IVI Framework Viewer

Security Policies and Controls

A2

Establish and maintain security policies and controls, taking into account relevant security standards, regulatory and legislative security requirements, and the organization’s security objectives.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Security Policies and Controls at each level of maturity.

1 Initial
  • Practice
    Informally use vendor or publicly available policies, standards and controls until the organization's own are developed.
    Outcome
    Policies, standards and controls are inconsistent/incomplete, resulting in security gaps and potentially security breaches and/or data loss.
    Metric
    # Policies, standards and controls in existence.
2 Basic
  • Practice
    Develop basic or local information security policies and controls based on reviews of mandatory standards, and review them after major incidents.
    Outcome
    Basic policies provide a framework for controls which relate to business needs and provide basic protection of business assets.
    Metric
    # Information security policies in existence; # Policies, standards and controls mapped to generic business requirements; # Systems with access controls.
3 Intermediate
  • Practice
    Develop security policies, standards and controls using a defined process and using feedback from IT and some business units.
    Outcome
    There are clear and consistent policies, standards and controls which relate to business needs and can be efficiently applied, communicated and tested.
    Metric
    # Policies, standards and controls mapped to requirements of business units; # Controls which reflect policies.
4 Advanced
  • Practice
    Review information security policies, standards and controls periodically across the organization to ensure alignment, and test compliance.
    Outcome
    There is confidence that policies, standards and controls are relevant organization-wide and are being adhered to.
    Metric
    # Audit findings related to non-adherence to policies and standards.
5 Optimized
  • Practice
    Review information security policies, standards and controls periodically and revise as appropriate based on input from the business ecosystem.
    Outcome
    There is a clear and consistent framework across the business ecosystem against which measures can be developed and implemented to protect business assets.
    Metric
    # and % of total stakeholders aware of and adhering to policies, as evidenced by regular reviews and audits.