Security Performance Measurement
Monitor and report on the effectiveness/efficiency of the information security principles, policies, controls, strategy, and activities.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Security Performance Measurement at each level of maturity.
- 2Basic
- Practice
- Start to measure information security performance, and identify deficiencies and corrective actions.
- Outcomes
- There is growing understanding of the effectiveness of security measures.
- Some corrective actions, for which funding and resourcing exists, can be implemented.
- Metrics
- # of security issues identified.
- % of security issues for which corrective actions are identified.
- % of security issues for which corrective actions are implemented.
- 3Intermediate
- Practice
- Align information security performance measurement with industry norms, and identify and implement corrective actions more proactively.
- Outcomes
- Stakeholders receive an ‘at a glance’ view of security status, and understand the effectiveness of security measures.
- Corrective actions are implemented more proactively.
- Metrics
- # of security issues identified.
- % of security issues for which corrective actions are identified.
- % of security issues for which corrective actions are implemented.
- 4Advanced
- Practices
- Ensure information security performance measurement supports both real-time and historical statistical analysis.
- Identify and implement prompt, appropriate, and cost effective corrective actions.
- Outcomes
- Measurement enables transparent comparisons and detailed statistical analysis.
- Corrective actions are appropriate and cost effective.
- Metrics
- # of security issues identified.
- % of security issues for which corrective actions are identified.
- % of security issues for which corrective actions are implemented.
- 5Optimized
- Practices
- Ensure information security performance measurement supports real-time, historical, trend, variance, profiles, and variances from profiles analysis.
- Enable appropriate corrective actions to be triggered semi-automatically.
- Outcomes
- Measurement enables transparent comparisons and more extensive statistical analysis.
- Acceptable, unusual, or deviant performance measures are easily detected, and corrective actions are appropriate, cost effective, and efficiently implemented.
- Metrics
- # of security issues identified.
- % of security issues for which corrective actions are identified.
- % of security issues for which corrective actions are implemented.