You will need to define what an incident is and keep track of your incidents.
You will need to address incidents with corrective actions and dive into the root cause to define how you will prevent it in the future.
You will need to keep track of your service levels – defined in your SLA with customers.
Security Metrics are ‘KPIs’ defined to check if the information security management system is working effectively.
Security Metrics are defined and monitored in Compleye Online – section Measure & Controls.
Security metrics are divided into 2 subsections:
1. Metrics Definition
2. Metrics Values
1. Metric Definition
- Security metrics are defined by ISMS Team
- For each X-ray component we define at least 1 security metric
- Check your SLA and add the quality service levels (e.g. server downtime) to this list
- Check your Monitor procedure and add your defined incidents to this overview.
- A stolen/lost laptop is a security incident
- Unauthorized access to certain environments is an incident
- Data Breaches should be on your list as well
Define a security metric:
- Security metric [give the metric a name; once defined you cannot change it. A security metric is measurable and is defined with a round number]
- X-Ray Component [select the component where the metric will have impact on – you can only make use of the pre-defined X-Ray Components – in section IT Infrastructure X-Ray]
- Owner [assign the team member that will be filling in the value of the metric]
- Definition [describe very practically what the metric is about]
- Acceptable level (KPI) [define how many occurrences of this metric you will accept as a company per month or year]
- Security incident [choose if the metric is per definition an incident]
- Type [if not a security incident, you can select another type of incident]
- It is possible to change the metrics (definition) – activity log will track the changes.
Review definition of Security Metrics:
The metric definition will be reviewed at least on a yearly basis. The ISMS Team will review the metrics during a security meeting. Make sure you assign a control for this and involve the owner of the metric. In section Operations | Security Meetings you can make notes if you change the definition of security metrics. Make sure you never change the security metrics alone.
2. Metric Values
The metrics will need to be controlled at a regular interval. We advise monitoring the metrics every month by adding values. Make sure the owners are aware that they have to fill in the metric value.
How to add Metric Values
Next to Metrics Definition, there is the Metric Value option. The overview shows the following information:
- X Ray Component
- Security Metric (definition)
- Acceptable Level (KPI)
You are able to add a new month to the overview. When you add a month, all the metrics are shown automatically. For each metric:
- Add a value [fixed number, 0 or higher]. Make sure you add values to all metrics.
- If the value is >0, it is mandatory to add more information: Incident report [link to e.g. your own environment with the response ticket or CAPA procedure]. Per value you can add a separate link to a security report [add new incident report]. You can also upload a separate document.
- The last box you can fill in is notes – you can add general or specific notes to this overview [e.g. to be used during the security meeting].
How to review the Metric Values
- Plan a security meeting with your ISMS Team to discuss the values if needed (e.g. if they exceed the acceptable level, and to check that values have been added for all metrics)
- In section Operations | Security Meetings – you can make notes when discussing the security meetings and assign call to actions to team members if needed.
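The two procedures above (fill in a value for every metric each month, with an incident report link whenever the value is above 0, then flag the metrics that exceed their acceptable level for the security meeting) can be expressed as two small checks. The following is an added example and not Compleye Online's own code: the `MetricDefinition` and `MetricValue` classes, the sample metrics, and the ticket links are all hypothetical, constructed to mirror the fields of the Add New form and the Metric Values overview.

```python
from dataclasses import dataclass
from typing import Optional


# Hypothetical model of one metric definition; the fields mirror the Add New form.
@dataclass(frozen=True)
class MetricDefinition:
    security_metric: str      # name of the metric; treated as immutable once defined
    xray_component: str       # X-Ray component the metric has impact on
    owner: str                # team member who fills in the monthly value
    definition: str           # practical description of what is counted
    acceptable_level: int     # KPI: maximum number of occurrences accepted per period
    security_incident: bool   # True if every occurrence is per definition an incident
    metric_type: str          # "Security", "Quality" or "GDPR"


# Hypothetical model of one entry in the Metric Values overview for a month.
@dataclass
class MetricValue:
    security_metric: str
    value: int                              # fixed number, 0 or higher
    incident_report: Optional[str] = None   # ticket/CAPA link; mandatory when value > 0
    notes: str = ""


def validate_month(definitions, values):
    """Return the problems found in one month's entries; an empty list means the month is complete."""
    problems = []
    defined = {d.security_metric for d in definitions}
    entered = {v.security_metric for v in values}
    for name in sorted(defined - entered):
        problems.append(f"{name}: no value entered for this month")
    for v in values:
        if v.security_metric not in defined:
            problems.append(f"{v.security_metric}: not a defined metric")
            continue
        if v.value < 0:
            problems.append(f"{v.security_metric}: value must be 0 or higher")
        elif v.value > 0 and not v.incident_report:
            problems.append(f"{v.security_metric}: value > 0 requires an incident report link")
    return problems


def review_month(definitions, values):
    """Return (metric, value, acceptable level) for each metric whose value exceeds its KPI."""
    by_name = {d.security_metric: d for d in definitions}
    flagged = []
    for v in values:
        d = by_name.get(v.security_metric)
        if d is not None and v.value > d.acceptable_level:
            flagged.append((v.security_metric, v.value, d.acceptable_level))
    return flagged


# Constructed sample definitions (not real company data).
DEFINITIONS = [
    MetricDefinition("Lost or stolen laptop", "Laptops", "IT lead",
                     "Number of company laptops reported lost or stolen", 0, True, "Security"),
    MetricDefinition("Unauthorized access to production", "Production servers", "Ops lead",
                     "Number of logins to production by accounts without approval", 0, True, "Security"),
    MetricDefinition("Server downtime (hours)", "Production servers", "Ops lead",
                     "Unplanned downtime in hours, as defined in the customer SLA", 4, False, "Quality"),
]

# Constructed values for one month; the report links are placeholders.
MARCH_VALUES = [
    MetricValue("Lost or stolen laptop", 1, incident_report="https://tickets.example/INC-0001"),
    MetricValue("Unauthorized access to production", 0),
    MetricValue("Server downtime (hours)", 6, incident_report="https://tickets.example/INC-0002",
                notes="Discuss SLA breach in the April security meeting"),
]

# Constructed incomplete month: one metric is missing and one value > 0 has no report link.
INCOMPLETE_VALUES = [
    MetricValue("Lost or stolen laptop", 2),
    MetricValue("Server downtime (hours)", 0),
]

if __name__ == "__main__":
    print("March problems:", validate_month(DEFINITIONS, MARCH_VALUES))
    print("March meeting agenda:", review_month(DEFINITIONS, MARCH_VALUES))
    print("Incomplete month problems:", validate_month(DEFINITIONS, INCOMPLETE_VALUES))
```

Running `validate_month` before the security meeting catches the two mistakes the procedure warns about (a metric nobody filled in, and an incident counted without a report link), and the output of `review_month` is the list of metrics that need a decision or a call to action in the meeting notes.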
Metrics Definition – Add New
| Field | Value / Description | Example |
|---|---|---|
| Security Metric | free text field – add the name of the metric you would like to add and measure | |
| X-Ray Component | select from the drop-down list which component of your X-Ray the metric refers to | |
| Owner | select from the drop-down list who from your team is responsible for the performance on this metric | |
| Definition | free text field – describe the metric | |
| Acceptable Level (KPI) | free text field | |
| Security Incident | select the button yes or no, indicating whether the metric is considered to be an incident or not | |
| Type | select from the drop-down list whether the metric belongs to Security, Quality or GDPR measures | |