Strategy and Governance
Design, develop, and maintain policies and controls for protecting personal data that comply with relevant regulations and laws, and that align with the organization's business model and objectives.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Strategy and Governance at each level of maturity.
- 1. Initial
- Practice
- Develop, communicate, and support the organization's information security objectives.
- Outcome
- The allocation of responsibility for information management strategy is ad hoc.
- Practice
- Establish and maintain data protection policies and controls.
- Outcomes
- Information is managed in silos.
- These silos inhibit strategic planning and oversight.
- Metric
- % Employees provided information security training.
- Practice
- Have management drive a data protection awareness and compliant culture.
- Outcome
- Some business units and IT develop, support and implement the business information security strategy.
- Metrics
- # Metadata fields supporting personal data management.
- # Lifecycles approved for personal data usage.
- # Applications using encapsulation (or other techniques) to protect personal data.
- % Employees provided information security objective training.
- Practice
- Identify relevant data protection standards, regulatory and legislative requirements.
- Outcome
- Use of the information management strategy is organization-wide with senior executive oversight.
- Metrics
- # Metadata fields supporting personal data management.
- # Lifecycles approved for personal data usage.
- # Applications using encapsulation (or other techniques) to protect personal data.
- % Employees provided information security objective training.
- 2. Basic
- Practice
- Develop, communicate, and support the organization's information security objectives.
- Outcome
- Information management strategy is dynamically aligned with business strategy.
- Metrics
- % Managers actively supporting data protection activities.
- % Staff aware of information strategy.
- Practice
- Establish and maintain data protection policies and controls.
- Outcome
- Data protection policies, standards and controls (if any) are ad hoc.
- Practice
- Have management drive a data protection awareness and compliant culture.
- Outcome
- Some data protection policies and controls incorporate relevant local and national data protection legislative criteria.
- Metrics
- # Count of regulatory and legislative instruments considered relevant.
- % of identified regulatory or legislative instruments addressed in policies and controls.
- Practice
- Identify relevant data protection standards, regulatory and legislative requirements.
- Outcome
- Data protection policies and controls incorporate relevant local, national and transnational data protection legislative criteria.
- Metrics
- # Count of data protection regulatory and legislative instruments considered relevant.
- % of identified regulatory or legislative instruments addressed in the data protection policies and controls.
- 3. Intermediate
- Practice
- Develop, communicate, and support the organization's information security objectives.
- Outcome
- Data protection policies and controls are improved based on evolving risk and technical factors, and their application is automated.
- Metrics
- % Managers actively supporting data protection activities.
- # non-compliances by staff, by department or manager.
- Practice
- Establish and maintain data protection policies and controls.
- Outcome
- Flexible and agile policies and controls are continually updated against the latest standards, regulations and evolving business needs.
- Metrics
- % of policies with associated automated controls.
- # of regulations with fully embedded controls.
- Practice
- Have management drive a data protection awareness and compliant culture.
- Outcome
- Advocacy of data protection (if any) is ad hoc.
- Practice
- Identify relevant data protection standards, regulatory and legislative requirements.
- Outcomes
- Local leaders and champions promote information management and data protection.
- Data protection training needs are being identified and made available.
- Metric
- % Managers actively supporting data protection activities.
- 4. Advanced
- Practice
- Develop, communicate, and support the organization's information security objectives.
- Outcomes
- Leadership supports the establishment and development of information management and data protection.
- Staff have been provided data protection training.
- Metrics
- % Managers actively supporting data protection activities.
- # non-compliances by staff, by department or manager.
- Practice
- Establish and maintain data protection policies and controls.
- Outcomes
- Senior management promotes information management and data protection compliant ways of doing business.
- Role specific training is available as needed.
- Metrics
- % Managers actively supporting data protection activities.
- # non-compliances by staff, by department or manager.
- Practice
- Have management drive a data protection awareness and compliant culture.
- Outcomes
- Leadership is actively and visibly promoting data protection compliant ways of doing business.
- Some staff are industry leaders and recognized contributors to data protection learning.
- Metrics
- # Leaders in data protection.
- # Publications and/or speakers at events which promote data protection practices.
- Practice
- Identify relevant data protection standards, regulatory and legislative requirements.
- Outcome
- The identification of relevant data protection standards, regulatory and legislative requirements is ad hoc.
- 5. Optimized
- Practice
- Develop, communicate, and support the organization's information security objectives.
- Outcome
- Local and national requirements are identified.
- Metrics
- % identified regulatory and legislative instruments being considered in the data protection policies and procedures.
- % Identified standards being considered in the development of the data protection policies and procedures.
- Practice
- Establish and maintain data protection policies and controls.
- Outcomes
- All relevant local, national and international standards, regulatory and legislative requirements are captured.
- The legal implications of data transfers across national boundaries are understood.
- Metrics
- % identified regulatory and legislative instruments addressed in the data protection policies and procedures.
- % Identified standards addressed in the data protection policies and procedures.
- Practice
- Have management drive a data protection awareness and compliant culture.
- Outcome
- Legal precedents and relevant interpretations of the standards, regulatory and legislative instruments are understood.
- Metric
- # policy or procedure changes initiated by precedent cases.
- Practice
- Identify relevant data protection standards, regulatory and legislative requirements.
- Outcome
- The company is aware of pending standards, regulatory and legislative changes, contributes to these at public consultation phases, and participates in key special interest groups.
- Metrics
- # Contributions to emerging standards, regulations and legislative instruments.
- # emerging standards, regulations and legislative instruments being monitored.