EY Global Information Security Survey 2017 (Appendix)

Areas in scope for domain

Architecture
This domain reconciles business requirements with solutions, including component selection and implementation, to provide a coherent framework for identifying security needs in an organization, and putting systems and processes in place to meet those needs.

In a mature organization, the architecture function is used to manage the information security solutions and technologies that promote interoperability and manageability while meeting the organization’s risk management needs. The architecture may include a core set of design principles that support the information security program goals. The technology components of architecture typically include network, host, application and data. Architecture processes in an organization include governance and standards functions.

Asset management

IT asset management (ITM) encompasses the infrastructure and processes necessary for the effective management, control and protection of the hardware and software assets within an organization, throughout all stages of their lifecycle.

Awareness

The scope for a security awareness program consists of all staff within an organization, including self-employed staff, contractors and third party service providers. Special attention is given to employees with security responsibilities, for example developers, service desk personnel, control room personnel, physical security guards, receptionists, information security and IT security staff, and management.

Security awareness is typically a program with a long-term shift and direction following a wave pattern: on a regular basis new trainings and campaigns are launched, as people typically require repetition to learn.

It is important to protect information throughout its lifecycle: creation, distribution, storage, usage, and destruction should receive equal attention.

Business continuity management

This domain covers business continuity and disaster recovery concepts such as senior management support for BCM, adequate skilled resources, process definition, business impact analysis, testing of plans, and metrics reporting.

Data infrastructure

Data repositories, warehouses, and systems to support a classic business intelligence function within security operations.

Data protection

EY takes a holistic view of data security. While data governance and management are foundational elements, the business is the driver for these elements. Security’s focus is on protection, and a major component of this view relates to DLP, with the program’s goal being to manage data loss risks effectively. Data includes, for example, intellectual property, customer data, transaction data, privacy data as well as client specific sensitive data.

DLP is concerned with data throughout the data lifecycle: data at rest, data in motion and data in use. DLP requires an understanding of what data you have, the value of that data, your obligations to protect that data, where the data resides, who accesses the data, where the data is going, how you protect the data, the gaps and risks in your current protection and how you respond to data leaks.

Governance and organization

This domain covers the information security program governance structure (including defined roles and responsibilities), business alignment, executive engagement and support, and monitoring and oversight of the information security function.

Host security

This domain covers the protection mechanisms and controls in place at the host level. Topics in scope for this section are:

• Anti-virus
• Full disk encryption
• Malware protection
• Hardware access control
• Patch management

Identity and access management

Identity and access management (IAM) can be described by defining its core components, identity management and access management.

Identity management refers to the processes associated with managing the entire lifecycle of digital identities and profiles for people, processes, and technology. It typically includes:

• Establishing unique identities and associated authentication credentials
• Provisioning new user accounts
• Managing identity data and credentials (e.g., self-service password reset)
• Creating workflow processes for approving account creation and modification
• Providing the ability to modify, suspend, or remove accounts
• Auditing and reporting of user identity information.

Access management refers to the processes used to control who has access to specific information assets, including:

• Providing the capability to request specific entitlements and/or roles
• Implementing workflow processes for approving the granting of entitlements and/or roles to a user
• Providing the ability to modify or remove the entitlements and/or roles assigned to a user
• Managing the association of entitlements to roles
• Associating entitlements and roles to job functions
• Providing the ability to review, remove, approve, and certify the entitlements and/or roles assigned to users
• Providing the ability to review and audit historical access
• Identifying, reporting and preventing inappropriate combinations of access.

Incident management

Incident management is defined as the formal function for reporting and responding to incidents that may adversely impact the organization’s assets, operations, reputation, financial position, intellectual capital, or confidential information. It serves as a critical component of an organization’s overall information security structure, and provides a foundation for identifying and responding to incidents in a consistent and well-organized manner.

Metrics and reporting

The metrics and reporting domain encompasses any defined, repeatable measurement activity that aids the organization in understanding the various components within its information security program, and how the program supports the business strategy. The domain includes analyzing the information security goals set by the business, and defining repeatable methods of measurement to show effectiveness, or progress in meeting those desired goals.

Dependent domain(s): All domains within the framework could have inputs into the metrics and reporting domain. A mature metrics program will inherently measure and report on strategic goals, but the inclusion of “Services” domains into the metrics program will depend on applicability to the organization.

Network security

The network security domain captures the policies, processes, tools, and technologies that are used to maintain security at the network level, and includes access management (e.g., network devices, remote access, access to logs, third-party access), vulnerability management, incident identification and notification, device configuration and patch management, and network architecture, including wireless networks.

Although there is an overlap, we have attempted to not include topics related to host security, non-network architecture, security monitoring, and threat and vulnerability management.

Operations

The Operations scope for the SPM framework is:

1. Change management
2. Configuration management
3. Communications and operations management
4. Backup
5. Physical and environment security
6. System planning and acceptance
7. Operations access control

Policy and standards framework

This domain encompasses the formal development, documentation, review, and approval of the information security policies, standards, and guidelines (PSGs) that define the information security requirements, processes and controls to be implemented for protection of an organization’s information and IT assets. This domain also includes periodic review of PSGs, lifecycle management processes, IT and business stakeholder engagement, and compliance monitoring for PSGs.

Privacy

In today’s digital world, personally identifiable information is being gathered on a vast scale, and organizations need to focus on abiding by the ever growing weight of regulation, as well as finding more and more secure ways of keeping this information safe from cyber attackers.

Security monitoring

This domain covers the capabilities to successfully capture and monitor logs from network devices, hosts, files, databases, and privileged user access, so as to identify, or be alerted to, events that require further investigation because they may be security events that need to trigger the incident response process.

Software security

Software security focuses on the development of software and information security’s role in it. This covers both internal and external software development and SDLC process and controls.

However, the process of identifying and managing vulnerabilities is managed through threat and vulnerability management (TVM).

Strategy

Strategy focuses primarily on the information security related goals for the organization, as well as how these have been defined and communicated, and how often they are reviewed. A key element of this is alignment to organizational objectives to ensure strategic priorities are met. Strategy is also inclusive of high level planning for information security, including budget.

Third-party management

The process for managing third parties, and the transfer and exchange of information/data to, or its storage by, those third parties. This domain includes contract requirements and obligations with third parties, monitoring processes, and compliance/audit checks for third parties.

Threat and vulnerability management

Threat and vulnerability management (TVM) is the programmatic approach for an organization to predict threats, identify and remediate vulnerabilities, detect and respond to attacks, and strategically develop countermeasures. Functionally, TVM should include APT, threat intelligence, vulnerability identification, remediation, detection, response, and countermeasure planning.