IVI Framework Viewer

Information Security Principles, Policies, and Controls

A1

Define the principles that underpin the organization's approach to information security management. Define the information security policies and controls to be put in place, taking into account relevant information security standards, legislative and regulatory compliance requirements, contractual obligations, information security objectives, and incident reports.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Information Security Principles, Policies, and Controls at each level of maturity.

Level 2: Basic
  • Practice
    Define information security principles and develop basic information security policies for designated sensitive data and information, based on reviews of mandatory standards.
    Outcome
    The principles and basic policies provide the foundation for establishing controls that relate to business requirements and that enable basic protection of sensitive data and information.
    Metrics
    • # of policies and standards in existence.
    • # of policies and standards mapped to business requirements.
  • Practice
Begin conducting some audits of compliance with the information security policies.
    Outcome
    Some non-compliance issues begin to surface.
    Metrics
    • # of audit findings related to non-adherence to policies.
    • % of stakeholders adhering to policies.
  • Practice
    Establish controls around sensitive projects and data and information areas (e.g. HR, payroll, and product development) to align with the most important aspects of the information security policies.
    Outcome
    Basic protection of data and information is emerging in alignment with the most important aspects of the information security policies.
    Metric
# of controls that reflect the policies.
Level 3: Intermediate
  • Practice
    Define information security principles and develop standardized policies (e.g. covering assets, processes, people, and all aspects of the information life cycle), based on review of most of the relevant standards and all legislative and regulatory compliance requirements.
    Outcome
    There are clear and consistent principles and policies in place that reflect most of the relevant standards and all compliance requirements, and they can be applied to protect most data and information effectively.
    Metric
    # of policies and standards mapped to business requirements.
  • Practice
    Define a consistent process for auditing compliance with the information security policies, and partially automate the process for analysing audit logs.
    Outcome
    Key issues of non-compliance are evident, and steps can be taken to rectify them.
    Metrics
    • # of audit findings related to non-adherence to policies.
    • % of stakeholders adhering to policies.
  • Practice
    Establish standard controls for accessing, using, transmitting, storing, and processing data and information to align with all key aspects of the information security policies, and establish a process that enables the effective logging of most control violations.
    Outcomes
    • The controls enable the protection of data and information when being accessed, used, transmitted, stored, or processed, in alignment with all key aspects of the information security policies.
    • Most control violations can be detected and addressed.
    Metrics
• # of controls that reflect the policies.
    • # of control violations logged.
    • % of logged control violations that are effectively addressed.
Level 4: Advanced
  • Practice
    Ensure all information security principles and policies are compliant in multiple jurisdictions and are regularly informed by all of the latest standards, legislative and regulatory compliance requirements, contractual obligations, information security objectives, incident reports, and information security risk assessments across the entire organization.
    Outcome
    There is confidence that the principles and policies are comprehensive, relevant, and reflect all up-to-date standards and compliance requirements, and that they can be applied to protect all data and information in multiple jurisdictions effectively.
    Metric
    # of policies and standards mapped to business requirements.
  • Practice
    Regularly audit compliance with the information security policies across the organization, and automate most aspects of the process for analysing audit logs.
    Outcome
    There is organization-wide confidence that policies are being adhered to, and that any issues of non-compliance are effectively rectified.
    Metrics
    • # of audit findings related to non-adherence to policies.
    • % of stakeholders adhering to policies.
  • Practice
    Enable the controls to be configured on or off based on the data classifications and the relevant risk conditions, and log all control violations.
    Outcomes
    • The established controls are advanced, effective, and efficient, and support full compliance with the information security policies.
    • All control violations can be detected and addressed.
    Metrics
    • # of controls that reflect the policies.
    • # of control violations logged.
    • % of logged control violations that are effectively addressed.
Level 5: Optimized
  • Practices
    • Continually review the information security principles, policies, and standards for their effectiveness across the entire business ecosystem and their compliance across all relevant jurisdictions.
    • Revise them, as appropriate, to reflect leading insights from the latest research and vendor recommendations, and also to reflect legislative changes.
    Outcome
    The principles, policies, and standards are exemplary and kept relevant to the changing organization and business ecosystem context; this ensures optimized protection of data and information across all relevant jurisdictions.
    Metrics
    • Frequency of review cycle.
    • # of policy revisions per time period.
    • # of policies and standards mapped to business requirements.
  • Practice
    Review and improve as appropriate the policy compliance audit process.
    Outcome
    The compliance audit process is kept effective and relevant.
    Metrics
    • Frequency of review cycle.
    • # of audit findings related to non-adherence to policies.
    • % of stakeholders adhering to policies.
  • Practice
    Continually refine the established controls based on research and risk analysis insights, and enable them to be dynamically adjusted based on the data classifications, perceived user risk, and the network and devices in use.
    Outcomes
    • The controls remain relevant and effective.
    • Few control violations are experienced because the latest real-time controls are in place.
    Metrics
    • # of controls that reflect the policies.
    • # of control revisions per time period.
    • # of control violations logged.
    • % of logged control violations that are effectively addressed.