IVI Framework Viewer

Representative POMs are described for IT Component Security at each level of maturity.

1Initial

• Practice

  Use user ID and passwords for sensitive business applications e.g. payroll.

  Outcome

  Only authorized users have access to sensitive applications.

  Metric

  % Ratio of unsecured components to secured

2Basic

• Practice

  Set defaults to secure or block and open only as needed to enable the business.

  Outcome

  Access is restricted to authorized components and access paths through the IT infrastructure.

  Metric

  % Components with default set to closed # Staff needed to maintain the component security

3Intermediate

• Practice

  Define and implement security features with monitoring for major systems and devices across IT and some business units.

  Outcome

  Major systems are secured and any incidents will be quickly detected, identified and acted upon.

  Metric

  % Major systems and devices actively managed and monitored # Incidents detected by security measures # Incidents missed by detection systems (user/employee reported)

4Advanced

• Practice

  Determine and apply appropriate security features for all devices organization-wide. Test the measures for compliance with policies and standards.

  Outcome

  All devices have appropriate security measures applied.

  Metric

  % Devices compliant with security policy. % Sites compliant with security policy % Out-of-support devices # Out-of-support devices

5Optimized

• Practice

  Keep security features current using the latest patches, virus and spyware signatures, as well as firmware and operating system fixes.

  Outcome

  Erosion of security features over time is prevented.

  Metric

  % Devices overdue reviews % Devices with delayed patch installations % Devices with out-of-date anti-virus or anti-spyware signatures % Devices with outstanding firmware updates