IVI Framework Viewer

IT Component Security

B2

Implement measures to protect all IT components, both physical and virtual, such as client computing devices, servers, networks, storage devices, printers, and smart phones.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for IT Component Security at each level of maturity.

1Initial
  • Practice
    Use user ID and passwords for sensitive business applications e.g. payroll.
    Outcome
    Only authorized users have access to sensitive applications.
    Metric
    % Ratio of unsecured components to secured
2Basic
  • Practice
    Set defaults to secure or block and open only as needed to enable the business.
    Outcome
    Access is restricted to authorized components and access paths through the IT infrastructure.
    Metric
    % Components with default set to closed # Staff needed to maintain the component security
3Intermediate
  • Practice
    Define and implement security features with monitoring for major systems and devices across IT and some business units.
    Outcome
    Major systems are secured and any incidents will be quickly detected, identified and acted upon.
    Metric
    % Major systems and devices actively managed and monitored # Incidents detected by security measures # Incidents missed by detection systems (user/employee reported)
4Advanced
  • Practice
    Determine and apply appropriate security features for all devices organization-wide. Test the measures for compliance with policies and standards.
    Outcome
    All devices have appropriate security measures applied.
    Metric
    % Devices compliant with security policy. % Sites compliant with security policy % Out-of-support devices # Out-of-support devices
5Optimized
  • Practice
    Keep security features current using the latest patches, virus and spyware signatures, as well as firmware and operating system fixes.
    Outcome
    Erosion of security features over time is prevented.
    Metric
    % Devices overdue reviews % Devices with delayed patch installations % Devices with out-of-date anti-virus or anti-spyware signatures % Devices with outstanding firmware updates