The MAPP methodology consists of three steps: a Maturity Assessment, a Profile, and a Plan. With it, a CISO measures the maturity of key business processes in a robust, reliable, repeatable way, communicates the organization’s security posture, and engages management in benchmarking, gap analysis and process-improvement planning.
Maturity assessments are the basis on which a CISO measures the effectiveness of the organization’s cyber security capability. Aggregated across all of the organization’s security processes, the maturity measures form a security profile unique to the organization. Presented with clear information about the maturity of each security process, the CISO and management can perform a gap analysis between the current and the desired maturity level and determine whether the organization is performing at the level it should.
Where it is not, remediation efforts can be planned and appropriately funded, because management now understands the size of the maturity gap as well as where and why those resources will be spent.
MAPP is not an audit: it measures the performance of the security processes the organization requires, as determined by its business needs, industry or regulation.