Developing a Data Protection Compliance Program – Verizon’s 9-5-4 Model

In a previous post, I wrote about my key take-aways from Verizon’s 2019 Payment Security Report. While it’s no surprise it was full of interesting and useful data (Verizon’s yearly Data Breach Investigation Report (DBIR) has become required reading), I was delighted to find an excellent guide on the 9-5-4 model, a means by which an organization can measure and improve its data protection program. It also details ways in which a company can measure the maturity of the program. What I appreciated most about this guidance was that it is broadly applicable. It works well with a data protection compliance program as well as with any program you may want to measure. The working details will be different, but the concepts are extremely flexible.

The 9-5-4 model is very simple and easily applied: nine (9) factors of effective data protection controls, five (5) constraints, and four (4) lines of assurance. The factors are assessed against the constraints for each line of assurance. This forms a handy matrix and a quick visual guide for which factors are healthy, which are in need of help, and what kind of help they need. The lines of assurance pinpoint where that help should be applied.

The 9 Factors of the 9-5-4 Model

Control environment: The sustainability and effectiveness of controls depend on a healthy control environment.

Control design: Proper control operation to meet security control objectives depends on sound control design.

Control risk: Without on-going maintenance (security testing, risk management, etc.), controls can degrade over time and eventually break down. Mitigation of control failures requires integr ..
