Title/name of metric: Coordinated Business Continuity Plans
Primary customer: Security management & executives
Information source/s: All business units or contingency planning function
How calculated: Count number of BCPs that have been signed to denote review and acceptance by the heads of all relevant business functions invoked in the plans
Frequency: Collect & report quarterly in year 1, then half-yearly in year 2, then annually (as continuity processes mature)
Rationale for measuring this: Business continuity plans for any department typically call upon other departments (e.g. IT) but coordination of plans between departments is not automatically guaranteed. This metric checks that plans have been coordinated with and accepted by all the business functions they invoke.
Relevant section/s of ISO/IEC 27002 (Main / Subsidiary): tick-box grid over 4 Risk mgmt, 5 Security policy, 6 Information security governance, 7 Asset mgmt, 8 HR, 9 Physical security, 10 Comms/Ops mgmt, 11 Access control, 12 SDLC, 13 Incident mgmt, 14 Continuity mgmt, 15 Compliance (selections not recoverable)
Nature of metric: Leading / Lagging / Semi; Soft / Hard / Semi; Objective / Subjective / Semi*; Absolute / Relative (trend) / Semi; Confidentiality / Integrity / Availability (selections not recoverable)
Alternative metrics considered: Number of BCPs successfully tested/exercised
Notes: * The metric itself is objective but the degree to which signatories review and approve the plans may vary

Title/name of metric: Personal device security
Primary customer: Security manager / committee
Information source/s: IT Help/Service Desk incident log + automated system logs (e.g. antivirus and antispyware logs)
How calculated: # of security incidents / # personal devices x 100%
Frequency: Collect daily. Report monthly or quarterly
Rationale for measuring this: Monitor security risks to personal devices (PDAs, laptops, mobile phones etc.) that often fall outside the purview of the Information Security Management System, yet carry sensitive & valuable data. Identify education/awareness targets and security issues. Ensure policy compliance.
Relevant section/s of ISO/IEC 27002 (Main / Subsidiary): tick-box grid over 4 Risk mgmt, 5 Security policy, 6 Infosec governance, 7 Asset mgmt, 8 HR, 9 Physical security, 10 Comms/Ops mgmt, 11 Access control, 12 SDLC, 13 Incident mgmt, 14 Continuity mgmt, 15 Compliance (selections not recoverable)
Nature of metric: Leading / Lagging / Semi; Soft / Hard / Semi; Objective / Subjective / Semi; Absolute / Relative (trend) / Semi; Confidentiality / Integrity / Availability (selections not recoverable)
Alternative metrics considered: Automated compliance checks using automated controls e.g. antivirus, security configuration checkers

Title/name of metric: Payroll data quality
Primary customer: Senior management team
Information source/s: Payroll database logs and system change records
How calculated: (#exceptions and corrections processed during the period LESS #legitimate data changes) / #records in the database x 100%
Frequency: Weekly collection. Quarterly reporting
Rationale for measuring this: Measures data integrity failures (completeness, accuracy, timeliness) in an important database where the consequences of data errors may be significant
Relevant section/s of ISO/IEC 27002 (Main / Subsidiary): tick-box grid over 4 Risk mgmt, 5 Security policy, 6 Infosec governance, 7 Asset mgmt, 8 HR, 9 Physical security, 10 Comms/Ops mgmt, 11 Access control, 12 SDLC, 13 Incident mgmt, 14 Continuity mgmt, 15 Compliance (selections not recoverable)
Nature of metric: Leading / Lagging / Semi; Soft / Hard / Semi; Objective / Subjective / Semi; Absolute / Relative (trend) / Semi; Confidentiality / Integrity / Availability (selections not recoverable)
Alternative metrics considered: Delayed updates to personnel records
Notes: Some payroll data changes are more significant than others but this metric simply counts the number of data corrections to assess the accuracy level. Better automated or manual data entry controls should reduce the number of errors having to be corrected. The same metric can be applied to any database, ERP or similar system, and compared between systems.

Title/name of metric: Days since a serious security incident
Primary customer: Entire workforce (security awareness)
Information source/s: IT Help/Service Desk incident logs
How calculated: #days since an information security incident judged by management to have caused "serious" business impact
Frequency: Daily collection and reporting
Rationale for measuring this: Modern analogue of the old "Days since a lost time safety incident" boards outside factories
Relevant section/s of ISO/IEC 27002 (Main / Subsidiary): tick-box grid over 4 Risk mgmt, 5 Security policy, 6 Infosec governance, 7 Asset mgmt, 8 HR, 9 Physical security, 10 Comms/Ops mgmt, 11 Access control, 12 SDLC, 13 Incident mgmt, 14 Continuity mgmt, 15 Compliance (selections not recoverable)
Nature of metric: Leading / Lagging / Semi; Soft / Hard / Semi; Objective / Subjective / Semi; Absolute / Relative (trend) / Semi; Confidentiality / Integrity / Availability (selections not recoverable)
Alternative metrics considered: "Security status" or "risk level" (both subjective assessments)
Notes: "Serious" may have to be defined formally, perhaps using example incidents or costs that would trigger a reset of the day count. The metric could be reported by business unit.

Title/name of metric: Network capacity
Primary customer: CIO
Information source/s: User activity; audit logs; #IDs; IT Help/Service Desk reports; transaction logs; previous trends; change requests; statutory obligations
How calculated: Used / Available network capacity x 100%
Frequency: Daily collection, monthly reporting
Rationale for measuring this: Ensure availability of sufficient network capacity to meet current business demands (with trends analysis for future projections)
Relevant section/s of ISO/IEC 27002 (Main / Subsidiary): tick-box grid over 4 Risk mgmt, 5 Security policy, 6 Infosec governance, 7 Asset mgmt, 8 HR, 9 Physical security, 10 Comms/Ops mgmt, 11 Access control, 12 SDLC, 13 Incident mgmt, 14 Continuity mgmt, 15 Compliance (selections not recoverable)
Nature of metric: Leading / Lagging / Semi; Soft / Hard / Semi; Objective / Subjective / Semi; Absolute / Relative (trend) / Semi; Confidentiality / Integrity / Availability (selections not recoverable)
Alternative metrics considered: Capacity of network connections for essential web servers. #named/registered web services users. #Failed/Successful web services login attempts. SLA statistics if web services are outsourced.
Notes: Presentation using "highest-mean-lowest" bars, with commentary on any significant changes from the norm.

Title/name of metric: Customer security sophistication index
Primary customer: General manager of eBusiness function
Information source/s: Customer survey
How calculated: Survey using % ranges and key indicators against predetermined criteria (e.g. use of antivirus)
Frequency: Annual
Rationale for measuring this: Customer insecurities could introduce viruses, create data integrity problems and result in unauthorized disclosure of information affecting the organization. Less sophisticated/security aware customers are likely to have less effective security controls.
Relevant section/s of ISO/IEC 27002 (Main / Subsidiary): tick-box grid over 4 Risk mgmt, 5 Security policy, 6 Infosec governance, 7 Asset mgmt, 8 HR, 9 Physical security, 10 Comms/Ops mgmt, 11 Access control, 12 SDLC, 13 Incident mgmt, 14 Continuity mgmt, 15 Compliance (selections not recoverable)
Nature of metric: Leading / Lagging / Semi; Soft / Hard / Semi; Objective / Subjective / Semi; Absolute / Relative (trend) / Semi; Confidentiality / Integrity / Availability (selections not recoverable)
Alternative metrics considered: General security surveys (not specific to customers)
Notes: Might be interesting to compare the 'customer security sophistication index' to the number of eBusiness security incidents that appear to result from customer security issues. If the survey questionnaire is reviewed/updated annually, new risks could be reflected. Security awareness activities targeted at customers should noticeably improve this index.

Title/name of metric: Web abuse
Primary customer: HR Department
Information source/s: Internet filtering software
How calculated: #non-acceptable sites / #acceptable sites accessed or attempted access during the period
Frequency: Collected daily, reported monthly
Rationale for measuring this: Policy compliance issue: employees accessing (or attempting to access) "unacceptable" sites increase the possibility of malware infections, data theft, prosecution for porn & unlicensed software etc.
Relevant section/s of ISO/IEC 27002 (Main / Subsidiary): tick-box grid over 4 Risk mgmt, 5 Security policy, 6 Infosec governance, 7 Asset mgmt, 8 HR, 9 Physical security, 10 Comms/Ops mgmt, 11 Access control, 12 SDLC, 13 Incident mgmt, 14 Continuity mgmt, 15 Compliance (selections not recoverable)
Nature of metric: Leading / Lagging / Semi; Soft / Hard / Semi; Objective / Subjective / Semi; Absolute / Relative (trend) / Semi; Confidentiality / Integrity / Availability (selections not recoverable)
Alternative metrics considered: Separately measure and report successful vs blocked accesses to unacceptable sites. Could be reported by department to department managers, allowing benchmarking comparisons.
Notes: Assumes "acceptability" of websites has been defined in policy and web filtering software configured accordingly. Also assumes tor and similar proxy sites are blocked (could usefully be monitored too!). Metric should improve with user awareness training and follow-up activities by management.

Title/name of metric: Access to controlled facilities
Primary customer: Facilities management, CIO
Information source/s: Card access control system logs
How calculated: #unsuccessful / #successful access attempts to controlled areas
Frequency: Daily collection, monthly reporting
Rationale for measuring this: If people are "rattling the doorlocks", attempting access to controlled areas, this indicates a lax attitude towards physical security.
Relevant section/s of ISO/IEC 27002 (Main / Subsidiary): tick-box grid over 4 Risk mgmt, 5 Security policy, 6 Infosec governance, 7 Asset mgmt, 8 HR, 9 Physical security, 10 Comms/Ops mgmt, 11 Access control, 12 SDLC, 13 Incident mgmt, 14 Continuity mgmt, 15 Compliance (selections not recoverable)
Nature of metric: Leading / Lagging / Semi; Soft / Hard / Semi; Objective / Subjective / Semi; Absolute / Relative (trend) / Semi; Confidentiality / Integrity / Availability (selections not recoverable)
Alternative metrics considered: Reports of unauthorized visitors
Notes: Further analysis of failed accesses may indicate systematic issues such as people not having the correct access rights, using shared cards etc. Should be coupled with analysis of successful accesses to secure areas (e.g. confirming that all who access the area should in fact have that level of access).

Title/name of metric: Security clearance lag time
Primary customer: HR Manager, Information Security Manager, CIO
Information source/s: HR system
How calculated: Average #working days between approval of appointment and security clearance being granted or denied for new employees during the reporting period
Frequency: Measured and reported quarterly
Rationale for measuring this: If employees are appointed "pending full clearance", the longer it takes to complete the police checks the greater the exposure to fraud, theft or other criminal acts by unsuitable employees.
Relevant section/s of ISO/IEC 27002 (Main / Subsidiary): tick-box grid over 4 Risk mgmt, 5 Security policy, 6 Infosec governance, 7 Asset mgmt, 8 HR, 9 Physical security, 10 Comms/Ops mgmt, 11 Access control, 12 SDLC, 13 Incident mgmt, 14 Continuity mgmt, 15 Compliance (selections not recoverable)
Nature of metric: Leading / Lagging / Semi; Soft / Hard / Semi; Objective / Subjective / Semi; Absolute / Relative (trend) / Semi; Confidentiality / Integrity / Availability (selections not recoverable)
Alternative metrics considered: #employees pre-cleared / #appointed without clearance
Notes: Might be interesting to break down or analyze the figures according to the nature of job role (e.g. if appointments to highly responsible positions require express clearance). Process delays outside the organization's control will heavily influence this metric, although process improvements may help.

Title/name of metric: Proportion of security incidents
Primary customer: Information Security Manager, CIO, CEO & Board
Information source/s: IT Help/Service Desk call logging & tracking system
How calculated: #security incidents / #all incidents reported in reporting period
Frequency: Weekly (ISM), monthly (CIO), quarterly (CEO & Board)
Rationale for measuring this: We would expect security awareness activities to drive up the reporting of security incidents
Relevant section/s of ISO/IEC 27002 (Main / Subsidiary): tick-box grid over 4 Risk mgmt, 5 Security policy, 6 Infosec governance, 7 Asset mgmt, 8 HR, 9 Physical security, 10 Comms/Ops mgmt, 11 Access control, 12 SDLC, 13 Incident mgmt, 14 Continuity mgmt, 15 Compliance (selections not recoverable)
Nature of metric: Leading / Lagging / Semi; Soft / Hard / Semi; Objective / Subjective / Semi; Absolute / Relative (trend) / Semi; Confidentiality / Integrity / Availability (selections not recoverable)
Alternative metrics considered: Other security awareness metrics e.g. proportion of employees that have completed some form of security awareness training during the period, or have signed their acceptance of security policies and related obligations.
Notes: Would require care to ensure that security-related incidents are correctly categorized by the Help Desk. Does not take account of the differing severity of security incidents.
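Added example, not part of the catalogue: the three metrics above that draw on the IT Help/Service Desk log (Proportion of security incidents, Personal device security, Days since a serious security incident) computed from a constructed ticket log. The ticket schema, the sample tickets, the device count and the reporting date are assumptions; the "serious" flag stands in for management's judgement and the category field for the Help Desk's classification, which the Notes say must be reliable for the metric to mean anything.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

@dataclass(frozen=True)
class Incident:
    """One IT Help/Service Desk ticket (constructed schema, not any real tool's export)."""
    opened: date
    category: str           # Help Desk classification, e.g. "security", "hardware"
    asset_class: str        # "personal_device" for PDAs, laptops, mobiles; else "corporate"
    serious: bool = False   # management's judgement that business impact was "serious"

# Constructed sample log: five tickets raised in one reporting month.
SAMPLE_LOG = [
    Incident(date(2024, 3, 1), "hardware", "corporate"),
    Incident(date(2024, 3, 4), "security", "personal_device"),
    Incident(date(2024, 3, 9), "security", "corporate", serious=True),
    Incident(date(2024, 3, 15), "software", "personal_device"),
    Incident(date(2024, 3, 20), "security", "personal_device"),
]
REPORT_DATE = date(2024, 3, 31)  # assumed end of the reporting period

def proportion_of_security_incidents(log: Iterable[Incident]) -> float:
    """#security incidents / #all incidents reported in the period x 100%."""
    tickets = list(log)
    if not tickets:
        return 0.0  # nothing reported: 0% rather than a division by zero
    security = sum(1 for t in tickets if t.category == "security")  # depends on correct categorisation
    return 100.0 * security / len(tickets)

def personal_device_security(log: Iterable[Incident], device_count: int) -> float:
    """# of security incidents on personal devices / # personal devices x 100%."""
    if device_count <= 0:
        raise ValueError("personal device count must be positive")
    hits = sum(1 for t in log
               if t.category == "security" and t.asset_class == "personal_device")
    return 100.0 * hits / device_count

def days_since_serious_incident(log: Iterable[Incident], today: date) -> Optional[int]:
    """#days since the latest incident judged serious; None when none is on record."""
    serious = [t.opened for t in log if t.serious]
    return (today - max(serious)).days if serious else None

if __name__ == "__main__":
    print(f"security incidents: {proportion_of_security_incidents(SAMPLE_LOG):.1f}% of tickets")
    print(f"personal device security: {personal_device_security(SAMPLE_LOG, 40):.1f}%")
    print(f"days since serious incident: {days_since_serious_incident(SAMPLE_LOG, REPORT_DATE)}")
```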