The Web3 Security Maturity Model, developed by Filecoin Foundation’s security team, is a comprehensive framework designed for decentralized technology organizations and projects. It allows anyone to perform a structured self-assessment with the goal of helping Web3 contributors better evaluate and enhance their security posture across all aspects of development and operations.
Tailored Security Maturity
How to Leverage the Model
The Web3 Security Maturity Model is broken up into 9 core functions. Each core function is divided into functional areas that are broken into two streams with control criteria.
This maturity framework does not require all organizations to achieve the maximum maturity level in every category. Instead, it allows organizations to define and measure their security activities in a way that is tailored to their specific needs, and it encourages organizations, projects, and users to adapt the framework based on their unique environment, goals, and existing security maturity.
1
Level 1: Initial and Ad-hoc
Represents an initial awareness and a basic understanding of the concept being evaluated (e.g., security culture). There is minimal formalization and process/documentation may not exist.
2
Level 2: Defined and Repeatable
Indicates that structured programs are in place, aimed at promoting, reinforcing, and sustaining the practices necessary to support the area being evaluated. There is an emphasis on proactive capabilities in security.
3
Level 3: Optimized and Measurable
Reflects a focus on continuous improvement. Practitioners use metrics and feedback loops to refine their security processes and practices constantly. Capabilities are driven by data and metrics to make informed security decisions, and there is a focus on optimizing security efforts based on evolving threats and lessons learned.
A team or individual is available to drive the security program
Level 1: Is there an initial awareness and understanding of security culture within the organization?
Level 2: Are structured programs in place for promoting and reinforcing a strong security culture?
Level 3: Is there a pervasive, deeply ingrained security culture, actively supported and enhanced by all team members?
1.2 Vision Communication
A formal reference for security vision or mission statement exists for the organization/project
Organizational or project goals are clearly defined
Stakeholders for security decisions are defined
Level 1: Is the security vision clearly defined and communicated within the organization?
Level 2: Is the security vision integrated into broader organizational goals and regularly reinforced through communication?
Level 3: Is there ongoing, dynamic communication about the security vision, including feedback loops with various stakeholders?
2. Organizational Structure for Web3 Security
2.1 Structure Adaptation
The organizational structure considers the challenges of distributed teams such as timezones, equipment, events, and physical access to technology
Staff and personnel are clearly delineated from contributors
Input from a greater ecosystem or community is considered in developing organizational structure
Partnerships and related organizations are clearly defined
Level 1: Is there a basic structure in place that supports Web3 security needs?
Level 2: Does the organizational structure adapt to evolving Web3 security challenges and integrate cross-functional teams?
Level 3: Is the structure highly adaptive, promoting agility and rapid response to Web3 security trends and threats?
2.2 Role and Responsibility Clarity
Clear documentation of security roles/responsibilities
Regular updates and communication about role changes and security updates
Established channels for udpates and feedback
Level 1: Are basic roles and responsibilities for security defined within the organization?
Level 2: Are roles and responsibilities for security clearly detailed, communicated, and understood across the organization?
Level 3: Is there a high level of role clarity, with ongoing refinement and alignment of responsibilities as the organization evolves?
3. Performance Metrics and Continuous Improvement
3.1 Metric Development and Tracking
Metrics are defined for tracking security and security activities
Systems exist to track security metrics and objectives
There is a regular review of collected data
Level 1: Are basic performance metrics for security established and tracked?
Level 2: Are these metrics regularly reviewed and used to guide decision-making?
Level 3: Are there advanced, comprehensive metrics in place, covering diverse aspects of security, and regularly used for strategic planning?
3.2 Improvement Initiatives
A roadmap for security exists alongside the security strategy
The roadmap is objectively measurable
Stakeholders have approved or agreed to the roadmap for security
Level 1: Are there initial efforts to identify and implement security improvement initiatives?
Level 2: Is there a structured process for regularly initiating, tracking, and reviewing improvement projects?
Level 3: Is there an established culture of continuous improvement, with initiatives systematically integrated and aligned with organizational learning?
You’ve adopted a set of standards that are aligned with organizational or project goals
Level 1: Are there initial policies established to govern decentralization aspects of the project?
Level 2: Are these policies regularly reviewed and enforced with clear mechanisms and accountability?
Level 3: Is there a comprehensive, dynamic approach to policy creation and enforcement, regularly updated to reflect evolving decentralization challenges?
1.2 Community Involvement
You have initiated relationships or communication with the greater ecosystem or community
Level 1: Is there basic involvement of the community in the governance process?
Level 2: Is community feedback systematically integrated into governance decisions and policy developments?
Level 3: Is there a robust, continuous engagement with the community, driving governance policies with active participation and co-creation?
2. Compliance and Legal Frameworks
2.1 Regulatory Alignment
You have established a list of regulatory considerations for your project or organization
Level 1: Are there efforts to understand and align with basic regulatory requirements?
Level 2: Is there a structured process for ensuring ongoing compliance with a wider range of regulatory frameworks?
Level 3: Is there a proactive approach to regulatory alignment, including anticipation of future regulations and active involvement in regulatory discussions?
2.2 Legal Risk Assessment
You have engaged legal counsel to determine legal responsibilities and risks
Level 1: Is there a basic assessment of legal risks associated with the project's operations?
Level 2: Are legal risks systematically identified, assessed, and integrated into broader risk management processes?
Level 3: Is there an advanced, proactive approach to legal risk assessment, including regular updates and adaptations to legal strategies based on emerging trends?
3. Policy Maturity Assessment
3.1 Policy Review Process
You have a set of policies available fro review
You have reviewed these processes at some point after their creation
Level 1: Is there a basic process in place for the review of existing policies?
Level 2: Are policy reviews conducted regularly with documented processes and stakeholder involvement?
Level 3: Is there a sophisticated, iterative process for policy review, incorporating diverse inputs and continuous learning?
3.2 Adaptation to Emerging Threats
You are aware of emerging threats for your ecosystem or project
You have addressed one of these threats with your teams or ecosystem
Level 1: Are policies occasionally updated to address new or emerging threats?
Level 2: Is there a structured approach to regularly adapt policies in response to evolving security landscapes?
Level 3: Is there a proactive, anticipatory strategy in place for adapting policies, ensuring agility and responsiveness to future threats and challenges?
You’ve identified security risks within the organization
You are actively considering risk in business decisions
Level 1: Are basic methods in place for identifying risks, with an initial risk register established?
Level 2: Is the risk register regularly updated with identified risks using systematic methods and tools?
Level 3: Is there a comprehensive, proactive approach for risk identification, with an advanced, constantly updated risk register incorporating community and stakeholder feedback?
1.2 Risk Prioritization
You’ve measured your risks and are tracking them in a central location
You have a risk register and method of classification of risks
Level 1: Are risks prioritized in the risk register based on basic criteria such as likelihood and impact?
Level 2: Is there a formal, documented process for risk ranking in the risk register, involving consensus building among stakeholders?
Level 3: Are risk prioritization processes in the register regularly reviewed and refined, incorporating changing risk landscapes and stakeholder insights?
2. Risk Mitigation and Management
2.1 Mitigation Strategies
You’ve mitigated risks discovered in a risk register
You tested for complete mitigation of the risk
You have a plan for addressing identified risks
Level 1: Are basic mitigation strategies identified for risks in the risk register and implemented?
Level 2: Are mitigation strategies in the register regularly tested for effectiveness, with clear accountability assigned?
Level 3: Is there a comprehensive mechanism for continuous improvement of mitigation strategies in the risk register, integrating feedback loops and best practices?
2.2 Continuous Risk Monitoring
You are monitoring risks identified in a risk register and have checked in on their status at least once
Level 1: Are there initial systems for ongoing monitoring of risks in the risk register?
Level 2: Is there an advanced, structured approach for continuous monitoring of risks in the register with clear reporting protocols?
Level 3: Are comprehensive tools and technologies employed for real-time monitoring of the risk register, with sophisticated processes for risk reporting and effectiveness evaluations?
You have a method of tracking users or identities within your org or project by alias or identity
You have a method of integrating authentication mechanisms into your technical and business or project workflows
Level 1: Is there a basic system for user authentication, possibly using common credentials or simple key-based access for participants?
Level 2: Are there more advanced, multi-factor authentication systems in place, catering to the decentralized and pseudonymous nature of users, while ensuring secure access control?
Level 3: Is there a sophisticated, dynamic authentication and authorization system that adapts to user roles and contexts, integrating decentralized identity solutions where applicable?
1.2 Privilege Management
You have identified roles for each person in the project or org
There is some separation of roles / permissions for identities
Level 1: Are basic privileges assigned based on user roles, even if these roles are not tied to real-world identities?
Level 2: Is there an advanced system for managing privileges that reflects the dynamic and distributed nature of the team, with periodic reviews?
Level 3: Are privilege management processes highly evolved, with automated role-based access control and continuous monitoring for anomalous access patterns?
2. Identity Verification and Management
2.1 Identity Proofing and Verification
You can verify authenticity of identities within your workflows
Level 1: Is there a basic form of identity proofing, possibly relying on community reputation or existing trust networks?
Level 2: Are there more structured identity verification processes that balance the need for some form of reliable identification with the respect for pseudonymity?
Level 3: Is there a comprehensive identity verification system that effectively manages risk while accommodating the decentralized, pseudonymous nature of the community?
2.2 Identity Lifecycle Management
There is a method for provisioning and deprovisioning identities or accounts
Level 1: Is there an initial process for managing the lifecycle of identities (creation, maintenance, deletion) in a decentralized environment?
Level 2: Are there advanced processes in place for systematically managing the identity lifecycle, including periodic verification and adjustment of access rights?
Level 3: Is the identity lifecycle management process fully integrated, featuring continuous updating and refinement, and leveraging decentralized technologies where appropriate?
There is some mechanism of tracking at least one of these business assets
Level 1: Is there a basic process in place to catalog digital assets, identifying key assets within the organization?
Level 2: Are cataloging processes more refined, with comprehensive documentation of digital assets, including those in decentralized environments?
Level 3: Is there an advanced, automated system for asset cataloging, continuously updated and integrated with other asset management systems?
1.2 Asset Classification
Assets can be divided by intent, responsibility, and purpose
Level 1: Are digital assets classified into basic categories based on their type or purpose?
Level 2: Is there a more detailed classification system, considering factors like criticality, sensitivity, and regulatory requirements?
Level 3: Is asset classification highly sophisticated, with dynamic categorization that adapts to changes in the asset's use or environment?
2. Asset Lifecycle Management
2.1 Lifecycle Process Definition
There is a method for provisioning and deprovisioning assets
There is an asset inventory
Level 1: Is there a basic definition of the lifecycle stages for digital assets?
Level 2: Are lifecycle processes more developed, with clear guidelines and procedures for each stage of the asset's lifecycle?
Level 3: Is there a comprehensive and dynamic management of the asset lifecycle, with automated processes and continuous refinement based on asset performance and feedback?
2.2 Lifecycle Compliance Monitoring
There are compliance, regulatory, or framework requirements for monitoring
There is a method for tracking these requirements
Level 1: Is there a basic monitoring system in place to ensure compliance with defined lifecycle processes?
Level 2: Are monitoring processes more advanced, with regular reviews and audits to ensure lifecycle compliance?
Level 3: Is lifecycle compliance monitoring highly integrated with other asset management systems, featuring real-time monitoring and proactive compliance enforcement?
There is an understanding of privacy laws required by the organization or project
There is a need to adhere to specific privacy laws within a region or customer base
Level 1: Is there basic awareness and compliance with major privacy laws relevant to the organization's operations?
Level 2: Are compliance processes more comprehensive, covering a wider range of laws and regulations, and regularly reviewed?
Level 3: Is there an advanced, proactive system for privacy compliance, including regular audits and updates to address new regulations and global standards?
1.2 Data Minimization and Retention
There is a need to handle or control data in a structured way
There is a capability to apply retention policies against data
Data can be separated by classification
Level 1: Are there initial policies in place focusing on data minimization and defining basic data retention periods?
Level 2: Are data minimization and retention policies more detailed, adhering to best practices and specific regulatory requirements?
Level 3: Is there a sophisticated approach to data minimization and retention, with ongoing evaluation and adaptation of policies based on data lifecycle and privacy impact assessments?
2. Data Security and Encryption
2.1 Implementation of Encryption
There is a method for encrypting data
There is a basic understanding of cryptographic functions and algorithms
Level 1: Is basic encryption used for sensitive data, particularly data at rest and in transit?
Level 2: Are encryption practices more refined, employing stronger and more diverse encryption standards tailored to different types of data and transmission?
Level 3: Is the implementation of encryption advanced, using state-of-the-art encryption technologies and regularly updated to counteract emerging threats and vulnerabilities?
2.2 Access Control to Sensitive Data
There is a method for applying access control to sensitive data
There is an understanding of roles and responsibilities for data within the organization or project
Level 1: Are there basic access controls in place to limit access to sensitive data?
Level 2: Are access control mechanisms more sophisticated, including role-based access controls and periodic access reviews?
Level 3: Is there a comprehensive, dynamic access control system, utilizing advanced techniques like context-aware and conditional access policies, continuously monitored and refined?
Security is considered formally for the contracts being developed for the application
Security is considered for DApp front ends if they exist
Some element of security function is applied to DApps
Level 1: Are there initial best practices identified and implemented for the security of Decentralized Applications (DApps)?
Level 2: Are these best practices more comprehensive, regularly updated, and aligned with emerging security trends in the decentralized space?
Level 3: Is there an advanced set of best practices, widely recognized and adhered to, with proactive measures to anticipate and address future security challenges in DApp development?
1.2 Smart Contract Security
Contracts are reviewed for security in some way
Audits have been conducted or are planned for the contracts associated with the project or team
There is internal knowledge of smart contract security and best practices
Level 1: Is basic security in place for smart contracts, such as using known patterns and simple audits?
Level 2: Are smart contract security measures more rigorous, including thorough audits, formal verification, and vulnerability scanning?
Level 3: Is there a sophisticated, continuous security process for smart contracts, employing cutting-edge tools and practices, and integrating community feedback for ongoing improvement?
2. Third-party Code Review
2.1 Review Procedures
Code reviews are conducted for third party components
There is an inventory of third party components available
Level 1: Are there basic procedures in place for the review of third-party code, focusing on major known vulnerabilities?
Level 2: Are review procedures more comprehensive, regularly updated, and include systematic checks for a broader range of security issues?
Level 3: Is there a highly advanced code review process, integrating automated tools, continuous integration checks, and peer review systems?
2.2 Community-Based Reviews
There is engagement with the community to peer review third party code
There are published issues or vulnerabilities for the third party
Level 1: Is there an initial engagement with the community for code review on an ad-hoc basis?
Level 2: Are community-based reviews more structured and regularly solicited, with clear guidelines and incentives for community participation such as a bug bounty program?
Level 3: Is there an established, robust community review ecosystem, with ongoing interaction, collaboration, and recognition systems to encourage active community involvement?
3. Security in Project Stewardship
3.1 Advisory Standards
Standards exist for extended ecosystem of the project
There have been submissions from the project or organization to the greater ecosystem
There is some engagement with the greater community
Level 1: Are basic advisory standards in place for guiding projects on security matters?
Level 2: Are these standards more detailed, tailored to various types of projects, and regularly reviewed for relevance and effectiveness?
Level 3: Are advisory practices highly advanced, regarded as industry standards, and include a proactive approach to advising on emerging security threats and technologies?
3.2 Feedback and Improvement Loop
The project or organization is accepting of feedback from external stakeholders
Feedback has been or is planned for incorporation into the product
Level 1: Is there a basic process for receiving and incorporating feedback into security advisory practices?
Level 2: Is feedback systematically solicited and analyzed, with structured mechanisms for integrating insights into continuous improvement of advisory services?
Level 3: Is there a mature, dynamic feedback and improvement system, deeply integrated into the stewardship approach, fostering ongoing adaptation and enhancement of security advisory services?
You have created some type of documentation around your development process
You have a development process that can be described as structured
Level 1: Is there a basic level of security documentation developed, covering key security processes and policies?
Level 2: Are documentation practices more comprehensive and detailed, covering a wide range of security topics relevant to the organization?
Level 3: Is there a sophisticated, dynamic documentation system, regularly updated with the latest security information and best practices?
1.2 Accessibility and Clarity
Your documentation is available in an accessible location to your developers or stakeholders
Level 1: Is the security documentation easily accessible to relevant stakeholders, and written in a clear, understandable manner?
Level 2: Are there efforts to enhance the clarity and accessibility of documentation, including tailoring it to different audience groups?
Level 3: Is documentation highly accessible, user-friendly, and effectively communicated across diverse platforms, ensuring wide reach and comprehension?
2. Community Engagement and Outreach
2.1 Community Engagement Initiatives
You have engaged your community and/or constituents in order to solicit feedback around security matters
These engagements cover security as a topic
Level 1: Are there initial initiatives for engaging with the broader community on security matters?
Level 2: Are community engagement initiatives more structured and regular, covering various forums and platforms?
Level 3: Is there a robust, ongoing community engagement strategy, fostering strong relationships and active collaboration on security issues?
2.2 Public Security Awareness
You are publishing or showcasing security on a regular basis, at least annually for your community or internal teams
The community is aware of these publications and they are easily accessible
Level 1: Is there a basic effort to raise security awareness among the public or within the community?
Level 2: Are these efforts more targeted and extensive, using a variety of channels and methods to reach a broader audience?
Level 3: Is there a comprehensive approach to public security awareness, regularly updated and tailored to address emerging security challenges and trends?
3. Developer Security Education
3.1 Educational Resources and Training
You have created resources and/or programs for developers in your ecosystem including but not limited to whitepapers, blogs, training documents, videos, or other mediums for training
Level 1: Are there basic educational resources and training programs in place for developers on security topics?
Level 2: Is developer training more advanced, covering a wide range of security topics, with regular updates and refinements?
Level 3: Are there comprehensive, state-of-the-art educational programs and resources for developers, including hands-on training, workshops, and continuous learning opportunities?
3.2 Continuous Learning and Update
Training materials have been updated at least once
Level 1: Is there a process to periodically update training materials and resources?
Level 2: Are training and educational resources regularly reviewed and updated with the latest security knowledge and practices?
Level 3: Is there a sophisticated, adaptive learning ecosystem for developers, integrating the latest security advancements and feedback for continuous improvement?
You have classified an incident and responded to it
There is a basic definition or team for incident handling
You have documented a process for responding to incidents
Level 1: Are there basic incident handling procedures in place, addressing key steps to be taken during an incident?
Level 2: Are these procedures more comprehensive, detailed, and tailored to decentralized environments and the specific nature of incidents?
Level 3: Is there a sophisticated, well-documented incident handling process, regularly tested and updated, incorporating advanced tools and strategies suitable for decentralized contexts?
1.2 Cross-Team Coordination
Incident response plans or activities are not limited to one team or just the security tea
An incident response roster has been defined
Level 1: Is there a basic level of coordination among different teams during incident response, especially in a decentralized setting?
Level 2: Are coordination efforts more structured, with clear roles and communication channels established across distributed teams?
Level 3: Is there an advanced, seamless cross-team coordination mechanism, leveraging decentralized communication tools and real-time data sharing for effective incident response?
2. Incident Reporting and Transparency
2.1 Reporting Mechanisms
Incidents are tracked and reported in a unified location
Templates are defined for incident tracking
Level 1: Are there initial mechanisms in place for reporting incidents, both internally and externally where necessary?
Level 2: Are reporting mechanisms more comprehensive and systematic, ensuring timely and accurate incident reporting to all relevant stakeholders?
Level 3: Is there a sophisticated incident reporting system, providing real-time alerts and updates, with a high degree of transparency and accountability?
2.2 Community Communication
Communication channels for incidents are defined
There is a method for triggering an incident
A marketing team or person dedicated to external comms is part of the incident response team
Level 1: Is there a basic process for communicating incident-related information to the broader community?
Level 2: Are these communication efforts more structured and frequent, ensuring the community is well-informed and trust is maintained?
Level 3: Is there a proactive, continuous community communication strategy, incorporating feedback mechanisms and fostering open dialogue about incidents and responses?
3. Post-Incident Analysis
3.1 Analysis and Lessons Learned
A retrospective has been conducted for an incident
The retrospective was or is documented
Level 1: Is there a basic process for analyzing incidents post-resolution and extracting key lessons?
Level 2: Are post-incident analyses more detailed, leading to actionable insights and systematic improvements?
Level 3: Is there a comprehensive, iterative process for post-incident analysis, integrating advanced analytics, and consistently applying lessons learned for continuous improvement?
3.2 Feedback Integration
Information from the retrospective was positively included in the response process
Level 1: Is there a mechanism to capture feedback from incident responses and integrate it into future plans?
Level 2: Are feedback integration processes more structured, ensuring that all insights from incidents are systematically used to enhance response strategies?
Level 3: Is there a dynamic, ongoing feedback integration system, fostering a culture of learning and adaptability across the organization?
