Information Security Strategy
Develop an information security strategic plan to define how the organization's information security objectives can be achieved, and put the plan into operation.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Information Security Strategy at each level of maturity.
- 2 Basic
  - Practice
    - Develop a basic information security strategic plan that focuses on sensitive data and information and on establishing a set of perimeter barriers, and that begins to consider business/IT strategies and risk appetite.
  - Outcome
    - There is a foundation and initial direction for security activities.
  - Metric
    - Existence of an information security strategic plan that reflects business and IT strategies and risk appetite.
- 3 Intermediate
  - Practices
    - Collaboratively develop an information security strategic plan that meets industry norms, and regularly align it with strategic priorities and risk appetite.
    - Include in the plan perimeter defences; security for accessing, using, transmitting, storing, and processing data and information; and some monitoring, defence-in-depth concepts, and real-time intrusion detection.
  - Outcome
    - IT security measures can match key strategic priorities and risk appetite.
  - Metric
    - % of employees aware of and using the information security strategy.
- 4 Advanced
  - Practice
    - Regularly update the information security strategic plan in line with changes in the organization's overall strategic priorities and risk appetite, regulatory instruments, standards, tools, and security technologies.
  - Outcomes
    - IT security measures can match the organization's overall strategic priorities and risk appetite, and changes in the external environment.
    - There is confidence that security can respond to changing risks and threats, can meet business requirements, and is neither excessive nor inadequate.
  - Metrics
    - # of revisions to the information security strategic plan per time period.
    - % of employees aware of and using the information security strategy.
- 5 Optimized
  - Practice
    - Continually review the information security strategic plan for proficiency across the whole business ecosystem, and refine it to reflect the latest (including draft or proposed) security-related regulatory instruments, standards, tools, security technologies, and emerging research concepts.
  - Outcome
    - IT security measures are perceived as industry exemplars.
  - Metrics
    - # of revisions to the information security strategic plan per time period.
    - % of employees aware of and using the information security strategy.