MYOBI uses a model to express levels of maturity, taking the DNB maturity model as its reference. This is a general model in the financial world; it lets an organization set its own ambition level, measure what it has realized, and gain clarity about the level of the other MYOBI members. MYOBI applies this model to determine the maturity level per management objective, based on the level of the underlying controls.
The maturity level makes a statement about the effective operation of the control measures.
The data protection and information security baselines are built up from management objectives. For each management objective it is determined which control measures are effective, and that determines the maturity level for that objective. The method for determining the "overall" maturity level per baseline, and the "overall" level across both baselines, is prescribed.
The model describes situations that may arise with Users. The higher maturity levels in this model build on the lower ones.
Level 1, initial
The control measures have been (partly) defined, but are implemented in an inconsistent manner. There is a great dependence on individuals in the implementation of the control measures.
- No or limited control measures implemented;
- Not performed, or performed ad hoc;
- Not / partly documented; and
- Method of implementation depending on individual (not standardized).
Level 2, repeatable but informal
Controls are in place and are performed in a consistent and structured but informal manner.
- The implementation of the control measures is based on an informal but standardized working method. This working method is not fully documented.
Level 3, defined
The design of the control measures is documented and implemented in a structured and formalized manner. The required effectiveness of the control measures can be demonstrated and is tested.
- The control measures are defined based on a risk assessment;
- Documented and formalized;
- Responsibilities and tasks are clearly assigned;
- Design, existence and effective operation are demonstrable;
- Effective operation of control measures is periodically tested;
- The assessment is risk-based and shows that the control measure is effective over a longer period (> 6 months).
Level 4, controlled and measurable
The effectiveness of the control measures is periodically evaluated. Where necessary, controls are improved or replaced by other controls. The evaluation is recorded.
Level 3 criteria plus the following:
- Periodic (control) evaluation and follow-up takes place;
- Evaluation is documented;
- Tasks and responsibilities for evaluation have been formalized;
- Evaluation frequency is based on the institution's risk profile and is at least annual;
- (Operational) incidents are included in the evaluation; and
- The results of the evaluation are reported to management.
Level 5, Continuous improvement
The control measures are anchored in the integral risk management framework, with continuous efforts to improve the effectiveness of the measures. External data and benchmarking are used for this. Employees are proactively involved in improving control measures.
Level 4 criteria plus the following:
- Continuous evaluation of controls in order to continuously improve their effectiveness;
- Using results from self-assessments, gap analyses and root cause analyses; and
- The control measures taken are benchmarked against external data and are "Best Practice" compared to other organizations.
Organizations that are serious about their accountability may have reached different levels of maturity in controlling their obligations when they apply for the Accountability Seal.