IVI Framework Viewer

Information Security Strategy

A2

Develop an information security strategic plan to define how the organization's information security objectives can be achieved, and put the plan into operation.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Information Security Strategy at each level of maturity.

2 Basic
  Practice
    • Develop a basic information security strategic plan that focuses on sensitive data and information and on establishing a set of perimeter barriers, and that begins to consider business/IT strategies and risk appetite.
  Outcome
    • There is a foundation and initial direction for security activities.
  Metric
    • Existence of an information security strategic plan that reflects business and IT strategies and risk appetite.
3 Intermediate
  Practices
    • Collaboratively develop an industry-norm information security strategic plan and regularly align it with strategic priorities and risk appetite.
    • Include in the plan perimeter defences; security for accessing, using, transmitting, storing, and processing data and information; some monitoring; defence-in-depth concepts; and real-time intrusion detection.
  Outcome
    • IT security measures can match key strategic priorities and risk appetite.
  Metric
    • % of employees aware of and using the information security strategy.
4 Advanced
  Practice
    • Regularly update the information security strategic plan in line with changes in the organization's overall strategic priorities and risk appetite, regulatory instruments, standards, tools, and security technologies.
  Outcomes
    • IT security measures can match the organization's overall strategic priorities and risk appetite, and changes in the external environment.
    • There is confidence that security can respond to changing risks and threats, can meet business requirements, and is neither excessive nor inadequate.
  Metrics
    • # of revisions to the information security strategic plan per time period.
    • % of employees aware of and using the information security strategy.
5 Optimized
  Practice
    • Continually review the information security strategic plan for business ecosystem-wide proficiency, and refine it to reflect the latest (including draft or proposed) security-related regulatory instruments, standards, tools, security technologies, and emerging research concepts.
  Outcome
    • IT security measures are perceived as being industry exemplars.
  Metrics
    • # of revisions to the information security strategic plan per time period.
    • % of employees aware of and using the information security strategy.