A practical application of CMM to medical security capability

Purpose – The manner in which information is used and communicated in the medical environment has been revolutionized by the introduction of electronic storage, manipulation and communication of information. This change has brought with it many challenges in information security. This research seeks to propose a practical application, the capability maturity model (CMM), to meet the needs of medical information security practice.

Design/methodology/approach – This paper builds on previous work by the author using the Tactical Information Governance for Security model developed for the medical setting. An essential element of this model is the ability to assess the current capability of a practice to meet the needs of security and to identify how improvements can be made. Existing CMM models are reviewed to inform construction of an operational framework for capability assessment.

Findings – An operational capability framework for assessing security capability in medical practice, based on CMM principles, is pre...
