Information Security
Provide oversight, processes, and tools to enable the security, availability, integrity, and accessibility of information throughout its life cycles.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Information Security at each level of maturity.
- 1. Initial
  - Practice
    - Apply data and information security on a case-by-case basis.
  - Outcome
    - Application of security appropriate to the data and information is limited or ad hoc.
  - Metric
    - % PCs without anti-virus protection.
- 2. Basic
  - Practices
    - Document data and information security approaches and policies.
    - Separate administrative and user access rights, and manage them through separate people and/or software layers.
    - Develop and use access controls for sensitive systems such as payroll and benefits, and for other systems that warrant inclusion based on their business context.
  - Outcomes
    - Appropriate levels of security can be applied to some data and information.
    - Access and identity management exists for sensitive systems.
  - Metrics
    - # Systems with access controls.
    - # People provided security training.
    - % Systems with virus and firewall protection.
    - % Network devices with managed firewalls.
    - # Security logs maintained and managed.
    - % Personal and sensitive data encrypted.
- 3. Intermediate
  - Practices
    - Have management ensure that data and information stewardship roles are defined and that trained staff are assigned to these roles.
    - Assess and implement a training plan for stewardship roles.
    - Make security awareness training available to all staff.
    - Define and implement data classifications for security.
    - Have data and information owners and relevant stakeholders agree on security needs based on data and information classification and the organisation's policies and procedures.
    - Occasionally test recovery plans.
  - Outcomes
    - Data and information stewardship roles exist and staff are being trained to provide a competent service.
    - A cultural shift in mindset towards improved security behaviour is resulting from staff training, and policy breaches are less frequent.
    - The sensitivity and security requirements for different data are widely understood.
    - Security is applied to data based on classification and on policies relating to confidentiality, integrity and availability.
  - Metrics
    - # Systems with access controls.
    - # People provided security training.
    - # People in roles that need identified training.
    - % Systems with virus and firewall protection.
    - % Network devices with managed firewalls.
    - # Security logs maintained and managed.
    - # Policy breaches.
    - # Security incidents, by severity.
    - # Systems with outstanding security patch needs.
    - # Network devices with outstanding security patch needs.
- 4. Advanced
  - Practices
    - Test the recovery plan regularly.
    - Assess and implement a training plan for stewardship roles.
    - Involve data and information stakeholders in risk assessment specific to their data and information.
    - Have business and IT collaborate on data inventory and life cycle management, as well as on data classifications.
    - Define permissions and roles that are supported by the data and information architecture.
    - Test and monitor the data and information security implementation.
  - Outcomes
    - Data and information stewardship roles exist and staff in those roles are receiving advanced training to provide a competent service.
    - A cultural shift in mindset towards improved security behaviour is resulting from staff training, and policy breaches are less frequent.
    - The sensitivity and security requirements for different data and information are widely understood.
    - Security is applied based on valid business risk assessment.
    - Appropriate levels of security can be applied based on the classifications of the data and information.
    - Data and information are accessed, used, and maintained by authorised applications only.
    - A security architecture view of the organisation exists.
    - The organisation has confidence that appropriate levels of security are applied and effective.
  - Metrics
    - # Systems with access controls.
    - # People provided security training.
    - # People in roles that need identified training.
    - % Systems with virus and firewall protection.
    - % Network devices with managed firewalls.
    - # Security logs maintained and managed.
    - # Policy breaches.
    - # Security incidents, by severity.
    - # Systems with outstanding security patch needs.
    - # Network devices with outstanding security patch needs.
    - # Security test failures.
- 5. Optimized
  - Practices
    - Plan security across the business ecosystem.
    - Enable security at the required granularity in systems, solution design, and architecture.
    - Adjust security requirements based on changing data and information value, or in response to events or changing situational awareness.
    - Review and improve data and information security regularly.
  - Outcomes
    - Data and information stewardship roles exist and staff are receiving the latest and best training available to provide a competent service.
    - A cultural shift in mindset towards improved security behaviour is resulting from staff training, and policy breaches are less frequent.
    - The sensitivity and security requirements for different data and information are widely understood.
    - Data and information security can be managed and applied effectively and efficiently.
    - A security architecture view of the organisation exists.
    - Applied controls are appropriate to the specific data and information.
    - Data security is optimised and appropriate to the specific data and information types.
  - Metrics
    - # Systems with access controls.
    - # People provided security training.
    - # People in roles that need identified training.
    - % Systems with virus and firewall protection.
    - % Network devices with managed firewalls.
    - # Security logs maintained and managed.
    - # Policy breaches.
    - # Security incidents, by severity.
    - # Systems with outstanding security patch needs.
    - # Network devices with outstanding security patch needs.
    - # Security test failures.