IVI Framework Viewer

Culture and Stakeholder Management

A6

Establish an information security management aware culture. Motivate stakeholders, secure their support for key information security management initiatives, and create a shared understanding of how they can help ensure that information security management objectives are met.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Culture and Stakeholder Management at each level of maturity.

2 Basic
  • Practice
    Begin to raise awareness of how information security activities contribute to the organization's strategic objectives, and begin to offer incentives/rewards for achievement of those objectives.
    Outcome
    There is emerging visibility of how information security activities are linked to the achievement of strategic objectives.
    Metrics
    • % of IT employees with awareness of how information security contributes to strategic objectives.
    • % of business unit employees with awareness of how information security contributes to strategic objectives.
    • % of IT employees receiving incentives/rewards.
    • % of business unit employees receiving incentives/rewards.
  • Practice
    Begin to provide and make visible senior management support for a number of key information security activities.
    Outcome
    Stakeholder buy-in and ownership of information security activities are emerging as a result of visible managerial sponsorship.
    Metrics
    • % of senior IT management who sponsor information security initiatives.
    • % of senior business unit management who sponsor information security initiatives.
    • % of information security initiatives with adequate sponsorship.
  • Practice
    Establish a basic approach for communicating the most significant information security topics to stakeholders.
    Outcome
    Employees begin to understand key issues pertaining to information security and can discuss their potential impacts.
    Metrics
    • Frequency of information security communications.
    • % of employees receiving communications.
3 Intermediate
  • Practice
    Promote a common understanding of how information security activities contribute to the achievement of strategic objectives, and incentivize appropriate behaviours — e.g. encourage adherence to clean desk policies, locking of secure locations, use of screen locks on PCs, and regularly changing and not sharing passwords.
    Outcomes
    • Awareness of the importance of information security and of acceptable behaviours grows among individual employees.
    • Most employees understand how their behaviours and day-to-day activities can enhance or invalidate security efforts.
    • Many employees are better motivated to support the realization of objectives.
    Metrics
    • % of IT employees with awareness of how information security contributes to strategic objectives.
    • % of business unit employees with awareness of how information security contributes to strategic objectives.
    • % of IT employees receiving incentives/rewards.
    • % of business unit employees receiving incentives/rewards.
  • Practice
    Provide senior management sponsorship for most information security activities, and report to the board on progress.
    Outcomes
    • Fundamental sponsorship requirements for information security are in place.
    • Many employees demonstrate strong buy-in, ownership, and commitment to information security activities, and are motivated to contribute to them.
    Metrics
    • % of senior IT management who sponsor information security initiatives.
    • % of senior business unit management who sponsor information security initiatives.
    • % of information security initiatives with adequate sponsorship.
  • Practice
    Standardize the approach that is used for regularly and consistently communicating key information security topics to most stakeholders, and tailor the communications to their needs and interests.
    Outcome
    Visibility and awareness of information security issues and their impacts are improved.
    Metrics
    • Frequency of information security communications.
    • % of employees receiving communications.
4 Advanced
  • Practice
    Incentivize all relevant employees across the organization to maintain security levels consistently and to handle correctly calls, emails, and other communications that attempt to solicit security-sensitive information (i.e. social-engineering attempts).
    Outcomes
    • Employee behaviours reflect a strong information security aware culture.
    • Employees across the organization are fully aware of the importance of information security and are strongly committed to working together to ensure security measures are effective.
    Metrics
    • % of IT employees with awareness of how information security contributes to strategic objectives.
    • % of business unit employees with awareness of how information security contributes to strategic objectives.
    • % of IT employees receiving incentives/rewards.
    • % of business unit employees receiving incentives/rewards.
  • Practices
    • Provide senior management sponsorship for all information security activities.
    • Ensure senior management has an approved dedicated security budget and resources, and advocate for inclusion of security matters in annual reports.
    Outcomes
    • Employees across the organization demonstrate strong buy-in, ownership, and commitment to information security activities.
    • The activities are universally recognized as underpinning the success of broader organization-wide activities.
    Metrics
    • Existence of dedicated security budget and resources.
    • % of senior IT management who sponsor information security initiatives.
    • % of senior business unit management who sponsor information security initiatives.
    • % of information security initiatives with adequate sponsorship.
    • % of information security actions included in annual reports.
  • Practice
    Proactively communicate information security topics in a tailored manner to all relevant stakeholders across the organization.
    Outcomes
    • Communication is in the context and language of the stakeholder.
    • Broader visibility, awareness, and credibility of information security issues are fostered, generating higher levels of interest for engaging in future activities.
    Metrics
    • Frequency of information security communications.
    • % of employees receiving communications.
5 Optimized
  • Practice
    Incentivize all relevant employees to continually keep abreast of evolving security threats and other relevant trends in the security landscape.
    Outcomes
    • Information security activities are regarded as being part of everyone's job.
    • Employees are enabled to continually detect security anomalies, and quickly and safely raise alarms or invoke appropriate security responses.
    Metrics
    • % of IT employees with awareness of how information security contributes to strategic objectives.
    • % of business unit employees with awareness of how information security contributes to strategic objectives.
    • % of IT employees receiving incentives/rewards.
    • % of business unit employees receiving incentives/rewards.
  • Practices
    • Encourage formal sponsors to continually review the information security initiatives for further improvement opportunities and report their status to the board.
    • Always include information security actions in the annual reports.
    Outcome
    Senior management, board members, and employees are fully committed to optimizing information security activities.
    Metrics
    • Frequency of review cycle.
    • % of information security actions included in annual reports.
  • Practice
    Extend communication of information security topics to the wider business ecosystem where relevant, and review the communication approach for improvement opportunities.
    Outcome
    The communications can be framed with discrete audiences in mind, down to the level of key individuals where appropriate.
    Metrics
    • Frequency of information security communications.
    • % of employees receiving communications.
    • % of business ecosystem partners receiving communications.