Security Performance Reporting
Report on the effectiveness and efficiency of information security policies and activities, and the level of compliance with them.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Security Performance Reporting at each level of maturity.
- 1 Initial
  - Practice: Rely on the best endeavours of staff.
  - Outcome: The organization may behave on an ad hoc basis: with no documented processes or procedures, staff may respond differently according to their differing levels of experience and training.
  - Metric: # of customer complaints or accolades concerning the (in)consistency of security handling.
- 2 Basic
  - Practice: Start to measure the security performance of key security activities within IT using basic metrics.
  - Outcome: There is increasing understanding of the effectiveness of security measures.
  - Metric: # of security issues identified; # of security reports including basic information on costs, measures and incidents.
- 3 Intermediate
  - Practice: Evaluate the effectiveness and efficiency of selected information security activities and report to IT and some business units.
  - Outcome: Stakeholders gain understanding of security and can help to align security measures with business needs, priorities and budgets. Stakeholders receive an 'at a glance' view of security trends and status.
  - Metric: # of security objectives met against targets; # of security reports including trend information and the business impact of security activities and incidents.
- 4 Advanced
  - Practice: Evaluate the effectiveness of organization-wide information security activities and measure key activities for efficiency.
  - Outcome: Reporting covers the complete organization, enabling comparisons and adjustments as necessary and reducing the risk of weak links.
  - Metric: # of security objectives met against targets; # of security reports including trend information and the business impact of security activities and incidents.
- 5 Optimized
  - Practice: Evaluate, report and optimize the effectiveness and efficiency of information security activities regularly across the business ecosystem.
  - Outcome: The organization and its key suppliers are confident that they are securing business assets; shared knowledge helps to ensure up-to-date and appropriate security across the business ecosystem.
  - Metric: # of security objectives met against targets; # of security reports including trend information and the business impact of security activities and incidents.