Training & Awareness
Asset Management
Information Classification
100

Awareness activities exist and at least one cyber security training is conducted in the onboarding process. Trainings are conducted inconsistently and communication emails are not sent regularly to promote cybersecurity awareness.

Training and awareness has an "initial" maturity level.

100

The asset inventory is integrated with a SIEM solution where changes are logged and monitored. The asset management process is updated based on the effectiveness of the process.


Asset management has an "optimized" maturity level.

100

Data owners maintain a list of sensitive data within their business area. A formal data classification schema is defined and implementation of procedures to classify, inventory and manage data is consistent across the organization.

Information classification has a "defined" maturity level.

200

The application of trainings is actively evaluated by professionals on a daily basis. Training participation is monitored using automated tools and the effectiveness of the program is measured through KPIs and KRIs.

Training and awareness has a "quantitatively managed" maturity level.

200

Automated tools are enabled for the tracking, updating, prioritizing, and reporting of the asset inventory. The asset inventory is reviewed and updated at least annually.

KPIs are defined to monitor the asset management process. 

Asset management has a "quantitatively managed" maturity level.

200

Users are aware of the classification levels of sensitive data assets within their business area. Data owners have defined responsibilities to classify data based on criticality.

Information classification has a "managed" maturity level.

300

Customized training and awareness programs are developed and rolled out based on any new threats and are updated based on results from previous assessments.

Training and awareness has an "optimized" maturity level.

300

A centralized inventory for software and hardware devices exists, where appropriate details such as the asset owner and the asset criticality are captured.

Asset management has a "defined" maturity level.

300

There is minimal awareness of the types of sensitive data and where they reside. Users apply appropriate data classification in at least some parts of the organization.

Information classification has an "initial" maturity level.

400

Regular generic trainings are conducted on a yearly basis and include an overview of the cyber policies and procedures. Periodic awareness emails are sent.

Training and awareness has a "repeatable" maturity level.

400

An IT list of assets is formally maintained in some parts of the organization where accountability for maintaining the list is assigned. Each asset has a defined owner.

Asset management has a "managed" maturity level.

400

Data owners maintain a list of sensitive data for the enterprise, which is reviewed and approved annually by business area representatives. Compliance with data classification policy and scheme is measured.

Information classification has a "quantitatively managed" maturity level.

500

Trainings are conducted following an approved training & awareness plan and schedule.

Training and awareness has a "defined" maturity level.

500

An IT list of assets is maintained in at least some parts of an organization, with limited assigned ownership.


Asset management has an "initial" maturity level.

500

Data classification schema and handling procedures are reviewed and updated based on effectiveness of the process and threats. Data classification tools are used to classify structured and unstructured data.

Information classification has an "optimized" maturity level.
