Security, Access Rights, and Risk Management
Establish, identify, and communicate security criteria, access rights controls (based on life-cycle state) and risk criteria for personal data.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Security, Access Rights, and Risk Management at each level of maturity.
- 1 Initial
- Practice
- Assess, evaluate, and manage personal data risks.
- Outcome
- Specification, procurement or management tends to be department choice or ad hoc.
- Practice
- Gather intelligence on threats and vulnerabilities from internal and external sources.
- Outcomes
- Toolset selection and management is based on preferred vendor recommendations.
- Resource allocation is local or assigned to resolve issues as needed.
- Metrics
- # data protection tools in use for data acquisition and consent agreement capture.
- # tools available at customer or data subject interfaces.
- Practice
- Identify, establish, and communicate personal data security criteria and practices to secure the physical environment together with manual and automated data.
- Outcome
- IT and some business units are agreed on the automation levels, tooling, resourcing, and management of security resources.
- Metrics
- # data protection tools in use for data acquisition and consent agreement capture.
- # tools available at customer or data subject interfaces.
- Practice
- Match access control procedures to data classifications.
- Outcome
- Monitoring is highly automated via standard toolsets and resources are actively managed to improve security and data protection services across the enterprise.
- Metrics
- # data protection tools in use for data acquisition and consent agreement capture.
- # tools available at customer or data subject interfaces.
- 2 Basic
- Practice
- Assess, evaluate, and manage personal data risks.
- Outcome
- The specification, procurement, and management of data protection and security tools and resources are continuously reviewed and improved as necessary across the business ecosystem.
- Metric
- # average usage of tools to implement privacy by design in the data life cycles.
- Practice
- Gather intelligence on threats and vulnerabilities from internal and external sources.
- Outcome
- Data retention policy for personal data (if any) is ad hoc.
- Practice
- Identify, establish, and communicate personal data security criteria and practices to secure the physical environment together with manual and automated data.
- Outcomes
- A data retention policy has been drafted.
- Implementation has started in some business units.
- Metric
- % personal data covered by implemented data retention policies.
- Practice
- Match access control procedures to personal data classifications.
- Outcomes
- Data is reviewed and classified at least annually.
- Suitable retention periods specified against each personal data attribute.
- Metric
- % personal data covered by implemented data retention policies.
- 3 Intermediate
- Practice
- Assess, evaluate, and manage personal data risks.
- Outcomes
- Data is reviewed and classified regularly.
- Some retention periods specified against each personal data attribute.
- Metric
- % personal data covered by implemented data retention policies.
- Practice
- Gather intelligence on threats and vulnerabilities from internal and external sources.
- Outcomes
- Continuously monitored approach to data classification.
- Retention periods reviewed in line with business strategy and objectives and fully compliant with statutory requirements.
- Metric
- % personal data with retention policies.
- Practice
- Identify, establish, and communicate personal data security criteria and practices to secure the physical environment together with manual and automated data.
- Outcome
- The destruction of personal data (if any) is ad hoc.
- Practice
- Match access control procedures to personal data classifications.
- Outcomes
- A capability to anonymize personal data is in use.
- Selection for deletion is based on a mix of data age and life cycle stage.
- Metric
- % media destroyed using commercial or professional techniques.
- 4 Advanced
- Practice
- Assess, evaluate, and manage personal data risks.
- Outcome
- Life cycles and metadata clearly identify data that is ready for anonymization or deletion.
- Metric
- % media destroyed using commercial or professional techniques.
- Practice
- Gather intelligence on threats and vulnerabilities from internal and external sources.
- Outcome
- Destruction of personal data, and of media (paper and digital) holding personal data, is policy and process compliant across the organization.
- Metric
- % media destroyed using commercial or professional techniques.
- Practice
- Identify, establish, and communicate personal data security criteria and practices to secure the physical environment together with manual and automated data.
- Outcomes
- Personal data removal is effective across the business ecosystem.
- Systems are in place to prevent the inappropriate restoration of obsolete personal data.
- Metric
- % of end-of-life equipment and paper that is verifiably destroyed across the entire ecosystem.
- Practice
- Match access control procedures to personal data classifications.
- Outcome
- The destruction of personal data (if any) is ad hoc.
- 5 Optimized
- Practice
- Assess, evaluate, and manage personal data risks.
- Outcomes
- A capability to anonymize personal data is in use.
- Selection for deletion is based on a mix of data age and life cycle stage.
- Metrics
- % personal data fields deleted based on life-cycle stage.
- % personal data fields deleted based on age.
- % personal data not addressed by a data deletion policy.
- Practice
- Gather intelligence on threats and vulnerabilities from internal and external sources.
- Outcome
- Life cycles and metadata clearly identify data that is ready for anonymization or deletion.
- Metrics
- % personal data fields deleted based on life-cycle stage.
- % personal data fields deleted based on age.
- % personal data not addressed by a data deletion policy.
- Practice
- Identify, establish, and communicate personal data security criteria and practices to secure the physical environment together with manual and automated data.
- Outcome
- Destruction of personal data, and of media (paper and digital) holding personal data, is policy and process compliant across the organization.
- Metrics
- % personal data fields deleted based on life-cycle stage.
- % personal data fields deleted based on age.
- % personal data not addressed by a data deletion policy.
- Practice
- Match access control procedures to personal data classifications.
- Outcomes
- Personal data removal is effective across the business ecosystem.
- Systems are in place to prevent the inappropriate restoration of obsolete personal data.
- Metric
- % personal data that is automatically destroyed in line with retention policies.