Phase III: Profile For Success

Finally, the framework profile is a scorecard for evaluating the state of play. It allows a firm to benchmark its present state against its “target profile.” The target profile describes what the firm plans to do to strengthen its information security practices, technical and operational infrastructure, and physical environment. Based on considerations such as whether there are multiple layers of control at every level, where the biggest vulnerabilities lie and which residual risks may be overlooked, the profiles become points on a timeline against which progress can be measured over the lifetime of the plan.

Implement And Document

The completed framework profile and target profile put a firm in a position to create an action plan. Allowing for incremental improvement, the plan should include training activities, implementation of new controls and processes for ongoing monitoring, testing and self-auditing.