Controls
Establish a control framework for information management, which may include ways to monitor effectiveness and efficiency, manage change, and control access, as well as guidance on data and information use.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Controls at each level of maturity.
- 1 Initial
  - Practices
    - Define access to systems and data to meet specific purposes.
    - Define and implement controls to meet specific purposes.
  - Outcomes
    - System and data access is inconsistent and/or inefficient.
    - Controls are often inappropriate, ineffective and/or inefficient.
  - Metrics
    - Ratio of systems and data sources for which ANY access control exists vs. those for which no access control exists, e.g. access is either defined by a generic role requirement or is undefined (i.e. everyone, or large numbers of people, have access for no apparent reason).
    - % of identified risks for which controls exist (a risk may be the movement of data to an insecure device, e.g. a USB disk; a control prevents it from happening).
- 2 Basic
  - Practices
    - Define criteria for access to systems and data based on data value and position in the data life cycle(s).
    - Define controls and control test methods, and begin testing.
  - Outcomes
    - Increasing confidence that data is being appropriately protected.
    - Confidence that appropriate and effective controls are being applied to some data.
  - Metrics
    - Ratio of systems and data sources for which basic controls exist vs. those for which specific controls exist, e.g. access is defined either by a generic role requirement or by a specific role requirement.
      - Generic roles are broad and may map across multiple business units.
      - More specific roles are required to grant access only to those roles which require it.
    - % of identified risks for which tested controls exist (the control must be both implemented and tested).
- 3 Intermediate
  - Practices
    - Develop a formal process for agreeing, implementing and reviewing access to data by job role.
    - Use a formal process to determine relevant controls based on master data management and strategic business objectives.
  - Outcomes
    - Data access is defined, applied and managed efficiently and effectively.
    - Controls are relevant to the value of the data and are effective.
  - Metrics
    - Ratio of systems and data sources for which basic controls exist vs. those for which specific controls exist, e.g. access is defined by a specific role in all cases; at this level the metric measures the iterative review part of the cycle.
    - % of identified risks for which tested controls exist that are matched to data categories.
- 4 Advanced
  - Practices
    - Develop a formal, automated process for agreeing, implementing and reviewing access to data by job role.
    - Develop and apply relevant controls based on mature risk management activities.
  - Outcomes
    - Consistent and effective access management.
    - Controls can be applied efficiently and consistently.
    - Increasing control and consistency is reducing process variance and improving data quality.
  - Metrics
    - Ratio of systems and data sources for which only basic, time-bound manual controls exist vs. those with automated control and expiry of access.
    - % of identified risks for which tested controls exist that were developed through the risk management process.
- 5 Optimized
  - Practices
    - Determine and apply access controls across the business ecosystem that are efficient and effective.
    - Determine controls based on evolving strategic, risk and technical factors.
    - Automate the application of controls based on agreed risk tolerance factors.
  - Outcomes
    - Consistent and effective access management across the business ecosystem.
    - Controls are effective and efficient across the business ecosystem.
  - Metrics
    - Ratio of business units that have adopted specific, time-bound controls with automated expiry of access vs. those without automated expiry.
    - % of identified risks for which tested, automated controls exist that were developed in response to evolving factors.