A Practical Application of CMM to Medical Security Capability

Document Type

Journal Article

Faculty of Computing, Health and Science

School of Computer and Information Science / Centre for Security Research




Williams, P. (2008). A practical application of CMM to medical security capability. Information Management & Computer Security (ISSN 0968-5227), 16(1), pp. 58-73.


Purpose – The manner in which information is used and communicated in the medical environment has been revolutionized by the introduction of electronic storage, manipulation and communication of information. This change has brought with it many challenges in information security. This research seeks to propose a practical application, the capability maturity model (CMM), to meet the needs of medical information security practice.

Design/methodology/approach – This paper builds on previous work by the author using the Tactical Information Governance for Security model developed for the medical setting. An essential element of this model is the ability to assess the current capability of a practice to meet the needs of security and to identify how improvements can be made. Existing CMM models are reviewed to inform the construction of an operational framework for capability assessment.

Findings – An operational capability framework for assessing security capability in medical practice, based on CMM principles, is presented. An example of the use of this framework is modelled using backup to provide proof of concept.

Practical implications – In an environment that relies on doctors and non-technical staff to implement security, an operational framework to improve practice through capability evaluation is needed. The framework presents activities in simple, non-technical terms and separates these activities into discrete sections, resulting in improvements that can be easily managed and implemented.

Originality/value – The operational framework developed demonstrates how practical security practice improvement can be achieved in a medical environment, whilst meeting strategic objectives, best practice and external validation. This paper develops this process through exploration and application of existing CMMs.