{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,15]],"date-time":"2025-10-15T17:17:57Z","timestamp":1760548677418,"version":"3.41.2"},"reference-count":36,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2008,3,21]],"date-time":"2008-03-21T00:00:00Z","timestamp":1206057600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2008,3,21]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>The manner in which information is used and communicated in the medical environment has been revolutionized by the introduction of electronic storage, manipulation and communication of information. This change has brought with it many challenges in information security. This research seeks to propose a practical application, the capability maturity model (CMM), to meet the needs of medical information security practice.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>This paper builds on previous work by the author using the Tactical Information Governance for Security model developed for the medical setting. An essential element of this model is the ability to assess current capability of a practice to meet the needs of security and to identify how improvements can be made. Existing CMM models are reviewed to inform construction of an operational framework for capability assessment.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>An operational capability framework for assessing security capability in medical practice, based on CMM principles, is presented. An example of the use of this framework is modelled using backup to provide proof of concept.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Practical implications<\/jats:title><jats:p>In an environment that is reliant on doctors and non\u2010technical staff to implement security, an operational framework to improve practice though capability evaluation is needed. The framework presents activities in simple, non\u2010technical terms and separates these activities into discrete sections resulting in improvement that can be easily managed and implemented.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>The operational framework developed demonstrates how practical security practice improvement can be achieved in a medical environment, whilst meeting strategic objectives, best practice and external validation. This paper develops this process through exploration and application of existing CMMs.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685220810862751","type":"journal-article","created":{"date-parts":[[2008,4,5]],"date-time":"2008-04-05T07:10:21Z","timestamp":1207379421000},"page":"58-73","source":"Crossref","is-referenced-by-count":21,"title":["A practical application of CMM to medical security capability"],"prefix":"10.1108","volume":"16","author":[{"given":"Patricia","family":"Williams","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2022031719514835300_b1","doi-asserted-by":"crossref","unstructured":"Beecham, S., Hall, T. and Rainer, A. (2005), \u201cDefining a requirements process improvement model\u201d, Software Quality Journal, Vol. 13 No. 3, pp. 247\u201080.","DOI":"10.1007\/s11219-005-1752-9"},{"key":"key2022031719514835300_b2","doi-asserted-by":"crossref","unstructured":"Boulet, M\u2010M., Dupuis, C. and Belkhiter, N. (2001), \u201cSelecting continuous training program and activities for computer professionals\u201d, Computers and Education, Vol. 36 No. 1, pp. 83\u201094.","DOI":"10.1016\/S0360-1315(00)00057-9"},{"key":"key2022031719514835300_b3","unstructured":"BSI Technische Leitlinie (2004), \u201cRisk analysis based on IT baseline protection model\u201d, available at: www.bsi.bund.de\/english\/gshb\/riskanalysis\/risiko_en.pdf."},{"key":"key2022031719514835300_b4","unstructured":"Carnegie Mellon University (2003), \u201cSystems security engineering capability maturity model (SSE\u2010CMM): Model Description Document Version 3.0\u201d, available at: www.sse\u2010cmm.org\/docs\/ssecmmv3final.pdf."},{"key":"key2022031719514835300_b5","unstructured":"Center for Software Engineering (2002), COCOMO, available at: sunset.usc.edu\/research\/COCOMOII\/."},{"key":"key2022031719514835300_b6","unstructured":"CERT (2003), OCTAVE, available at: www.cert.org\/octave\/."},{"key":"key2022031719514835300_b7","unstructured":"Ciampa, M. (2007), Security Awareness: Applying Practical Security in your World, 2nd ed., Thompson Course Technology, Boston, MA."},{"key":"key2022031719514835300_b8","doi-asserted-by":"crossref","unstructured":"Curtis, B., Hefley, W.E. and Miller, S.A. (2001), \u201cPeople capability maturity model (P\u2010CMM)\u201d, available at: www.sei.cmu.edu\/pub\/documents\/01.reports\/pdf\/01mm001.pdf.","DOI":"10.21236\/ADA388676"},{"key":"key2022031719514835300_b9","unstructured":"Dictionary.com (2007), available at: dictionary.reference.com\/."},{"key":"key2022031719514835300_b10","doi-asserted-by":"crossref","unstructured":"Furnell, S.M., Jusoh, A. and Katsabas, D. (2006), \u201cThe challenges of understanding and using security: a survey of end\u2010users\u201d, Computers and Security, Vol. 25 No. 1, pp. 27\u201035.","DOI":"10.1016\/j.cose.2005.12.004"},{"key":"key2022031719514835300_b11","doi-asserted-by":"crossref","unstructured":"Galin, D. and Avrahami, M. (2006), \u201cAre CMM program investments beneficial? Analyzing past studies\u201d, IEEE Software, Vol. 23 No. 6, pp. 81\u20107.","DOI":"10.1109\/MS.2006.149"},{"key":"key2022031719514835300_b12","doi-asserted-by":"crossref","unstructured":"Hefner, R. (1997), \u201cLessons learned with the systems security engineering capability maturity model\u201d, Proceedings of the 19th International Conference on Software Engineering, Boston, MA, USA.","DOI":"10.1145\/253228.253454"},{"key":"key2022031719514835300_b13","unstructured":"Heiser, J.G. (2004), \u201cThe regulation of information security\u201d, Intermedia, Vol. 32 No. 2, p. 29."},{"key":"key2022031719514835300_b14","doi-asserted-by":"crossref","unstructured":"Herbsleb, J., Zubrow, D., Goldenson, D., Hayes, W. and Paulk, M.C. (1997), \u201cSoftware quality and the capability maturity model\u201d, Communications of the ACM, Vol. 40 No. 6, pp. 30\u201040.","DOI":"10.1145\/255656.255692"},{"key":"key2022031719514835300_b15","unstructured":"Hopkinson, J.P. (1996), \u201cSystem security engineering capability maturity model organization profiles\u201d, available at: www.sse\u2010cmm.org\/docs\/sse\u2010cmm.pdf."},{"key":"key2022031719514835300_b16","unstructured":"Hopkinson, J.P. (2001), \u201cThe relationship between the SSE\u2010CMM and IT security guidance documentation\u201d, The SSE\u2010CMM and IT Security Guidance Documentation, available at: www.issea.org\/docs\/sse\u2010guides_2001.pdf."},{"key":"key2022031719514835300_b17","doi-asserted-by":"crossref","unstructured":"Huang, S\u2010J. and Han, W\u2010M. (2006), \u201cSelection priority of process areas based on CMMI continuous representation\u201d, International Journal of Information Management, Vol. 43 No. 3, pp. 297\u2010307.","DOI":"10.1016\/j.im.2005.08.003"},{"key":"key2022031719514835300_b18","unstructured":"InfoEdge (2007), \u201cStrategic IT planning and governance: 4.2 IT governance maturity model\u201d, available at: www.infoedge.com\/in\/IN\u20106002SITGMM.pdf."},{"key":"key2022031719514835300_b19","doi-asserted-by":"crossref","unstructured":"ISACA (2006), Information security governance, available at: www.isaca.org\/Content\/NavigationMenu\/Security\/CISM_Certification\/Exam_Information1\/Content_Areas1\/Information_Security_Governance.htm.","DOI":"10.1201\/9781420013252.ch1"},{"key":"key2022031719514835300_b20","unstructured":"ISACA (2007), COBIT, available at: www.isaca.org\/template.cfm?Section\u2009=\u2009COBIT6."},{"key":"key2022031719514835300_b21","unstructured":"ISO (2005), \u201cISO\/IEC 17799:2005 information technology \u2013 security techniques \u2013 code of practice for information security management\u201d, available at: www.iso.ch\/iso\/en\/prods\u2010services\/popstds\/informationsecurity.html."},{"key":"key2022031719514835300_b22","doi-asserted-by":"crossref","unstructured":"Jiang, J.J., Klein, G., Hwang, H\u2010G., Huang, J. and Hung, S\u2010Y. (2004), \u201cAn exploration of the relationship between software development process maturity and project performance\u201d, Information & Management, Vol. 41 No. 3, pp. 279\u201088.","DOI":"10.1016\/S0378-7206(03)00052-1"},{"key":"key2022031719514835300_b23","doi-asserted-by":"crossref","unstructured":"Jokela, T. (2004), \u201cEvaluating the user\u2010centredness of development organisations: conclusions and implications from empirical usability capability maturity assessments\u201d, Interacting with Computers, Vol. 16 No. 6, pp. 1095\u2010132.","DOI":"10.1016\/j.intcom.2004.07.006"},{"key":"key2022031719514835300_b24","unstructured":"Krutz, R.L. and Vines, R.D. (2001), The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, WileyNew York, NY."},{"key":"key2022031719514835300_b25","doi-asserted-by":"crossref","unstructured":"Neame, R. and Kluge, E\u2010H. (1999), \u201cComputerisation and health care: some worries behind the promises\u201d, British Medical Journal, Vol. 319 No. 7220, p. 1295.","DOI":"10.1136\/bmj.319.7220.1295"},{"key":"key2022031719514835300_b26","doi-asserted-by":"crossref","unstructured":"Niazi, M., Wilson, D. and Zowghi, D. (2005), \u201cA maturity model for the implementation of software process improvement: an empirical study\u201d, The Journal of Systems and Software, Vol. 74 No. 2, p. 155.","DOI":"10.1016\/j.jss.2003.10.017"},{"key":"key2022031719514835300_b27","unstructured":"Paulk, M.C. (2004), \u201cSurviving the quagmire of process models, integrated models, and standards\u201d, Annual Quality Congress Proceedings, Vol. 58, pp. 429\u201038."},{"key":"key2022031719514835300_b28","unstructured":"RACGP (2005a), RACGP standards for general practice, available at: www.racgp.org.au\/standards."},{"key":"key2022031719514835300_b29","unstructured":"RACGP (2005b), \u201cRACGP standards for general practice: criterion 4.2.2 \u2013 information security\u201d, available at: www.racgp.org.au\/Content\/NavigationMenu\/PracticeSupport\/StandardsforGeneralPractices\/Criterion4.2.2_Information_security.pdf."},{"key":"key2022031719514835300_b30","doi-asserted-by":"crossref","unstructured":"Saleh, Y. and Alshawi, M. (2005), \u201cAn alternative model for measuring the success of IS projects: the GPIS model\u201d, Journal of Enterprise Information Management, Vol. 18 No. 1, pp. 47\u201063.","DOI":"10.1108\/17410390510571484"},{"key":"key2022031719514835300_b31","doi-asserted-by":"crossref","unstructured":"Sargut, K.U. and Demir\u00f6rs, O. (2006), \u201cUtilization of statistical process control (SPC) in emergent software organizations: pitfalls and suggestions\u201d, Software Quality Journal, Vol. 14 No. 2, pp. 135\u201057.","DOI":"10.1007\/s11219-006-7599-x"},{"key":"key2022031719514835300_b32","unstructured":"Schattner, P. (2005), The GPCG Computer Security Self\u2010assessment Guideline and Checklist for General Practitioners, Department of General Practice, Monash University, East Bentleigh."},{"key":"key2022031719514835300_b33","unstructured":"Software Engineering Institute (2006), What is CMMI?, available at: www.sei.cmu.edu\/cmmi\/general\/general.html."},{"key":"key2022031719514835300_b34","unstructured":"University of Massachusetts Dartmouth (n.d.), \u201cSEI capability maturity model\u201d, available at: www2.umassd.edu\/swpi\/processframework\/cmm\/cmm.html."},{"key":"key2022031719514835300_b35","doi-asserted-by":"crossref","unstructured":"Williams, P.A.H. (2007a), \u201cInformation governance: a model for security in medical practice\u201d, Journal of Digital Forensics, Security and Law, Vol. 2 No. 1.","DOI":"10.15394\/jdfsl.2007.1017"},{"key":"key2022031719514835300_b36","doi-asserted-by":"crossref","unstructured":"Williams, P.A.H. (2007b), \u201cWhen trust defies common security sense\u201d, Health Informatics Journal, June.","DOI":"10.1177\/1081180X08092831"}],"container-title":["Information Management &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685220810862751","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220810862751\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220810862751\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:04Z","timestamp":1753402144000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/16\/1\/58-73\/179049"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2008,3,21]]},"references-count":36,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2008,3,21]]}},"alternative-id":["10.1108\/09685220810862751"],"URL":"https:\/\/doi.org\/10.1108\/09685220810862751","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2008,3,21]]}}}