Security Metrics

You will need to define what an incident is and keep track of your Incidents.
You will need to address incidents with corrective actions and dive into the root cause to define how you will prevent it in future.
You will need to keep track of your service levels – defined in your SLA with customers.

Security Metrics are ‘KPI’s’ defined to check if the information security management system is working effectively. 
Security Metrics are defined and monitored in Compleye Online – section Measure & Controls.
Security metrics are divided into 2 subsections:  1.  Metrics Definition  and 2.  Metrics Values 

1. Metrics Definition 

• Security metrics are defined by ISMS Team 
• For each X-ray component we define at least 1 security metric 
  
• Check your SLA and add the quality service levels (eg server down time) to this list 
• Check your Monitor procedure and add your defined incidents to this overview.
• A stolen/lost laptop is a security incident
• Unauthorized access in certain environment are incidents
• Data Breachs should be on your list as well

Define a security metric: 

• Security metric [give the metric a name, once defined you cannot change it- A security metrics is measurable – and will be defined with a round number] 
• X-Ray Component [select the component where the metric will have impact on – you can only make use of the pre-defined X-Ray Components – in section IT Infrastructure X-Ray] 
• Owner [assign the team member that will be filling in the value of the metric] 
• Definition [describe very practical what the metrics is about.]
• Acceptable level (KPI) [define how many of these metrics you will accept as a company per month, year?] 
• Security incident [choose if the metric is per definition an incident]
• Type [if not a security incident, you can select another type of incident]
• It is possible to change the metrics (definition) – activity log will track the changes.   

 
Review definition of Security Metrics: 

The metric definition will be reviewed at least on a yearly base.  
The ISMS Team will review the metrics during an security Meeting. 
Make sure you assign a control for this and involve the owner of the metric. 
In section Operations | Security Meetings – you can make notes if you change the definition of security metrics.  
Make sure you will never change the security metrics alone.  

 2. Metrics Values 

The metrics will need to be controlled on a regular interval.  
We advise to monitor every month the metrics – by adding values. 
Make sure the owners are aware to fill in the metric value.
 
How to add Metrics Values 

Next to Metrics Definition, there is Metric Value option. 
In the overview the following information is shared: 

• X-Ray Component 
• Security Metric (definition) 
• Acceptable Level (KPI) 

You are able to add a new month on the overview.  
First you add a month, automatically all the metrics are shown. 
Add for each metric a value [fixed number] 
Make sure you add values to all metrics [0 or higher] 
If you add a value >0 – it is mandatory to add more information: 
Incident report [link to e.g. you own environment with response ticket of CAPA Procedure] This is a mandatory field. 
Per value you can add a separate link to security report [add ne incident report] 
You can also upload a separate document.  
The last box you can fill in are notes – you can add general of specific notes to this overview. [e.g. to be used during security meeting] 
 

How to review the Metrics Values 

• Plan a security meeting with your ISMS Team, to discuss the values ​​if needed (eg if they exceed the acceptable level and to check if metrics have been added) 
• In section Operations | Security Meetings  – you can make notes when discussing the security meetings and assign call to actions to team members if needed. 

Metrics Definition – Add New