Information Security Strategy
Develop, communicate, and support the organization’s information security objectives.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Information Security Strategy at each level of maturity.
- 1 Initial
  - Practice: Rely on the best endeavours of staff.
  - Outcome: The organization may behave on an ad hoc basis: with no documented processes or procedures, staff respond differently according to their differing levels of experience and training backgrounds.
  - Metric: # Customer complaints or accolades about consistency/inconsistency.
- 2 Basic
  - Practice: Develop basic or local information security strategies which consider IT and business strategies and risk appetite.
  - Outcome: There is confidence that security is partially aligned with business needs; there is a foundation for security and some initial direction is provided to security activities.
  - Metric: # Existence and availability of security strategies which include business and IT strategies and risk appetite.
- 3 Intermediate
  - Practice: Align the information security strategies with IT and business strategies and risk appetite across IT and some business units.
  - Outcome: IT security measures match IT and some business unit needs.
  - Metrics:
    - # Existence and availability of security strategies which include business and IT strategies and risk appetite.
    - # and % of total stakeholders aware of and using the information security strategy.
- 4 Advanced
  - Practice: Regularly improve alignment of the information security strategies with business and IT strategies and risk appetite across the organization.
  - Outcome: There is confidence that security responds to changing risks and threats, meets business requirements and is neither excessive nor inadequate; security is seen as enabling business priorities.
  - Metrics:
    - # Existence and availability of security strategies which include business and IT strategies and risk appetite.
    - # and % of total stakeholders aware of and using the information security strategy.
- 5 Optimized
  - Practice: Ensure the information security strategy is aligned and continually re-aligned to business and IT strategies, and risk appetite, across the business ecosystem.
  - Outcome: Security needs are defined consistently from the top down, enabling security activities to be delivered efficiently and effectively.
  - Metrics:
    - # Existence and availability of security strategies which include business and IT strategies and risk appetite.
    - # and % of total stakeholders aware of and using the information security strategy.