| IT Security Metrics | Description | Measure | Target | Score |
| | Risk Management | Risk Management measurements quantify the number of conducted system risk assessments and the degree of managerial involvement in the risk assessments procedures. | | | 30 |
| | | Security Plan | Security Plan metrics quantify the percentage of systems with approved system security plans and the percentage of current system security plans. Comment: 90% coverage, except some laptops and pocket pc computers | The percentage of systems with approved system security plans | 100% | 7 of 12 |
| | | Security Controls | Security Controls metrics determine the efficiency of closing significant system weaknesses by evaluating the existence, the timeliness and effectiveness of a process for implementing corrective actions. Comment: Measured for spam fighting, it required about 1 hour to install patch for all systems. Consider time for other possible threats. | The time required for implementing corrective actions | 2 hours | 6 of 18 |
| | Contingency Planning | Contingency Planning measurements include the percentage level of critical data files and operations with an established backup frequency as well as the percentage of systems that have a contingency plan | | | 20 |
| | | Backup Frequency | Backup Frequency depends on changes frequency and data value Comment: We do backup two times a day | Backup frequency time period | 2-8 hours | 10 of 14 |
| | | Incident Response Capability | Incident Response Capability metrics quantify the percentage of agency components with incident handling and response capability and the number of incidents reported to FedCIRC, NIPC, and local law enforcement Comment: We need better reporting features for database | The number of components with incident handling and response capability | 80% of installed components | 6 of 6 |
| | System Life Cycle | | | | 10 |
| | | OMB requirement | The percentage of systems that are in compliance with the OMB requirement for integrating security costs into the system life cycle Comment: Need to be integrated, in case of data or hardware problems we will save some money | Systems with integrating security costs | 100% | 0 of 6 |
| | | Audit Trails | Audit Trails metrics quantify the percentage of systems on which audit trails provide a trace of user actions Comment: 100% audit is possible now only for customer support employees, should consider to add a policy for other employees | Systems on which audit trails provide a trace of user actions | 90% | 3 of 4 |
| | Personnel Security | Personnel Security metrics quantify the percentage of users with special access to systems who have undergone background evaluations. | | | 20 |
| | | Security Awareness | Security Awareness metrics concern with the percentage of employees with significant security responsibilities who have received specialized training. Comment: The latest training date is March, 2006 | Employees who have received specialized security training | 100% | 10 of 14 |
| | | Authentication and Authorize Processing | Authentication and Authorize Processing measurements Comment: Most marketing materials are accessible without authorization, it's OK for our business | Non-public data that is accessible after authorization | 100% | 5 of 6 |
| | Data Integrity | Data Integrity metrics quantify the percentage of systems with automatic virus definition updates and automatic virus scanning and the percentage of systems that perform password policy verification | | | 20 |
| | | Logical Access Controls | Logical Access Controls metrics concern with the number of users with access to security software that are not security administrators Comment: We have about 20% of employees, it's a little more than it's really needed | The number of users with access to security software that are not security administrators | 10% | 8 of 4 |
| | | Anti-virus and spyware protection | The number of systems protected with anti-virus, anti-spyware and firewall software Comment: We have all computers with protection software installed | The number of systems protected with anti-virus, anti-spyware and firewall software | 100% | 10 of 16 |