Genuine Parts Company determined that its initial cyber maturity assessment needed to establish a baseline against a common framework aligned with the NIST CSF and the ISO 27001 controls. Genuine Parts needed to assess multiple business units, demonstrate maturity aligned with the NIST CSF, and specifically demonstrate maturity in managing risk, rather than compliance alone.
Genuine Parts customized the CMMI Cybermaturity Platform to target the following areas for improvement in its assessment:
- Apply governance elements
- Apply risk strategy
- Implement risk management
- Implement risk identification
- Ensure access control management
- Apply data security protection
- Apply organizational training
- Ensure trustworthy systems
- Apply operational protection provisions
- Apply protection planning
- Apply protective technology provisions
- Apply cybersecurity incident detection
- Apply continuous monitoring
- Apply incident response
- Apply incident handling
- Apply incident recovery
The Solution
Genuine Parts selected the CMMI Cybermaturity Platform because of its alignment with globally recognized standards, particularly the NIST Cyber Security Framework (CSF), which is already an industry benchmark with risk-based controls. The platform's Informative References and alignments across the 20 CIS (Center for Internet Security®) Cyber Security Controls, COBIT controls, ISA-62443-2-1-2009 (Security for Industrial Automation and Control Systems), ISO/IEC 27001 INFOSEC controls, and the federal controls in NIST SP 800-53 Rev. 4 provide additional utility. To succeed, Genuine Parts determined that its initial CMMI Cybermaturity Platform maturity assessment model must be:
- Digital
- Risk-based
- Provide a risk profile/map
- Easy to use
- Customizable
- Self-paced
- Align to the NIST Cyber Security Framework (CSF)
- Align to the ISO 27001 Controls for ease of self-assessment and improvement
- Produce a roadmap for improvement
As Genuine Parts developed its customized risk profile, the descriptors for each frequency-of-occurrence value led to invaluable discussions among the Genuine Parts senior leaders. Without these definitions, calibrating their current state and then defining improvement goals would have been nearly impossible.
In addition, using the CMMI Cybermaturity Platform Maturity Scorecard within each Practice Area Assessment allowed employees to review and understand the People, Process, and Technology (PPT) objective for each maturity level, together with its corresponding ISO 27001 Informative Reference by maturity level. This view provided specific insight into measured versus targeted maturity levels: an eye-opening experience and a rallying cry for continuous improvement.
Key Performance Goals Achieved
While the Genuine Parts Company Enterprise Security Team could not control the number of security incident tasks it received, it could control how efficiently and quickly it resolved them.
Since the CMMI Cybermaturity Platform self-assessment in January 2020, the team has:
- Reduced Mean Time to Task Resolution (MTTR) from nearly 24 days (23.9) over the previous three quarters to an average of 6.5 days for the first two quarters of 2020
- Decreased the range of backlog days for tasks from a high of 117 days during the previous three quarters to a low of six days for the first two quarters of 2020
Editor’s note: Read the full Genuine Parts case study. For additional resources on cyber maturity, including a video on how ISACA’s CMMI® Cybermaturity Platform helps CISOs, CIOs, and large enterprise organizations build cyber maturity, visit ISACA’s cyber maturity page.