Controls
Establish a control framework for information management, which may include ways to monitor effectiveness and efficiency, to manage change, and to control access, as well as guidance on data and information use.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Controls at each level of maturity.
- 2 Basic
  - Practice
    - Define criteria for access to systems and data, based on data value and position in the data life cycle(s).
  - Outcome
    - There is increasing confidence that data is appropriately protected.
  - Metric
    - Ratio of systems and data sources for which only basic controls exist vs. those for which specific controls exist, e.g. whether access is defined by a generic role requirement or by a specific role requirement. Generic roles are broad and may map across multiple business units; specific roles are required so that access is granted only to those roles that require it.
  - Practice
    - Define controls and control test methods, and begin testing.
  - Outcome
    - There is increasing confidence that appropriate and effective controls are applied to some data.
  - Metric
    - % of identified risks for which tested controls exist (controls must be both implemented and tested).
- 3 Intermediate
  - Practice
    - Develop a formal process for agreeing, implementing, and reviewing access to data by job role.
  - Outcome
    - Data access is defined, applied, and managed efficiently and effectively.
  - Metric
    - Ratio of systems and data sources for which basic controls exist vs. those for which specific controls exist, e.g. access is defined by a specific role in all cases, but this metric measures the iterative review part of the cycle.
  - Practice
    - Use a formal process to determine relevant controls based on master data management and strategic business objectives.
  - Outcome
    - Controls are relevant to the value of the data and are effective.
  - Metric
    - % of identified risks for which tested controls exist that are matched to data categories.
- 4 Advanced
  - Practice
    - Develop a formal, automated process for agreeing, implementing, and reviewing access to data by job role.
  - Outcomes
    - Consistent and effective access management is evident.
    - Controls can be applied efficiently and consistently.
  - Metric
    - Ratio of systems and data sources for which basic time-bound manual controls exist vs. those with automated controls and automated expiry of access.
  - Practice
    - Develop and apply relevant controls based on mature risk management activities.
  - Outcome
    - Increased control and consistency reduce process variance and improve data quality.
  - Metric
    - % of identified risks for which tested controls exist that were developed by the risk management process.
- 5 Optimized
  - Practice
    - Determine and apply efficient and effective access controls across the business ecosystem.
  - Outcome
    - Consistent and effective access management across the business ecosystem is evident.
  - Metric
    - Ratio of business units that have adopted specific time-bound controls with automated expiry of access vs. those without automated expiry.
  - Practice
    - Determine controls based on evolving strategic, risk, and technical factors.
  - Outcome
    - Controls are effective and efficient across the business ecosystem.
  - Metric
    - % of identified risks for which tested controls exist that were developed to reflect evolving factors.
  - Practice
    - Automate the application of controls based on agreed risk tolerance factors.
  - Outcome
    - Controls are effective and efficient across the business ecosystem.
  - Metric
    - % of identified risks for which tested, automated controls exist that were developed to reflect evolving factors.