Training and awareness has an "adhoc" maturity level
Awareness activities exist and at least one cyber security training is conducted in the onboarding process. Trainings are conducted inconsistently, and communication emails are not sent regularly to promote cybersecurity awareness.
Asset management has an "adhoc" maturity level
An IT list of assets is maintained in at least some parts of the organization, with limited assigned ownership.
Information classification has an "adhoc" maturity level
There is minimal awareness about the types of sensitive data and where they reside. Users apply appropriate data classification in at least some parts of the organization.
Training and awareness has a "repeatable" maturity level
Regular generic trainings are conducted on a yearly basis on cyber risk and include an overview of the cyber policies and procedures. Periodic awareness emails are sent.
Asset management has a "repeatable" maturity level
An IT list of assets is formally maintained in some parts of the organization where accountability for maintaining the list is assigned. Each asset has a defined owner.
Information classification has a "repeatable" maturity level
Users are aware of the classification levels of sensitive data assets within their business area. Data owners have defined responsibilities to classify data based on criticality.
Training and awareness has a "defined" maturity level
Trainings that are conducted are properly defined and follow an approved schedule and training & awareness plan.
Asset management has a "defined" maturity level
A centralized inventory for software and hardware devices exists, where appropriate details such as the asset owner and the asset criticality are captured. Asset ownership changes are tracked and monitored through change management processes.
Information classification has a "defined" maturity level
Data owners maintain a list of sensitive data within their business area. A formal data classification schema is defined, and the implementation of procedures to classify, inventory and manage data is consistent across the organization.
Training and awareness has a "managed" maturity level
The application of trainings is actively evaluated by professionals on a daily basis. Training participation is monitored using automated tools and the effectiveness of the program is measured through KPIs and KRIs.
Asset management has a "managed" maturity level
Automated tools are enabled for the tracking, updating, prioritizing, and reporting of the asset inventory. The asset inventory is reviewed and updated at least annually.
Information classification has a "managed" maturity level
Data owners maintain a list of sensitive data for the enterprise, which is reviewed and approved annually by business area representatives. Compliance with data classification policy and scheme is measured.
Training and awareness has an "optimized" maturity level
Customized training and awareness programs are developed and rolled out based on any new threats and are updated based on annual risk assessment and inputs from leadership.
Asset management has an "optimized" maturity level
The asset inventory is integrated with a SIEM and cyber threat intelligence capabilities.
Information classification has an "optimized" maturity level
Data classification schema and handling procedures are reviewed and updated based on threats. Data classification tools are used to classify structured and unstructured data.