IVI Framework Viewer

Controls

B2

Establish a control framework for information management, which may include ways to monitor effectiveness and efficiency, to manage change, and to control access, as well as guidance on data and information use.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Controls at each level of maturity.

2 Basic
  • Practice
    Define criteria for access to systems and data based on data value and position in life cycle(s).
    Outcome
    There is increasing confidence that data is appropriately protected.
    Metric
    A ratio of systems and data sources for which basic controls exist vs. those for which specific controls exist ‒ e.g. access is defined either by a generic role requirement or by a specific role requirement. Generic roles are broad and may map across multiple business units. More specific roles are required to grant access only to those roles which require it.
  • Practice
    Define controls and control test methods and begin testing.
    Outcome
    There is increasing confidence that appropriate and effective controls are applied to some data.
    Metric
    % of identified risks for which tested controls exist (controls must be implemented and tested).
3 Intermediate
  • Practice
    Develop a formal process for agreeing, implementing, and reviewing access to data by job role.
    Outcome
    Data access is defined, applied, and managed efficiently and effectively.
    Metric
    A ratio of systems and data sources for which basic controls exist vs. those for which specific controls exist ‒ e.g. access is defined by a specific role in all cases, but this metric measures the iterative review part of the cycle.
  • Practice
    Use a formal process to determine relevant controls based on master data management and strategic business objectives.
    Outcome
    Controls are relevant to the value of data and are effective.
    Metric
    % of identified risks for which tested controls exist that are matched to data categories.
4 Advanced
  • Practice
    Develop a formal, automated process for agreeing, implementing, and reviewing access to data by job role.
    Outcomes
    • Consistent and effective access management is evident.
    • Controls can be applied efficiently and consistently.
    Metric
    A ratio of systems and data sources for which basic time-bound manual controls exist vs. those with automated controls/expiry of access.
  • Practice
    Develop and apply relevant controls based on mature risk management activities.
    Outcome
    Increased control and consistency reduce process variance and improve data quality.
    Metric
    % of identified risks for which tested controls exist that are developed by the risk management process.
5 Optimized
  • Practice
    Determine and apply efficient and effective access controls across the business ecosystem.
    Outcome
    Consistent and effective access management across the business ecosystem is evident.
    Metric
    A ratio of business units which have adopted specific time-bound controls with automated expiry of access versus those without automated expiry.
  • Practice
    Determine controls based on evolving strategic, risk, and technical factors.
    Outcome
    Controls are effective and efficient across the business ecosystem.
    Metric
    % of identified risks for which tested controls exist that are developed to reflect evolving factors.
  • Practice
    Automate the application of controls based on agreed risk tolerance factors.
    Outcome
    Controls are effective and efficient across the business ecosystem.
    Metric
    % of identified risks for which tested, automated controls exist that are developed to reflect evolving factors.