Security Policies and Controls
Establish and maintain security policies and controls, taking into account relevant security standards, regulatory and legislative security requirements, and the organization’s security objectives.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Security Policies and Controls at each level of maturity.
- 1. Initial
  - Practice
    - Informally use vendor or publicly available policies, standards and controls until the organization's own are developed.
  - Outcome
    - Policies, standards and controls are inconsistent or incomplete, resulting in security gaps and potentially in security breaches and/or data loss.
  - Metric
    - # Policies, standards and controls in existence.
- 2. Basic
  - Practice
    - Develop basic or local information security policies and controls based on reviews of mandatory standards, and review them after major incidents.
  - Outcome
    - Basic policies provide a framework for controls that relate to business needs and provide basic protection of business assets.
  - Metric
    - Existence of information security policies; # Policies, standards and controls mapped to generic business requirements; # Systems with access controls.
- 3. Intermediate
  - Practice
    - Develop security policies, standards and controls using a defined process and feedback from IT and some business units.
  - Outcome
    - There are clear and consistent policies, standards and controls that relate to business needs and can be efficiently applied, communicated and tested.
  - Metric
    - # Policies, standards and controls mapped to the requirements of business units; # Controls that reflect policies.
- 4. Advanced
  - Practice
    - Review information security policies, standards and controls periodically across the organization to ensure alignment, and test compliance with them.
  - Outcome
    - There is confidence that policies, standards and controls are relevant organization-wide and are being adhered to.
  - Metric
    - # Audit findings related to non-adherence to policies and standards.
- 5. Optimized
  - Practice
    - Review information security policies, standards and controls periodically and revise them as appropriate based on input from the business ecosystem.
  - Outcome
    - There is a clear and consistent framework across the business ecosystem against which measures can be developed and implemented to protect business assets.
  - Metric
    - # and % of stakeholders aware of and adhering to policies, as evidenced by regular reviews and audits.