Using Capability Maturity Model to Assess the Effectiveness of Information Security Controls in an Organization

Using Capability Maturity Model to Assess the Effectiveness of Information Security Controls in an Organization

Lewis Kwaku Duah

Many organizations have deployed various systems to facilitate the operations of their businesses, largely due to the benefits derived from the use of information technology. In spite of the numerous benefits derived from the use of information technology, its use brings about increased risks and/or threats to business processes. There is therefore the important task of protecting these systems from abuse and exploitation by both internal and external factors. To achieve this, organizations deploy and institute various controls to mitigate identified and inherent risks. In spite of these implemented controls, organizations have lost huge amounts of funds, resources and trade secrets with its attendant loss in reputation from compromises in their systems. These compromises could have been averted and cost to the organization minimized or eliminated with continuous auditing by internal and external entities which would have highlighted the areas of weakness to enable the organization address them. The study was to provide organizations with an avenue to assess the effectiveness of implemented information security controls using the capability maturity model. A conceptual audit framework was also developed from which audit test cases can be created to test the implemented controls.

MSc Management In Information Systems

Ghana Technology University College

January 2017

Dominic K. Louis