IVI Framework Viewer

Information Security

C7

Provide oversight, processes, and tools to enable the security, availability, integrity, and accessibility of information throughout its life cycle.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Information Security at each level of maturity.

1 Initial
  • Practice
    • Use data and information security on a case-by-case basis.
  • Outcome
    • Application of security appropriate to the data and information is limited or ad hoc.
  • Metric
    • % PCs without anti-virus protection.
2 Basic
  • Practices
    • Document data and information security approaches and policies.
    • Separate administrative and user access rights and manage them through separate people and/or software layers.
    • Develop and use access controls for sensitive systems, such as payroll and benefits, and for others that warrant inclusion based on their business context.
  • Outcomes
    • Appropriate levels of security can be applied to some data and information.
    • Access and identity management exists for sensitive systems.
  • Metrics
    • # Systems with access controls.
    • # People provided security training.
    • % Systems with anti-virus and firewall protection.
    • % Network devices with managed firewalls.
    • # Security logs maintained and managed.
    • % Personal and sensitive data encrypted.
3 Intermediate
  • Practices
    • Have management ensure that data and information stewardship roles are defined and that trained staff are assigned to these roles.
    • Assess and implement a training plan for stewardship roles.
    • Make security awareness training available to all staff.
    • Define and implement data classifications for security.
    • Have data and information owners and relevant stakeholders agree on security needs based on data and information classification and on the organisation's policies and procedures.
    • Occasionally test recovery plans.
  • Outcomes
    • Data and information stewardship roles exist and staff are being trained to provide a competent service.
    • Staff training is driving a cultural shift towards improved security behaviour, and policy breaches are less frequent.
    • The sensitivity and security requirements for different data are widely understood.
    • Security is applied to data based on classification and on policies relating to confidentiality, integrity and availability.
  • Metrics
    • # Systems with access controls.
    • # People provided security training.
    • # People in roles that need identified training.
    • % Systems with anti-virus and firewall protection.
    • % Network devices with managed firewalls.
    • # Security logs maintained and managed.
    • # Policy breaches.
    • # Security incidents by severity.
    • # Systems with outstanding security patch needs.
    • # Network devices with outstanding security patch needs.
4 Advanced
  • Practices
    • Test the recovery plan regularly.
    • Assess and implement a training plan for stewardship roles.
    • Involve data and information stakeholders in risk assessment specific to their data and information.
    • Have business and IT collaborate on data inventory, life cycle management and classification.
    • Define permissions and roles that are supported by the data and information architecture.
    • Test and monitor the data and information security implementation.
  • Outcomes
    • Data and information stewardship roles exist and the staff in them are receiving advanced training to provide a competent service.
    • Staff training is driving a cultural shift towards improved security behaviour, and policy breaches are less frequent.
    • The sensitivity and security requirements for different data and information are widely understood.
    • Security is applied based on valid business risk assessment.
    • Appropriate levels of security can be applied based on the classifications of the data and information.
    • Data and information are accessed, used, and maintained by authorised applications only.
    • A security architecture view of the organisation exists.
    • The organisation has confidence that appropriate levels of security are applied and effective.
  • Metrics
    • # Systems with access controls.
    • # People provided security training.
    • # People in roles that need identified training.
    • % Systems with anti-virus and firewall protection.
    • % Network devices with managed firewalls.
    • # Security logs maintained and managed.
    • # Policy breaches.
    • # Security incidents by severity.
    • # Systems with outstanding security patch needs.
    • # Network devices with outstanding security patch needs.
    • # Security test failures.
5 Optimized
  • Practices
    • Plan security across the business ecosystem.
    • Enable security at the required granularity in systems, solution design, and architecture.
    • Adjust security requirements based on changing data and information value, or in response to events or changing situational awareness.
    • Review and improve data and information security regularly.
  • Outcomes
    • Data and information stewardship roles exist and staff are receiving the latest and best training available to provide a competent service.
    • Staff training is driving a cultural shift towards improved security behaviour, and policy breaches are less frequent.
    • The sensitivity and security requirements for different data and information are widely understood.
    • Data and information security can be managed and applied effectively and efficiently.
    • A security architecture view of the organisation exists.
    • Applied controls are appropriate to specific data and information.
    • Data security is optimised and appropriate to specific data and information types.
  • Metrics
    • # Systems with access controls.
    • # People provided security training.
    • # People in roles that need identified training.
    • % Systems with anti-virus and firewall protection.
    • % Network devices with managed firewalls.
    • # Security logs maintained and managed.
    • # Policy breaches.
    • # Security incidents by severity.
    • # Systems with outstanding security patch needs.
    • # Network devices with outstanding security patch needs.
    • # Security test failures.