IVI Framework Viewer

Security Performance Measurement

A7

Monitor and report on the effectiveness/efficiency of the information security principles, policies, controls, strategy, and activities.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Security Performance Measurement at each level of maturity.

2 Basic
  • Practice
    Start to measure information security performance, and identify deficiencies and corrective actions.
  • Outcomes
    • There is growing understanding of the effectiveness of security measures.
    • Some corrective actions, for which funding and resourcing exists, can be implemented.
  • Metrics
    • # of security issues identified.
    • % of security issues for which corrective actions are identified.
    • % of security issues for which corrective actions are implemented.
3 Intermediate
  • Practice
    Align information security performance measurement with industry norms, and identify and implement corrective actions more proactively.
  • Outcomes
    • Stakeholders receive an ‘at a glance’ view of security status, and understand the effectiveness of security measures.
    • Corrective actions are implemented more proactively.
  • Metrics
    • # of security issues identified.
    • % of security issues for which corrective actions are identified.
    • % of security issues for which corrective actions are implemented.
4 Advanced
  • Practices
    • Ensure information security performance measurement supports both real-time and historical statistical analysis.
    • Identify and implement prompt, appropriate, and cost-effective corrective actions.
  • Outcomes
    • Measurement enables transparent comparisons and detailed statistical analysis.
    • Corrective actions are appropriate and cost-effective.
  • Metrics
    • # of security issues identified.
    • % of security issues for which corrective actions are identified.
    • % of security issues for which corrective actions are implemented.
5 Optimized
  • Practices
    • Ensure information security performance measurement supports real-time, historical, trend, variance, and profile analysis, including detection of variances from established profiles.
    • Enable appropriate corrective actions to be triggered semi-automatically.
  • Outcomes
    • Measurement enables transparent comparisons and more extensive statistical analysis.
    • Acceptable, unusual, or deviant performance measures are easily detected, and corrective actions are appropriate, cost-effective, and efficiently implemented.
  • Metrics
    • # of security issues identified.
    • % of security issues for which corrective actions are identified.
    • % of security issues for which corrective actions are implemented.