IVI Framework Viewer

Information Security Strategy

A1

Develop, communicate, and support the organization’s information security objectives.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Information Security Strategy at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of staff.
    Outcome
    The organization may behave on an ad hoc basis because, with no documented processes or procedures, staff may respond differently depending on their differing levels of experience and training backgrounds.
    Metric
    # Customer in/consistency complaints/accolades.
2 Basic
  • Practice
    Develop basic or local information security strategies which consider IT and business strategies and risk appetite.
    Outcome
    There is confidence that security is partially aligned with business needs and there is a foundation for security and provision of some initial direction to security activities.
    Metric
    # Existence and availability of security strategies which include business and IT strategies and risk appetite
3 Intermediate
  • Practice
    Align the information security strategies with IT and business strategies and risk appetite across IT and some business units.
    Outcome
    IT security measures match IT and some business unit needs.
    Metric
    # Existence and availability of security strategies which include business and IT strategies and risk appetite.
    # and % total of stakeholders aware of and using information security strategy
4 Advanced
  • Practice
    Regularly improve alignment of the information security strategies with business and IT strategies and risk appetite across the organization.
    Outcome
    There is confidence that security responds to changing risks and threats, meets business requirements and is neither excessive nor inadequate; security is seen as enabling business priorities.
    Metric
    # Existence and availability of security strategies which include business and IT strategies and risk appetite
    # and % total of stakeholders aware of and using information security strategy
5 Optimized
  • Practice
    Ensure the information security strategy is aligned and continually re-aligned to business and IT strategies, and risk appetite across the business ecosystem.
    Outcome
    Security needs are defined consistently from the top down, enabling security activities to be delivered efficiently and effectively.
    Metric
    # Existence and availability of security strategies which include business and IT strategies and risk appetite
    # and % total of stakeholders aware of and using information security strategy