In a previous post, I wrote about my key take-aways from Verizon's 2019 Payment Security Report. While it's no surprise that it was full of interesting and useful data (Verizon's yearly Data Breach Investigations Report (DBIR) has become required reading), I was delighted to find an excellent guide to the 9-5-4 model, a means by which an organization can measure and improve its data protection program. The guide also details ways in which a company can measure the maturity of that program. What I appreciated most about this guidance is that it is broadly applicable: it works as well for a data protection compliance program as for any other program you may want to measure. The working details will differ, but the concepts are extremely flexible.

The 9-5-4 model is simple and easily applied: nine (9) factors of effective data protection controls, five (5) constraints, and four (4) lines of assurance. Each factor is assessed against each constraint, for each line of assurance. This forms a handy matrix and a quick visual guide to which factors are healthy, which need help, and what kind of help they need. The lines of assurance pinpoint where that help should be applied.

The 9 Factors of the 9-5-4 Model

  1. Control environment
    The sustainability and effectiveness of controls depend on a healthy control environment.
  2. Control design
    Proper control operation to meet security control objectives depends on sound control design.
  3. Control risk
    Without ongoing maintenance (security testing, risk management, etc.), controls can degrade over time and eventually break down. Mitigating control failures requires integrated management of control risk.
  4. Control robustness
    Controls operate in dynamic business and ever-changing threat environments. They must be robust enough to resist unwanted change in order to remain functional and perform to specifications (config standards,