IVI Framework Viewer

Communication and Training

A4

Disseminate security approaches, policies, and other relevant information to develop security awareness and skills.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Communication and Training at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of staff.
    Outcome
    The organization may behave on an ad hoc basis because staff may respond differently, owing to the lack of documented processes or procedures and to their differing levels of experience and training backgrounds.
    Metric
    # of customer in/consistency complaints/accolades.
2 Basic
  • Practice
    Start to establish information security training and awareness in IT and start to communicate to key stakeholders.
    Outcome
    There is increased understanding of the role and value of information security; and increased application of security in IT activities.
    Metric
    # of training activities available; # and % total of IT staff who have attended information security training
3 Intermediate
  • Practice
    Develop generic security awareness for IT and some business units and provide on-demand training for security practitioners. Update training to reflect emerging security issues.
    Outcome
    There is an opportunity to supplement scarce security resources and improve security on a more timely basis.
    Metric
    # of training courses available; # and % total of IT staff who have attended information security training; # of issues relating to training and awareness identified in audit reports and post-incident reviews
4 Advanced
  • Practice
    Establish dedicated and tailored security training organization-wide and test to ensure understanding and effectiveness.
    Outcome
    Security improves as a result of tailored rather than generic security activities.
    Metric
    % of IT budget spent on ISM training; stakeholder feedback on value of training; # and % total of employees overdue refresher training; # of training courses available; # and % total of IT staff who have attended information security training; # of issues relating to training and awareness identified in audit reports and post-incident reviews
5 Optimized
  • Practice
    Evaluate and optimize security-related training and communication regularly across the business ecosystem.
    Outcome
    There is consistent and up-to-date understanding of security requirements and expectations.
    Metric
    # of audit findings related to non-compliance with security policies and procedures