoc basis (such as antivirus or firewalls)
Level 3: Use of advanced endpoint controls based on clearly defined policies incl. configuration and license management
Level 4: Scanning for unauthorized applications and peripherals, monitoring of policy violations, use of data leak prevention (DLP)
Level 5: Continuous optimization of security controls to support business needs and risk objectives

Server and System Security: How are corporate servers and systems protected to maintain their confidentiality, integrity and availability?
Level 1: No use of server security controls
Level 2: Only use of basic server security controls on an ad hoc basis (such as antivirus or firewall)
Level 3: Use of advanced server controls based on clearly defined policies incl. configuration and license management
Level 4: Scanning of servers to detect vulnerabilities, server configuration and log files monitored on a regular basis, use of data leak prevention (DLP)
Level 5: Continuous optimization of security controls to support business needs and risk objectives

Application Security: How are applications protected to maintain their confidentiality, integrity and availability?
Level 1: No use of basic application security controls
Level 2: Only use of basic application security controls on an ad hoc basis (such as vulnerability testing or firewalls)
Level 3: Use of advanced controls based on clearly defined policies incl. strong authentication and license management
Level 4: Scanning of applications for vulnerabilities, log files monitored on a regular basis
Level 5: Continuous optimization of security controls to support business needs and risk objectives
• 67. Maturity Level Descriptions – Technology Questions

Malicious Content Protection: How is the infrastructure protected against malicious content (e.g. trojans) and how is confidential content protected against mishandling?
Level 1: No use of basic message or content security technologies
Level 2: Only use of basic security technologies on an ad hoc basis (such as web filtering or anti-spam)
Level 3: Use of advanced security technologies based on clearly defined policies, message encryption used
Level 4: Ongoing scanning for malicious content, monitoring of policy violations
Level 5: Continuous optimization of security technologies to support business needs and risk objectives

Physical Control Systems: How are physical control systems (protection against external and environmental threats AND industrial control systems (ICS) to monitor and/or control physical processes) managed?
Level 1: No use of physical control systems
Level 2: Only use of basic security control systems (e.g. fire extinguisher)
Level 3: Defined processes, policies, roles and responsibilities for use of advanced security control systems (e.g. 3-phase UPS, fire alarm, ICS)
Level 4: Control systems monitored to identify threats, scanning for vulnerabilities, unauthorized access and policy violations, regular maintenance
Level 5: Continuous optimization and preventive maintenance of security control systems to support business needs and risk objectives