Maturity Levels¶
Maturity levels represent the completeness percentage of the cartography. It is an indicator of the remaining effort required to achieve a complete mapping, in accordance with the recommendations of the ANSSI Information System Mapping Guide.
This maturity is divided into three levels:
- Level 1 minimum granularity, which contains the information essential to the cartography;
- Level 2 intermediate granularity, which contains the information important to the cartography;
- Level 3 fine granularity, which contains the information useful for managing the security of the information system.
Meaning of Fields Marked with a Hash (#)¶
Some field labels are followed by an # symbol in orange. These markers indicate that the field contributes to the calculation of the cartography maturity level, according to the relevant level:
| Marker | Meaning |
|---|---|
# |
Field contributing to maturity level 1 — minimum granularity |
## |
Field contributing to maturity level 2 — intermediate granularity |
### |
Field contributing to maturity level 3 — fine granularity |
Calculating the Maturity Level¶
An element is considered compliant when all fields marked # corresponding to the target level are
filled in and the expected links with other cartography elements have been established.
An element is considered non-compliant when:
- a field marked
#is empty or not filled in (e.g., missing description or owner), - an expected link to another element is missing (e.g., an application not supporting any business process, a server not associated with any application).
The maturity level is calculated using the following formula:
Maturity level (%) = (Number of compliant elements / Total number of elements)
Visual Identification of Non-Compliant Elements¶
In lists, non-compliant entries are highlighted in yellow, indicating that at least one field marked #
has not been filled in. This allows quick identification of elements requiring particular attention in order
to progress toward a complete cartography.
Compliance fields¶
The calculation of conformity levels for each mapping object is based on the presence of the following elements:
| Object | Level | Required elements |
|---|---|---|
| Ecosystem | ||
| Entities | 1 | Description, security level, point of contact, at least one process |
| Relationships | 1 | Description, type |
| Relationships | 2 | Importance |
| Business | ||
| Macro-processes | 2 | Description, io_elements, security levels |
| Macro-processes | 3 | Responsible |
| Process | 1 | Description, input-output, responsible |
| Process | 2 | Macro-processes, security requirements |
| Activities | 2 | Description |
| Operations | 1 | Description |
| Operations | 2 | Actors |
| Operations | 3 | Tasks |
| Tasks | 3 | Description |
| Actor | 2 | Contact, nature, type |
| Information | 1 | Description, owner, administrator, storage |
| Information | 2 | Security Requirements, Sensitivity |
| Information system | ||
| Application block | 2 | Description, responsible, applications |
| Applications | 1 | Description, technology, type, users, process |
| Applications | 2 | Responsible, responsible entity, security levels |
| Application Services | 2 | Description, applications |
| Application Modules | 2 | Description |
| Database | 1 | Description, type, responsible entity, responsible person |
| Database | 2 | Security requirements |
| Flows | 1 | Description, source, destination |
| Administration | ||
| Zones | 1 | Description |
| Directories | 1 | Description, solution, administration area |
| Forest | 1 | Description, administration area |
| Domains | 1 | Description, domain controller, number of users, number of machines, inter-domain relationship |
| Logical | ||
| Networks | 1 | Description, manager, security manager, security requirements |
| Subnets | 1 | Description, address, default gateway, IP allocation type, DMZ, WiFi, VLAN |
| Gateways | 1 | Description, authentication, IP range |
| Connected external devices | 2 | Type, contacts |
| Switches | 1 | Description |
| Routers | 1 | Description |
| Security devices | 1 | Description |
| Clusters | 1 | Description, type |
| Logical servers | 1 | Description, OS, environment, IP address, applications, physical servers or clusters |
| VLans | 1 | Description |
| Certificates | 2 | Description, Type, validity start date, validity end date, applications or logical server |
| Physical infrastructure | ||
| Sites | 1 | Description |
| Buildings | 1 | Description |
| Bays | 1 | Description |
| Physical servers | 1 | Description, configuration, site, building, responsible |
| Workstations | 1 | Description, site, building |
| Telephones | 1 | Description, site, building |
| Storage | 1 | Description, site, building |
| Peripherals | 1 | Description, site, building, responsible |
| Physical switches | 1 | Description, type, site, building |
| Physical routers | 1 | Description, type, site, building |
| WiFi terminals | 1 | Description, type, site, building |
| Physical security devices | 1 | Description, type, site, building |
| LANs | 1 | Description |
Security needs¶
Information security needs are expressed in terms of confidentiality, integrity, availability and traceability with the following scale:
Security Classification (CIDT)¶
| Classification | Type | Description |
|---|---|---|
| Confidentiality | C | Protects information from unauthorized access or disclosure. The goal is to ensure that only authorized individuals can view the data. Examples: passwords, personal data, sensitive documents. |
| Integrity | I | Ensures that information is accurate, complete, and unaltered. The goal is to prevent unauthorized or accidental modification of data. Examples: preventing data corruption, blocking unauthorized changes. |
| Availability | D | Ensures that information and services are accessible whenever needed. If a system is unavailable, it becomes unusable. Examples: outages, DDoS attacks, unplanned maintenance. |
| Traceability | T | Ensures the ability to track who did what, when, and how. Relies on logging, auditing, and user identification. Examples: access logs, action history, security audits. |
Security levels¶
| Level | Description | Color |
|---|---|---|
| 0 | Insignificant | White |
| 1 | Low | Green |
| 2 | Medium | Yellow |
| 3 | Strong | Orange |
| 4 | Very strong | Red |