Information Security
Provide oversight, processes, and tools to enable the security, availability, integrity, and accessibility of information throughout its life cycles.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Information Security at each level of maturity.
- 2 Basic
  - Practice
    - Document data and information security approaches and policies.
  - Outcome
    - Appropriate levels of security can be applied to some data and information.
  - Metrics
    - # of systems with access controls.
    - # of people to whom security training is provided.
    - % of security approaches and policies that are documented.
  - Practice
    - Separate administrative and user access rights and manage them through separate people and/or software layers.
  - Outcomes
    - Access and identity management exists as appropriate for users and administrators.
    - The risk of accidental or malicious leakage of data is minimized.
  - Metrics
    - % of systems with virus and firewall protection.
    - % of network devices with managed firewalls.
    - # of security logs maintained and managed.
  - Practice
    - Develop and use access controls for sensitive systems such as payroll and benefits, and for others that warrant inclusion based on their business context.
  - Outcomes
    - Access and identity management exists for sensitive systems to protect sensitive data.
    - Employees trust that the organization is protecting sensitive data.
  - Metric
    - % of personal and sensitive data encrypted.
- 3 Intermediate
  - Practice
    - Have management ensure that the data and information stewardship roles are defined and that trained staff are assigned to these roles.
  - Outcome
    - Data and information stewardship roles exist and staff are trained to provide a competent service.
  - Metrics
    - % of appropriately defined and assigned stewardship roles.
    - # of systems with access controls.
    - % of people in data stewardship roles whose identified training needs are met.
  - Practice
    - Make security awareness training available to all staff.
  - Outcome
    - There is a cultural shift in mindset towards improved security behaviour arising from staff training, and policy breaches are less frequent.
  - Metric
    - % of people provided with security training.
  - Practice
    - Define and implement data classifications for security.
  - Outcome
    - Security is applied to data based on classification and policies relating to confidentiality, integrity, and availability.
  - Metrics
    - % of data for which classifications exist.
    - % of systems with virus and firewall protection.
    - % of network devices with managed firewalls.
    - # of security logs maintained and managed.
  - Practice
    - Have data and information owners and relevant stakeholders agree on security needs based on data and information classification and on the organization's policies and procedures.
  - Outcome
    - Staff understand and buy in to how security is applied to data based on classification and policies relating to confidentiality, integrity, and availability.
  - Metrics
    - % of relevant stakeholders involved in security need assessments.
    - # of policy breaches.
    - # of security incidents by severity.
    - # of systems with outstanding security patch needs.
    - # of network devices with outstanding security patch needs.
  - Practice
    - Test recovery plans occasionally.
  - Outcome
    - Recovery plans are reasonably robust.
  - Metrics
    - Frequency of tests (as appropriate).
    - # of improvements based on tests.
    - Levels of confidence in the recovery plan.
- 4 Advanced
  - Practice
    - Assess and implement a training plan for stewardship roles.
  - Outcome
    - Data and information stewardship roles exist and receive advanced training to provide a competent service.
  - Metrics
    - # of systems with access controls.
    - # of people to whom security training is provided.
    - % of people in data stewardship roles whose identified training needs are met.
  - Practice
    - Involve data and information stakeholders in risk assessments specific to their data and information.
  - Outcome
    - Security is applied based on valid business risk assessments.
  - Metrics
    - % of relevant stakeholders involved in risk assessments.
    - % of systems with virus and firewall protection.
    - % of network devices with managed firewalls.
    - # of security logs maintained and managed.
  - Practice
    - Define permissions and roles that are supported by the data and information architecture.
  - Outcomes
    - Appropriate levels of security can be applied based on the classifications for data and information.
    - A security architecture view of the organization exists.
  - Metrics
    - # of systems with access controls.
    - # of policy breaches.
    - # of security incidents by severity.
    - # of systems with outstanding security patch needs.
    - # of work devices with outstanding security patch needs.
  - Practice
    - Test and monitor data and information security implementation.
  - Outcome
    - Data and information are accessed, used, and maintained by authorized applications only.
  - Metrics
    - # of policy breaches.
    - # of security incidents by severity.
    - # of systems with outstanding security patch needs.
    - # of work devices with outstanding security patch needs.
    - # of security test failures.
  - Practice
    - Test the recovery plan regularly.
  - Outcome
    - The organization has confidence that appropriate levels of security are applied effectively.
  - Metrics
    - Frequency of tests (as appropriate).
    - # of improvements based on tests.
    - Levels of confidence in the recovery plan.
- 5 Optimized
  - Practice
    - Plan security across the business ecosystem.
  - Outcome
    - The sensitivity and security requirements for different data and information are widely understood.
  - Metrics
    - % of systems with virus and firewall protection.
    - % of network devices with managed firewalls.
    - # of security logs maintained and managed.
    - # of policy breaches.
  - Practice
    - Enable security at the required granularity in systems, solutions design, and architecture.
  - Outcomes
    - Data and information security can be managed and applied effectively and efficiently.
    - A security architecture view of the organization exists.
  - Metrics
    - % of systems with virus and firewall protection.
    - % of network devices with managed firewalls.
    - # of security logs maintained and managed.
    - # of policy breaches.
  - Practice
    - Adjust security requirements based on changing data and information value or in response to events or changing situational awareness.
  - Outcome
    - Applied controls are appropriate to specific data and information.
  - Metrics
    - # of security incidents by severity.
    - # of systems with outstanding security patch needs.
    - # of network devices with outstanding security patch needs.
    - # of security test failures.
  - Practice
    - Review and improve data and information security regularly.
  - Outcome
    - Data security is optimized and appropriate to specific data and information types.
  - Metrics
    - # of security incidents by severity.
    - # of systems with outstanding security patch needs.
    - # of network devices with outstanding security patch needs.
    - # of security test failures.