H24 Maturity Framework
Our H24 “Honeycomb” is helpful when an organization is, or wants to be, aligned with an authoritative source such as NIST CSF or ISO 27k and is unsure which improvements to prioritize and what those capabilities should look like in practice.
H24 is a capabilities maturity framework that helps organizations visualize, evaluate, and prioritize cybersecurity investments.
The H24 Framework:
- Assesses security capabilities across Governance, Programs and Operations domains
- Maps to the NIST CSF, ISO 27001, HIPAA, HICP, and other authoritative sources, but provides more specific guidance on the characteristics of modern capabilities
- Uses objective criteria to describe each maturity level and recommended practices
Each of H24’s tiles has clearly-defined objective criteria for each maturity level that we use to evaluate your program and develop specific recommendations for improvement. The below sample represents the objective criteria we use for just one of the H24 tiles.
Example Objective Criteria – Privileged Access Management
Maturity Level 1 - Initial
- Cybersecurity inventories and reviews domain administrator accounts with IT for appropriateness, a minimum of annually.
- Hard coded passwords and privileged password sheets are prohibited by policy.
- Powerful account privileges are separate from standard user accounts.
- Cybersecurity helps critical application owners and custodians review and reduce the number of privileged accounts.
Maturity Level 2 - Repeatable
- Privileged network accounts are hardened including reduction of trusts and rights, logging, and reduction in use of local administrator.
- Privileged account use logs are identified and available for inspection, even if in decentralized platforms.
Maturity Level 3 - Defined
- A defined PAM governance policy is in place that defines privileged accounts and defines the process to ensure that accounts are created, documented, assigned, used, and monitored.
- Cybersecurity maintains a list of known privileged network, database and critical application accounts and risk ranks them.
- Monitoring and correlation rules are developed in SIEM/UEBA including privileged network, database and priority application logins.
- Local administrator use is removed from all domain-joined workstations and monitored for compliance.
- A password vault platform helps govern privileged domain and local administrative accounts, requiring check-in/checkout procedures.
- Standard operating system images use protected memory space for password and secret storage (such as W10 credential guard with TPM chip).
Maturity Level 4 - Adaptable
- Password vaulting tools are extended beyond domain and workstation administrative accounts to other types of systems, including network infrastructure, databases, and application-level accounts.
- Checkout of privileged accounts requires multi-factor authentication.
- Password vaulting is implemented in such a manner that critical artifacts, such as password hashes, are not able to be exploited for access after they are used.
- Privileged accounts follow quarterly recertification processes by their owners and custodians.
- The password vault is hardened and closely monitored in SIEM/UEBA rules and requires multi-factor authentication to administer.
- SIEM/UEBA behavioral rules and algorithms create alerts on unusual privilege use, creation of new powerful accounts, etc. for investigation by the CyberSOC.
- A responsible team conducts annual risk assessment of privileged account attack vectors to improve preventive and detective controls.
- A responsible team operates privileged account discovery tools on a quarterly basis to identify and investigate new privileged accounts.
Maturity Level 5 - Optimized
- Application and service accounts use PAM tools for systems interfaces, secret management, and SSH & API key management.
- Cloud infrastructures operate at parity with on-premise systems for PAM processes, using on-premise tools or cloud-based systems like AWS Secrets Manager or Azure Key Vault.
- The organization uses PAM tools for managing social media accounts.
- Supplier access is governed by PAM tools and processes for all remote access and support needs.
- Privileged session recording is enabled for full audit trails of privilege use.
- Cybersecurity searches for hard-coded privileged accounts in source code on file shares, collaborating with stakeholders to remove them and replace with secure solutions.
- Service and Application accounts are designed with A2A (Application to Application) relationships.
- Dedicated directory architecture designs have been implemented (such as AD Red Forest or ESAE) to further reduce attack surface and ability for attackers to gain access.
- The “Clean Source” principle only allows access to PAM tools from hardened, dedicated systems disconnected from the internet and email.
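The Level 3 and Level 4 criteria above call for SIEM/UEBA rules that alert on privileged logins, creation of new powerful accounts and unusual privilege use, and for discovery of privileged accounts that are not yet in the inventory. The following added example (not part of the H24 framework or any vendor product) shows what such a rule set looks like as code: it runs over a handful of constructed JSON log records, keeps a baseline of known privileged accounts and the hosts they normally use, and correlates a group-membership change with a later privileged logon by the same account. The field names, group names, account names and the baseline are all assumptions made for the example.

```python
"""Minimal privileged-access detection pass over constructed log records.

Added illustration of the H24 Level 3/4 SIEM/UEBA criteria; every name and
event below is an assumption, not an organization's real data.
"""
import json
from collections import defaultdict

# Groups treated as "powerful" (assumption: would come from the organization's
# own risk-ranked inventory of privileged accounts and groups).
POWERFUL_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Baseline of known privileged accounts and the hosts they normally log on to
# (constructed; in practice maintained from the privileged account inventory).
BASELINE = {
    "adm-jsmith": {"PAW01", "DC01"},
    "adm-rlee": {"PAW02", "DC01"},
}

# Constructed sample events, one JSON object per line, as a SIEM might normalize them.
SAMPLE_LOGS = [
    '{"ts": "2024-05-01T08:01:00Z", "event": "privileged_logon", "user": "adm-jsmith", "host": "PAW01"}',
    '{"ts": "2024-05-01T08:05:00Z", "event": "group_member_added", "actor": "adm-rlee", "member": "svc-backup", "group": "Domain Admins"}',
    '{"ts": "2024-05-01T08:07:00Z", "event": "privileged_logon", "user": "adm-jsmith", "host": "WKS-FINANCE07"}',
    '{"ts": "2024-05-01T08:09:00Z", "event": "privileged_logon", "user": "svc-backup", "host": "DC01"}',
    '{"ts": "2024-05-01T08:10:00Z", "event": "group_member_added", "actor": "adm-rlee", "member": "jdoe", "group": "Marketing"}',
]


def detect(lines, baseline=BASELINE, powerful=POWERFUL_GROUPS):
    """Return a list of alert dicts produced by the rules over the given JSON lines."""
    alerts = []
    recently_added = set()  # accounts added to a powerful group within this batch

    for raw in lines:
        ev = json.loads(raw)
        kind = ev.get("event")

        # Rule 1: creation of a new powerful account (membership added to a privileged group).
        if kind == "group_member_added" and ev["group"] in powerful:
            recently_added.add(ev["member"])
            alerts.append({
                "ts": ev["ts"], "rule": "new_powerful_account", "severity": "medium",
                "subject": ev["member"],
                "detail": f'{ev["actor"]} added {ev["member"]} to {ev["group"]}',
            })

        elif kind == "privileged_logon":
            user, host = ev["user"], ev["host"]
            # Rule 2 (correlation): a just-elevated account immediately using privilege.
            if user in recently_added:
                alerts.append({
                    "ts": ev["ts"], "rule": "new_account_privileged_use", "severity": "high",
                    "subject": user,
                    "detail": f"{user} used privilege on {host} shortly after being elevated",
                })
            # Rule 3 (discovery): privileged logon by an account missing from the inventory.
            elif user not in baseline:
                alerts.append({
                    "ts": ev["ts"], "rule": "unknown_privileged_account", "severity": "medium",
                    "subject": user,
                    "detail": f"{user} is not in the privileged account inventory",
                })
            # Rule 4: known privileged account logging on from an unexpected host.
            elif host not in baseline[user]:
                alerts.append({
                    "ts": ev["ts"], "rule": "unusual_privileged_host", "severity": "medium",
                    "subject": user,
                    "detail": f"{user} logged on to {host}; baseline hosts: {sorted(baseline[user])}",
                })
    return alerts


def summarize(alerts):
    """Count alerts per rule, the figure a CyberSOC dashboard would show."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for alert in found:
        print(f'{alert["ts"]} [{alert["severity"]}] {alert["rule"]}: {alert["detail"]}')
    print(summarize(found))
```

Run as a script, the example reports three alerts: the addition of `svc-backup` to Domain Admins, `adm-jsmith` logging on to a finance workstation outside its baseline, and the high-severity correlated finding that `svc-backup` used privilege minutes after being elevated. The baseline dictionary is the piece that maps directly to the Level 3 criterion of maintaining a risk-ranked list of privileged accounts; without it the discovery rule has nothing to compare against.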
We recommend a prioritized roadmap with targeted milestones to help you achieve your desired state.