Strategy tree: IT Security Metrics

Creation time stamp: 10.05.2006 0:16:49 

 

Solution: Security audit with Strategy2Act software

Learn the strong and weak points of the organization. Suggest possible ways to solve security problems.

Response: Invest the necessary means to integrate security costs into the system life cycle; check and approve system security plans for laptops.

 

Vision tree: IT Security Metrics

 

Strategy tree details:
IT Security Metrics

Risk Management
  Info: Risk Management measurements quantify the number of conducted system risk assessments and the degree of managerial involvement in the risk assessment procedures.
  Score: 30

  Security Plan
    Info: Security Plan metrics quantify the percentage of systems with approved system security plans and the percentage of current system security plans.
    Score: 7 of 12
    Measure: The percentage of systems with approved system security plans
    Target: 100%
    Comment: 90% coverage, except some laptops and pocket PC computers

  Security Controls
    Info: Security Controls metrics determine the efficiency of closing significant system weaknesses by evaluating the existence, the timeliness and effectiveness of a process for implementing corrective actions.
    Score: 6 of 18
    Measure: The time required for implementing corrective actions
    Target: 2 hours
    Comment: Measured for spam fighting; it required about 1 hour to install the patch for all systems. Consider time for other possible threats.

Contingency Planning
  Info: Contingency Planning measurements include the percentage level of critical data files and operations with an established backup frequency as well as the percentage of systems that have a contingency plan.
  Score: 20

  Backup Frequency
    Info: Backup Frequency depends on change frequency and data value.
    Score: 10 of 14
    Measure: Backup frequency time period
    Target: 2-8 hours
    Comment: We do backup two times a day

  Incident Response Capability
    Info: Incident Response Capability metrics quantify the percentage of agency components with incident handling and response capability and the number of incidents reported to FedCIRC, NIPC, and local law enforcement.
    Score: 6 of 6
    Measure: The number of components with incident handling and response capability
    Target: 80% of installed components
    Comment: We need better reporting features for database

System Life Cycle
  Score: 10

  OMB requirement
    Info: The percentage of systems that are in compliance with the OMB requirement for integrating security costs into the system life cycle.
    Score: 0 of 6
    Measure: Systems with integrating security costs
    Target: 100%
    Comment: Needs to be integrated; in case of data or hardware problems we will save some money

  Audit Trails
    Info: Audit Trails metrics quantify the percentage of systems on which audit trails provide a trace of user actions.
    Score: 3 of 4
    Measure: Systems on which audit trails provide a trace of user actions
    Target: 90%
    Comment: 100% audit is possible now only for customer support employees; should consider adding a policy for other employees

Personnel Security
  Info: Personnel Security metrics quantify the percentage of users with special access to systems who have undergone background evaluations.
  Score: 20

  Security Awareness
    Info: Security Awareness metrics concern the percentage of employees with significant security responsibilities who have received specialized training.
    Score: 10 of 14
    Measure: Employees who have received specialized security training
    Target: 100%
    Comment: The latest training date is March 2006

  Authentication and Authorize Processing
    Info: Authentication and Authorize Processing measurements
    Score: 5 of 6
    Measure: Non-public data that is accessible after authorization
    Target: 100%
    Comment: Most marketing materials are accessible without authorization; it's OK for our business

Data Integrity
  Info: Data Integrity metrics quantify the percentage of systems with automatic virus definition updates and automatic virus scanning and the percentage of systems that perform password policy verification.
  Score: 20

  Logical Access Controls
    Info: Logical Access Controls metrics concern the number of users with access to security software that are not security administrators.
    Score: 8 of 4
    Measure: The number of users with access to security software that are not security administrators
    Target: 10%
    Comment: We have about 20% of employees; it's a little more than is really needed

  Anti-virus and spyware protection
    Info: The number of systems protected with anti-virus, anti-spyware and firewall software.
    Score: 10 of 16
    Measure: The number of systems protected with anti-virus, anti-spyware and firewall software
    Target: 100%
    Comment: We have all computers with protection software installed

 

This report was generated by Strategy2Act - balanced score card support program.
