IVI Framework Viewer

Representative POMs are described for Controls at each level of maturity.

1Initial

• Practices

  • Define access to systems and data to meet specific purposes.
  • Define and implement controls to meet specific purposes.

  Outcomes

  • System and data access is inconsistent and/or inefficient.
  • Controls are often inappropriate, ineffective and/or inefficient.

  Metrics

  • A ratio of systems and data sources to which ANY access controls exists vs. those which no access control exists, e.g.: access is either defined by a generic role requirement or is undefined (i.e.: everyone, or large numbers have access for no apparent reason).
  • % of identified risks for which controls exist (risk may be the movement of data to an insecure device, e.g.: USB disk; a control prevents it from happening)

2Basic

• Practices

  • Define access to systems and data criteria based on data value and position in life cycle(s).
  • Define controls and control test methods and begin testing.

  Outcomes

  • Increasing confidence that data is being appropriately protected.
  • Confidence that appropriate and effective controls are being applied to some data.

  Metrics

  • A ratio of systems and data sources to which basic controls exists vs. those which specific control exists, e.g.: access is either defined by a generic role requirement or by a specific role requirement.
  • Generic roles are broad and may map across multiple business units.
  • More specific roles are required to grant access only to those roles which require it.
  • % of identified risks for which tested controls exist (control must be implemented and tested).

3Intermediate

• Practices

  • Develop a formal process for agreeing, implementing and reviewing access by job role to data.
  • Use a formal process to determine relevant controls based on master data management and strategic business objectives.

  Outcomes

  • Data access is defined, applied and managed efficiently and effectively.
  • Controls are relevant to the value of data and are effective.

  Metrics

  • A ratio of systems and data sources to which basic controls exists vs. those for which specific control exists, e.g.: access is defined by a specific role in all cases, but this metric measures the iterative review part of the cycle.
  • % of identified risks for which tested controls exist that are matched to data categories.

4Advanced

• Practices

  • Develop a formal, automated process for agreeing, implementing and reviewing access by job role to data.
  • Develop and apply relevant controls based on mature risk management activities.

  Outcomes

  • Consistent and effective access management.
  • Controls can be applied efficiently and consistently.
  • Increasing control and consistency is reducing process variance and improving data quality.

  Metrics

  • A ratio of systems and data sources to which basic-time-bound manual control exists vs. those with automated control/expiry of access.
  • % of identified risks for which tested controls exist that are developed by risk management process

5Optimized

• Practices

  • Determine and apply access controls across the business ecosystem that are efficient and effective.
  • Determine controls based on evolving strategic, risk and technical factors.
  • Automate the application of controls based on agreed risk tolerance factors.

  Outcomes

  • Consistent and effective access management across the business ecosystem.
  • Controls are effective and efficient across the business ecosystem.

  Metrics

  • A ratio of business units which have adopted specific-time-bound controls with automated expiry of access versus those without automated expiry.
  • % of identified risks for which tested, automated controls exist that are developed by evolving factors.