IVI Framework Viewer

Security Performance Reporting

A5

Report on the effectiveness and efficiency of information security policies and activities, and the level of compliance with them.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Security Performance Reporting at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of staff.
    Outcome
    The organization may behave on an ad hoc basis because, with no documented processes or procedures, staff may respond differently depending on their levels of experience and training backgrounds.
    Metric
    # Customer in/consistency complaints/accolades.
2 Basic
  • Practice
    Start to measure security performance of key security activities within IT using basic metrics.
    Outcome
    There is increasing understanding of the effectiveness of security measures.
    Metric
    # of security issues identified; # of security reports including basic information on costs, measures and incidents
3 Intermediate
  • Practice
    Evaluate the effectiveness and efficiency of selected information security activities and report to IT and some business units.
    Outcome
    Stakeholders gain understanding of security and can help to align security measures with business needs, priorities and budgets. Stakeholders receive an 'at a glance' view of security trends and status.
    Metric
    # of security objectives met against targets; # of security reports including trend information, and business impact of security activities and incidents
4 Advanced
  • Practice
    Evaluate the effectiveness of organization-wide information security activities and measure key activities for efficiency.
    Outcome
    Reporting covers the complete organization enabling comparisons and adjustments as necessary and reducing risk of weak links.
    Metric
    # of security objectives met against targets; # of security reports including trend information, and business impact of security activities and incidents
5 Optimized
  • Practice
    Evaluate, report and optimize the effectiveness and efficiency of information security activities regularly across the business ecosystem.
    Outcome
    The organization and its key suppliers are confident they are securing business assets; shared knowledge helps to ensure up-to-date and appropriate security across the business ecosystem.
    Metric
    # of security objectives met against targets; # of security reports including trend information, and business impact of security activities and incidents