IVI Framework Viewer

Information Security

C7

Provide oversight, processes, and tools to enable the security, availability, integrity, and accessibility of information throughout its life cycles.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Information Security at each level of maturity.

2 Basic
  • Practice
    Document data and information security approaches and policies.
    Outcome
    Appropriate levels of security can be applied to some data and information.
    Metrics
    • # of systems with access controls.
    • # of people to whom security training is provided.
    • % of security approaches and policies that are documented.
  • Practice
    Separate administrative and user access rights and manage them through separate people and/or software layers.
    Outcomes
    • Access and identity management exists as appropriate for users and administrators.
    • The risk of accidental or malicious leakage of data is minimized.
    Metrics
    • % of systems with virus and firewall protection.
    • % of network devices with managed firewalls.
    • # of security logs maintained and managed.
  • Practice
    Develop and use access controls for sensitive systems such as payroll and benefits, and for others that warrant inclusion based on their business context.
    Outcomes
    • Access and identity management exists for sensitive systems to protect sensitive data.
    • Employees trust that the organization is protecting sensitive data.
    Metric
    % of personal and sensitive data encrypted.
3 Intermediate
  • Practice
    Have management ensure that the data and information stewardship roles are defined and that trained staff are assigned to these roles.
    Outcome
    Data and information stewardship roles exist and staff are trained to provide a competent service.
    Metrics
    • % of appropriately defined and assigned stewardship roles.
    • # of systems with access controls.
    • % of people in data stewardship roles whose identified training needs are met.
  • Practice
    Make security awareness training available to all staff.
    Outcome
    There is a cultural shift in mindset towards improved security behaviour arising from staff training, and policy breaches are less frequent.
    Metric
    % of people provided with security training.
  • Practice
    Define and implement data classifications for security.
    Outcome
    Security is applied to data based on classification and policies relating to confidentiality, integrity, and availability.
    Metrics
    • % of data for which classifications exist.
    • % of systems with virus and firewall protection.
    • % of network devices with managed firewalls.
    • # of security logs maintained and managed.
  • Practice
    Have data and information owners and relevant stakeholders agree on security needs based on data and information classification and on the organization's policies and procedures.
    Outcome
    Staff understand and buy in to how security is applied to data based on classification and policies relating to confidentiality, integrity, and availability.
    Metrics
    • % of relevant stakeholders involved in security need assessments.
    • # of policy breaches.
    • # of security incidents by severity.
    • # of systems with outstanding security patch needs.
    • # of network devices with outstanding security patch needs.
  • Practice
    Test recovery plans occasionally.
    Outcome
    Recovery plans are reasonably robust.
    Metrics
    • Frequency of tests (as appropriate).
    • # of improvements based on tests.
    • Levels of confidence in the recovery plan.
4 Advanced
  • Practice
    Assess and implement a training plan for stewardship roles.
    Outcome
    Data and information stewardship roles exist and receive advanced training to provide a competent service.
    Metrics
    • # of systems with access controls.
    • # of people to whom security training is provided.
    • % of people in data stewardship roles whose identified training needs are met.
  • Practice
    Involve data and information stakeholders in risk assessments specific to their data and information.
    Outcome
    Security is applied based on valid business risk assessments.
    Metrics
    • % of relevant stakeholders involved in risk assessments.
    • % of systems with virus and firewall protection.
    • % of network devices with managed firewalls.
    • # of security logs maintained and managed.
  • Practice
    Define permissions and roles that are supported by the data and information architecture.
    Outcomes
    • Appropriate levels of security can be applied based on the classifications for data and information.
    • A security architecture view of the organization exists.
    Metrics
    • # of systems with access controls.
    • # of policy breaches.
    • # of security incidents by severity.
    • # of systems with outstanding security patch needs.
    • # of work devices with outstanding security patch needs.
  • Practice
    Test and monitor data and information security implementation.
    Outcome
    Data and information are accessed, used, and maintained by authorized applications only.
    Metrics
    • # of policy breaches.
    • # of security incidents by severity.
    • # of systems with outstanding security patch needs.
    • # of work devices with outstanding security patch needs.
    • # of security test failures.
  • Practice
    Test the recovery plan regularly.
    Outcome
    The organization has confidence that appropriate levels of security are applied effectively.
    Metrics
    • Frequency of tests (as appropriate).
    • # of improvements based on tests.
    • Levels of confidence in the recovery plan.
5 Optimized
  • Practice
    Plan security across the business ecosystem.
    Outcome
    The sensitivity and security requirements for different data and information are widely understood.
    Metrics
    • % of systems with virus and firewall protection.
    • % of network devices with managed firewalls.
    • # of security logs maintained and managed.
    • # of policy breaches.
  • Practice
    Enable security at the required granularity in systems, solutions design, and architecture.
    Outcomes
    • Data and information security can be managed and applied effectively and efficiently.
    • A security architecture view of the organization exists.
    Metrics
    • % of systems with virus and firewall protection.
    • % of network devices with managed firewalls.
    • # of security logs maintained and managed.
    • # of policy breaches.
  • Practice
    Adjust security requirements based on changing data and information value or in response to events or changing situational awareness.
    Outcome
    Applied controls are appropriate to specific data and information.
    Metrics
    • # of security incidents by severity.
    • # of systems with outstanding security patch needs.
    • # of network devices with outstanding security patch needs.
    • # of security test failures.
  • Practice
    Review and improve data and information security regularly.
    Outcome
    Data security is optimized and appropriate to specific data and information types.
    Metrics
    • # of security incidents by severity.
    • # of systems with outstanding security patch needs.
    • # of network devices with outstanding security patch needs.
    • # of security test failures.