Risk, Security, and Access Rights Management
Establish and communicate personal data risk criteria, security criteria, and access rights controls (based on the life cycle state).
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Risk, Security, and Access Rights Management at each level of maturity.
- Level 2: Basic
  - Practice
    - Define a basic approach to identify and assess personal data threats, vulnerabilities, and risks.
  - Outcome
    - High-impact personal data threats, vulnerabilities, and risks are identified and managed.
  - Metrics
    - # of data protection threats, vulnerabilities, and risks identified.
    - % of risks treated to within acceptable levels.
  - Practice
    - Establish some role-based access management controls.
  - Outcome
    - Basic access right controls are appropriate to established data security classification levels.
  - Metrics
    - % of account types that are linked to the highest security level data accessible from the account.
    - % of data views that are linked to the highest level data security classification exposed via the view.
  - Practice
    - Establish closed/restricted access system approaches in a small number of business units/functions.
  - Outcome
    - Personal data security practices are beginning to be considered.
  - Metrics
    - # of personal data security criteria identified.
    - % of employees aware of personal data security criteria and associated security practices.
  - Practice
    - Include checks in user acceptance tests to validate that the appropriate personal data security criteria are implemented in delivered solutions.
  - Outcome
    - There is emerging visibility of the extent to which personal data security criteria are considered in delivered solutions.
  - Metric
    - % of delivered solutions that have personal data security criteria implemented.
- Level 3: Intermediate
  - Practice
    - Establish a formal approach to manage personal data threats, vulnerabilities, and risks, and implement it across most areas of the business.
  - Outcome
    - Personal data threats, vulnerabilities, and risks are consistently identified, assessed, and managed across most areas of the business.
  - Metrics
    - # of data protection threats, vulnerabilities, and risks identified.
    - % of risks treated to within acceptable levels.
  - Practice
    - Define all relevant role-based access rights, and record and log their use in most instances.
  - Outcomes
    - Access to personal data is granted on a 'need to know for a specified purpose' basis.
    - Formal authorization processes and logging of access rights ensure they are effectively adhered to in most instances.
  - Metrics
    - % of account types that are linked to the highest security level data accessible from the account.
    - % of data views that are linked to the highest level data security classification exposed via the view.
  - Practice
    - Across most areas of the business, use privacy impact assessments and personal data risk analysis to support identification of personal data security criteria.
  - Outcome
    - Personal data security practices are agreed and implemented in most areas of the business.
  - Metrics
    - # of personal data security criteria identified.
    - % of employees aware of personal data security criteria and associated security practices.
  - Practice
    - Conduct inspections across most areas of the business for solutions architecture, design, development, and testing to validate that the appropriate personal data security criteria are implemented in delivered solutions.
  - Outcome
    - Personal data security criteria are typically implemented in most delivered solutions.
  - Metric
    - % of delivered solutions that have personal data security criteria implemented.
- Level 4: Advanced
  - Practice
    - Implement the approach to manage personal data threats, vulnerabilities, and risks across the entire organization.
  - Outcome
    - Personal data threats, vulnerabilities, and risks are identified, assessed, and managed organization-wide.
  - Metrics
    - # of data protection threats, vulnerabilities, and risks identified.
    - % of risks treated to within acceptable levels.
  - Practice
    - Record and log use of role-based access rights in all instances.
  - Outcome
    - Auditable access rights, based on a 'need to know for a specified purpose', are consistently implemented organization-wide.
  - Metrics
    - % of account types that are linked to the highest security level data accessible from the account.
    - % of data views that are linked to the highest level data security classification exposed via the view.
  - Practices
    - Identify personal data security criteria across the entire organization.
    - Refine and improve security metadata to enhance the processing of business systems.
  - Outcomes
    - Personal data security practices are agreed and implemented organization-wide.
    - Personal data security is proficiently managed.
  - Metrics
    - # of personal data security criteria identified.
    - % of employees aware of personal data security criteria and associated security practices.
  - Practice
    - Use regression and other automated test approaches to validate that the appropriate personal data security criteria are implemented in delivered solutions across the organization.
  - Outcome
    - Personal data security criteria are effectively implemented in all delivered solutions across the organization.
  - Metric
    - % of delivered solutions that have personal data security criteria implemented.
- Level 5: Optimized
  - Practice
    - Extend the approach to manage personal data threats, vulnerabilities, and risks to relevant business ecosystem partners.
  - Outcome
    - Personal data threats, vulnerabilities, and risks are identified, assessed, and managed with relevant business ecosystem partners.
  - Metrics
    - # of data protection threats, vulnerabilities, and risks identified.
    - % of business ecosystem partners continually monitored for vulnerabilities.
    - % of risks treated to within acceptable levels.
  - Practice
    - Continually improve access rights management processes, ensuring access rights are responsive to changing conditions.
  - Outcome
    - Auditable access rights are sufficiently dynamic and flexible to respond to business or personnel changes.
  - Metric
    - # of access rights that automatically change due to updates to personal data classifications.
  - Practice
    - Continually review and improve personal data security criteria.
  - Outcome
    - Personal data security criteria are leading-edge, based for example on the latest research and emerging best practice.
  - Metrics
    - Frequency of review and update to personal data security criteria.
    - # of best practice security standards with which the organization is compliant.
  - Practice
    - Use state-of-the-art requirements traceability measures to demonstrate that the appropriate personal data security criteria are implemented in delivered solutions across the business ecosystem.
  - Outcome
    - Personal data security criteria are effectively implemented in all delivered solutions across the business ecosystem.
  - Metric
    - % of delivered solutions that have personal data security criteria implemented.