IVI Framework Viewer

Risk, Security, and Access Rights Management

C1

Establish and communicate personal data risk criteria, security criteria, and access rights controls (based on the life cycle state).

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Risk, Security, and Access Rights Management at each level of maturity.

2 Basic
  • Practice
    Define a basic approach to identify and assess personal data threats, vulnerabilities, and risks.
    Outcome
    High-impact personal data threats, vulnerabilities, and risks are identified and managed.
    Metrics
    • # of data protection threats, vulnerabilities, and risks identified.
    • % of risks treated to within acceptable levels.
  • Practice
    Establish some role-based access management controls.
    Outcome
    Basic access right controls are appropriate to established data security classification levels.
    Metrics
    • % of account types that are linked to the highest security level data accessible from the account.
    • % of data views that are linked to the highest level data security classification exposed via the view.
  • Practice
    Establish closed/restricted access system approaches in a small number of business units/functions.
    Outcome
    Personal data security practices are beginning to be considered.
    Metrics
    • # of personal data security criteria identified.
    • % of employees aware of personal data security criteria and associated security practices.
  • Practice
    Include checks in user acceptance tests to validate that the appropriate personal data security criteria are implemented in delivered solutions.
    Outcome
    There is emerging visibility of the extent to which personal data security criteria are considered in delivered solutions.
    Metric
    % of delivered solutions that have personal data security criteria implemented.
3 Intermediate
  • Practice
    Establish a formal approach to manage personal data threats, vulnerabilities, and risks, and implement it across most areas of the business.
    Outcome
    Personal data threats, vulnerabilities, and risks are consistently identified, assessed, and managed across most areas of the business.
    Metrics
    • # of data protection threats, vulnerabilities, and risks identified.
    • % of risks treated to within acceptable levels.
  • Practice
    Define all relevant role-based access rights, and record and log their use in most instances.
    Outcomes
    • Access to personal data is based on a 'need to know for a specified purpose' basis.
    • Formal authorization processes and logging of access rights ensure they are effectively adhered to in most instances.
    Metrics
    • % of account types that are linked to the highest security level data accessible from the account.
    • % of data views that are linked to the highest level data security classification exposed via the view.
  • Practice
    Across most areas of the business, use privacy impact assessments and personal data risk analysis to support identification of personal data security criteria.
    Outcome
    Personal data security practices are agreed and implemented in most areas of the business.
    Metrics
    • # of personal data security criteria identified.
    • % of employees aware of personal data security criteria and associated security practices.
  • Practice
    Conduct inspections across most areas of the business for solutions architecture, design, development, and testing to validate that the appropriate personal data security criteria are implemented in delivered solutions.
    Outcome
    Personal data security criteria are typically implemented in most delivered solutions.
    Metric
    % of delivered solutions that have personal data security criteria implemented.
4 Advanced
  • Practice
    Implement the approach to manage personal data threats, vulnerabilities, and risks across the entire organization.
    Outcome
    Personal data threats, vulnerabilities, and risks are identified, assessed, and managed organization-wide.
    Metrics
    • # of data protection threats, vulnerabilities, and risks identified.
    • % of risks treated to within acceptable levels.
  • Practice
    Record and log use of role-based access rights in all instances.
    Outcome
    Auditable access rights, based on a 'need to know for a specified purpose', are consistently implemented organization-wide.
    Metrics
    • % of account types that are linked to the highest security level data accessible from the account.
    • % of data views that are linked to the highest level data security classification exposed via the view.
  • Practices
    • Identify personal data security criteria across the entire organization.
    • Refine and improve security metadata to enhance the processing of business systems.
    Outcomes
    • Personal data security practices are agreed and implemented organization-wide.
    • Personal data security is proficiently managed.
    Metrics
    • # of personal data security criteria identified.
    • % of employees aware of personal data security criteria and associated security practices.
  • Practice
    Use regression and other automated test approaches to validate that the appropriate personal data security criteria are implemented in delivered solutions across the organization.
    Outcome
    Personal data security criteria are effectively implemented in all delivered solutions across the organization.
    Metric
    % of delivered solutions that have personal data security criteria implemented.
5 Optimized
  • Practice
    Extend the approach to manage personal data threats, vulnerabilities, and risks to relevant business ecosystem partners.
    Outcome
    Personal data threats, vulnerabilities, and risks are identified, assessed, and managed with relevant business ecosystem partners.
    Metrics
    • # of data protection threats, vulnerabilities, and risks identified.
    • % of business ecosystem partners continually monitored for vulnerabilities.
    • % of risks treated to within acceptable levels.
  • Practice
    Continually improve access rights management processes, ensuring access rights are responsive to changing conditions.
    Outcome
    Auditable access rights are sufficiently dynamic and flexible to respond to business or personnel changes.
    Metric
    # of access rights that automatically change due to updates to personal data classifications.
  • Practice
    Continually review and improve personal data security criteria.
    Outcome
    Personal data security criteria are leading edge, based, for example, on the latest research and emerging best practice.
    Metrics
    • Frequency of review and update to personal data security criteria.
    • # of best practice security standards with which the organization is compliant.
  • Practice
    Use state of the art requirements traceability measures to demonstrate that the appropriate personal data security criteria are implemented in delivered solutions across the business ecosystem.
    Outcome
    Personal data security criteria are effectively implemented in all delivered solutions across the business ecosystem.
    Metric
    % of delivered solutions that have personal data security criteria implemented.