IVI Framework Viewer

Representative POMs are described for Information Security at each level of maturity.

1Initial

• Practice

  Use data and information security on a case by case basis.

  Outcome

  Application of security appropriate to the data and information is limited or ad hoc.

  Metric

  % PCs without anti-virus protection

2Basic

• Practices

  • Document data and information security approaches and policies.
  • Separate administrative and user access rights and manage them through separate people and or software layers.
  • Develop and use access controls for sensitive systems like payroll and benefits and others that warrant inclusion based on their business context.

  Outcomes

  • Appropriate levels of security can be applied to some data and information.
  • Access and identity management exists for sensitive systems.

  Metrics

  • # Systems with access controls.
  • # People provided security training.
  • % Systems with virus and firewall protection.
  • % network devices with managed firewalls.
  • # Security logs maintained and managed.
  • % Personal and sensitive data encrypted.

3Intermediate

• Practices

  • Have management ensure that the data and information stewardship roles are defined and that trained staff are assigned to these roles.
  • Assess and implement a training plan for stewardship roles.
  • Make security awareness training available to all staff.
  • Define and implement data classifications for security.
  • Have data and information owners and relevant stakeholders agree on security needs based on data and information classification and organisation's policies and procedures.
  • Occasionally test recovery plans.

  Outcomes

  • Data and information stewardship roles exist and staff are being trained to provide a competent service.
  • A cultural shift in mind-set change towards improved security behaviour is ensuing from staff training and policy breaches are less frequent.
  • The sensitivity and security requirements for different data is widely understood.
  • Security is applied to data based on classification and policies relating to confidentiality, integrity and availability.

  Metrics

  • # Systems with access controls.
  • # People provided security training.
  • # People in roles that need identified training.
  • % Systems with virus and firewall protection.
  • % network devices with managed firewalls.
  • # Security logs maintained and managed.
  • # Count of policy breaches.
  • # Count of security incident by severity.
  • # Systems with outstanding security patch needs.
  • # Network devices with outstanding security patch needs.

4Advanced

• Practices

  • Test the recovery plan regularly.
  • Assess and implement a training plan for stewardship roles.
  • Involve data and information stakeholders in risk assessment specific to their data and information.
  • Have business and IT collaborate on data inventory and life cycle management as well as its classifications.
  • Define permissions and roles that are supported by the data and information architecture.
  • Test and monitor data and information security implementation.

  Outcomes

  • Data and information stewardship roles exist and that are receiving advanced trained to provide a competent service.
  • A cultural shift in mind-set change towards improved security behaviour is ensuing from staff training and policy breaches are less frequent.
  • The sensitivity and security requirements for different data and information is widely understood.
  • Security is applied based on valid business risk assessment.
  • Appropriate levels of security can be applied based on the classifications for the data and information.
  • Data and information are accessed, used, and maintained by authorised applications only.
  • A security architecture view of the organization exists.
  • Organisation has confidence that appropriate levels of security are applied and effective.

  Metrics

  • # Systems with access controls.
  • # People provided security training.
  • # People in roles that need identified training.
  • % Systems with virus and firewall protection.
  • % network devices with managed firewalls.
  • # Security logs maintained and managed.
  • # Count of policy breaches.
  • # Count of security incident by severity.
  • # Systems with outstanding security patch needs.
  • # Network devices with outstanding security patch needs.
  • # Security test failures.

5Optimized

• Practices

  • Plan security across the business ecosystem.
  • Enable security at the required granularity in systems, solutions design, and architecture.
  • Adjust security requirements based on changing data and information value or in response to events or changing situational awareness.
  • Review and improve data and information security regularly.

  Outcomes

  • Data and information stewardship roles exist and staff are receiving the latest and best training available to provide a competent service.
  • A cultural shift in mind-set change towards improved security behaviour is ensuing from staff training and policy breaches are less frequent.
  • The sensitivity and security requirements for different data and information is widely understood.
  • Data and information security can be managed and applied effectively and efficiently.
  • A security architecture view of the organization exists.
  • Applied controls are appropriate to specific data and information.
  • Data security is optimised and appropriate to specific data and information types.

  Metrics

  • # Systems with access controls.
  • # People provided security training.
  • # People in roles that need identified training.
  • % Systems with virus and firewall protection.
  • % network device devices with managed firewalls.
  • # Security logs maintained and managed.
  • # Count of policy breaches.
  • # Count of security incident by severity.
  • # Systems with outstanding security patch needs.
  • # Network devices with outstanding security patch needs.
  • # Security test failures.