IVI Framework Viewer

Strategy and Governance

A1

Design, develop, and maintain policies and controls for protecting personal data that comply with relevant regulations and laws, and that align with the organization's business model and objectives.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Strategy and Governance at each level of maturity.

1 Initial
  • Practice
    Develop, communicate, and support the organization's information security objectives.
    Outcome
    The allocation of responsibility for information management strategy is ad hoc.
  • Practice
    Establish and maintain data protection policies and controls.
    Outcomes
    • Information is managed in silos.
    • These silos inhibit strategic planning and oversight.
    Metric
    % Employees provided information security training.
  • Practice
    Have management drive a data protection awareness and compliant culture.
    Outcome
    Some business units and IT develop, support and implement the business information security strategy.
    Metrics
    • # Metadata fields supporting personal data management.
    • # Lifecycles approved for personal data usage.
    • # Applications using encapsulation (or other techniques) to protect personal data.
    • % Employees provided information security objective training.
  • Practice
    Identify relevant data protection standards, regulatory and legislative requirements.
    Outcome
    Use of the information management strategy is organization-wide with senior executive oversight.
    Metrics
    • # Metadata fields supporting personal data management.
    • # Lifecycles approved for personal data usage.
    • # Applications using encapsulation (or other techniques) to protect personal data.
    • % Employees provided information security objective training.
2 Basic
  • Practice
    Develop, communicate, and support the organization's information security objectives.
    Outcome
    Information management strategy is dynamically aligned with business strategy.
    Metrics
    • % Managers actively supporting data protection activities.
    • % Staff aware of information strategy.
  • Practice
    Establish and maintain data protection policies and controls.
    Outcome
    Data protection policies, standards and controls (if any) are ad hoc.
  • Practice
    Have management drive a data protection awareness and compliant culture.
    Outcome
    Some data protection policies and controls incorporate relevant local and national data protection legislative criteria.
    Metrics
    • # Regulatory and legislative instruments considered relevant.
    • % Identified regulatory or legislative instruments addressed in policies and controls.
  • Practice
    Identify relevant data protection standards, regulatory and legislative requirements.
    Outcome
    Data protection policies and controls incorporate relevant local, national and transnational data protection legislative criteria.
    Metrics
    • # Data protection regulatory and legislative instruments considered relevant.
    • % Identified regulatory or legislative instruments addressed in the data protection policies and controls.
3 Intermediate
  • Practice
    Develop, communicate, and support the organization's information security objectives.
    Outcome
    Data protection policies and controls are improved based on evolving risk, and technical factors and application of them is automated.
    Metrics
    • % Managers actively supporting data protection activities.
    • # Non-compliances by staff, by department or manager.
  • Practice
    Establish and maintain data protection policies and controls.
    Outcome
    Flexible and agile policies and controls are continually updated against the latest standards, regulations and evolving business needs.
    Metrics
    • % Policies with associated automated controls.
    • # Regulations with fully embedded controls.
  • Practice
    Have management drive a data protection awareness and compliant culture.
    Outcome
    Advocacy of data protection (if any) is ad hoc.
  • Practice
    Identify relevant data protection standards, regulatory and legislative requirements.
    Outcomes
    • Local leaders and champions promote information management, and data protection.
    • Data protection training needs are being identified and made available.
    Metric
    % Managers actively supporting data protection activities.
4 Advanced
  • Practice
    Develop, communicate, and support the organization's information security objectives.
    Outcomes
    • Leadership supports the establishment and development of information management and data protection.
    • Staff have been provided data protection training.
    Metrics
    • % Managers actively supporting data protection activities.
    • # Non-compliances by staff, by department or manager.
  • Practice
    Establish and maintain data protection policies and controls.
    Outcomes
    • Senior management promotes information management and data protection compliant ways of doing business.
    • Role specific training is available as needed.
    Metrics
    • % Managers actively supporting data protection activities.
    • # Non-compliances by staff, by department or manager.
  • Practice
    Have management drive a data protection awareness and compliant culture.
    Outcomes
    • Leadership is actively and visibly promoting data protection compliant ways of doing business.
    • Some staff are industry leaders and recognized contributors to data protection learning.
    Metrics
    • # Leaders in data protection.
    • # Publications and/or speakers at events which promote data protection practices.
  • Practice
    Identify relevant data protection standards, regulatory and legislative requirements.
    Outcome
    The identification of relevant data protection standards, regulatory and legislative requirements is ad hoc.
5 Optimized
  • Practice
    Develop, communicate, and support the organization's information security objectives.
    Outcome
    Local and national requirements are identified.
    Metrics
    • % Identified regulatory and legislative instruments being considered in the data protection policies and procedures.
    • % Identified standards being considered in the development of the data protection policies and procedures.
  • Practice
    Establish and maintain data protection policies and controls.
    Outcomes
    • All relevant local, national and international standards, regulatory and legislative requirements are captured.
    • The legal implications of data transfers across national boundaries are understood.
    Metrics
    • % Identified regulatory and legislative instruments addressed in the data protection policies and procedures.
    • % Identified standards addressed in the data protection policies and procedures.
  • Practice
    Have management drive a data protection awareness and compliant culture.
    Outcome
    Legal precedents and relevant interpretations of the standards, regulatory and legislative instruments are understood.
    Metric
    # Policy or procedure changes initiated by precedent cases.
  • Practice
    Identify relevant data protection standards, regulatory and legislative requirements.
    Outcome
    The company is aware of pending standards, regulatory and legislative changes and contributes to these at public consultation phases and participates on key special interest groups.
    Metrics
    • # Contributions to emerging standards, regulations and legislative instruments.
    • # Emerging standards, regulations and legislative instruments being monitored.