IVI Framework Viewer

Representative POMs are described for Security Risk Assessment at each level of maturity.

1Initial

• Practice

  Rely on the best endeavours of staff.

  Outcome

  The organization may behave on an ad hoc basis because staff may respond differently due to no documented processes or procedures and their differing levels of experience and traininig backgrounds.

  Metric

  # Customer in/consistency complaints/accalaids.

2Basic

• Practice

  Establish a security risk assessment process in IT and ensure subject matter experts are identified within IT by system or process owners. Use IT specific risk measures/metrics during risk assessments.

  Outcome

  Security risk assessments are conducted by qualified staff and there is confidence in any assessment findings. The risks identified include major pain-points and current trends but lack consistency. Security risk assessments include IT metrics that are typically focused on technical assets but no consistent metrics framework is in place.

  Metric

  # Subject Matter Experts identified for security risk assessments in IT % Identified risks whose impact/likelihood exceed the organization's risk tolerance

3Intermediate

• Practice

  Use IT and business metrics in risk assessments. Conduct security risk assessments on a regular basis and involve subject matter experts from IT and some business areas. Use dimensions and information from security risk profiles for assessment and ensure complete assessment of exposures.

  Outcome

  Risk assessments include IT and business metrics that are typically focused on business assets and processes. A consistent metrics framework is used. Regular risk assessments facilitate collection of comparable data; and encourage follow-through on risk-handling. Consistent information is available on risks in IT and some business areas; information is sufficient for risks to be taken into account in decision-making processes.

  Metric

  # Subject Matter Experts identified for risk assessment in IT # Subject Matter Experts identified for risk assessment in business units Risk exposure for each identified risk % Identified risks whose impact/likelihood exceed the organization's risk tolerance

4Advanced

• Practice

  Define and use assessment metrics that are linked to the impact on business processes. Ensure the security risk assessment process including the use of metrics, is consistently used organization-wide and is aligned with and updated according to enterprise risk assessment processes.

  Outcome

  An organization-wide, holistic and stable metrics framework exists. There is clear linkage between business process impact and risk. Consistent information is available on all risks organization-wide; information is sufficient for risks to be taken into account in decision-making processes.

  Metric

  € Risk exposure for each identified risk % of identified risks whose impact/likelihood exceed the organization's risk tolerance

5Optimized

• Practice

  Ensure the security risk assessment process is agile and adaptable to the needs of the business ecosystem, considers long-term risks and is continually optimized.

  Outcome

  The expanded scope of Security Risk Management allows for inclusion of long-term risks and adaptability to the complexity and scope of the business ecosystem operating model.

  Metric

  Time horizon for risks