This article presents a standard approach to increasing the security capability of a typical IT function. This five level model involves the development of a common set of security best practices, which are then deployed in a staged fashion to leverage an optimal security capability across the organization. At the lowest level the organization will have minimal assurance of security capability. At the highest level the organization can be trusted to produce products and provide services that are both dependable and secure. The article presents the practices and the maturity framework. It also discusses the practical mechanisms for implementing this model in a real world setting.