Strategy tree: IT Security Metrics
Creation time stamp: 10.05.2006 0:16:49
Solution: Security audit with Strategy2Act software. Learn the strong and weak points of the organization. Suggest possible ways to solve security problems.
Response: Invest the necessary means to integrate security costs into the system life cycle; check and approve system security plans for laptops.
Vision tree: IT Security Metrics
Strategy tree details:
| IT Security Metrics | Info | Score | Measure | Target | Comment |
| Risk Management | Risk Management measurements quantify the number of conducted system risk assessments and the degree of managerial involvement in the risk assessment procedures. | 30 | | | |
|     Security Plan | Security Plan metrics quantify the percentage of systems with approved system security plans and the percentage of current system security plans. | 7 of 12 | The percentage of systems with approved system security plans | 100% | 90% coverage, except for some laptops and Pocket PC computers |
|     Security Controls | Security Controls metrics determine the efficiency of closing significant system weaknesses by evaluating the existence, timeliness and effectiveness of a process for implementing corrective actions. | 6 of 18 | The time required for implementing corrective actions | 2 hours | Measured for spam fighting: it required about 1 hour to install the patch on all systems. Consider the time for other possible threats. |
| Contingency Planning | Contingency Planning measurements include the percentage of critical data files and operations with an established backup frequency as well as the percentage of systems that have a contingency plan. | 20 | | | |
|     Backup Frequency | Backup frequency depends on the rate of change and the value of the data. | 10 of 14 | Backup frequency time period | 2-8 hours | We do backups two times a day |
|     Incident Response Capability | Incident Response Capability metrics quantify the percentage of agency components with incident handling and response capability and the number of incidents reported to FedCIRC, NIPC, and local law enforcement. | 6 of 6 | The number of components with incident handling and response capability | 80% of installed components | We need better reporting features for the database |
| System Life Cycle | | 10 | | | |
|     OMB requirement | The percentage of systems that are in compliance with the OMB requirement for integrating security costs into the system life cycle. | 0 of 6 | Systems with security costs integrated into the life cycle | 100% | Needs to be integrated; in case of data or hardware problems we will save some money |
|     Audit Trails | Audit Trails metrics quantify the percentage of systems on which audit trails provide a trace of user actions. | 3 of 4 | Systems on which audit trails provide a trace of user actions | 90% | 100% audit is currently possible only for customer support employees; we should consider adding a policy for other employees |
| Personnel Security | Personnel Security metrics quantify the percentage of users with special access to systems who have undergone background evaluations. | 20 | | | |
|     Security Awareness | Security Awareness metrics concern the percentage of employees with significant security responsibilities who have received specialized training. | 10 of 14 | Employees who have received specialized security training | 100% | The latest training date is March 2006 |
|     Authentication and Authorization Processing | Authentication and Authorization Processing measurements | 5 of 6 | Non-public data that is accessible only after authorization | 100% | Most marketing materials are accessible without authorization, which is OK for our business |
| Data Integrity | Data Integrity metrics quantify the percentage of systems with automatic virus definition updates and automatic virus scanning and the percentage of systems that perform password policy verification. | 20 | | | |
|     Logical Access Controls | Logical Access Controls metrics concern the number of users with access to security software who are not security administrators. | 8 of 4 | The number of users with access to security software who are not security administrators | 10% | We have about 20% of employees with such access; it's a little more than is really needed |
|     Anti-virus and spyware protection | The number of systems protected with anti-virus, anti-spyware and firewall software. | 10 of 16 | The number of systems protected with anti-virus, anti-spyware and firewall software | 100% | We have protection software installed on all computers |
This report was generated by Strategy2Act, a balanced scorecard support program.
Find more report templates on www.strategy2act.com