SecuQUEST is based on ISO/IEC 15504, better known as SPICE (Software Process Improvement and Capability Determination). That standard is an international standard for conducting assessments of company processes.
The standard is put into practice by means of the QUEST method, which was developed at the University of Graz. The philosophy behind SecuQUEST rests on two ideas: self-assessment on the one hand, and the realization of a continuous improvement process on the other.
In a self-assessment it is not an external consultant who evaluates the company but its own employees. With the help of the electronic SecuQUEST questionnaire and the discussion it triggers, the weaknesses in the company's security architecture are revealed.
The SecuQUEST method therefore aims to extract as much useful information as possible while avoiding confusing questions: complicated questioning is replaced by short questions, each with several attributes.
Through the continuous improvement process SecuQUEST ensures that compiling the security architecture is not a one-off event. Rather, the security architecture must be kept up to date and re-evaluated at regular intervals. In this way the security architecture stays at a consistently high quality.
The assessment itself is carried out in small groups of up to six people. Ideally the team members come from different levels of the company (management, engineers, secretarial staff, cleaning staff, etc.). Drawing on several different sources of information ensures the objectivity of the answers, and it is also the best way to bring out the employees' latent knowledge of security topics.