
Security Metrics

Restricted

Information Security Metrics Legend

| Score band | Rating description |
|---|---|
| 0 - 1.0 | Needs attention / improvement. Not achieving acceptable results in this area. |
| 1.01 - 2.0 | Achieving some results in this area, but needs to be monitored. |
| 2.01 - 3.0 | Achieving acceptable results in this area. |

ASSUMPTIONS FOR METRIC MEASUREMENTS

1. For metrics where the total population size is large, it is assumed that a sample of the total population will be audited every quarter. The sampling will be done on a random basis, at the sole discretion of the auditor.

2. For metrics where the answer is a simple 'yes'/'no', '0' shall be used to indicate 'no' and '1' shall indicate 'yes'. Such metrics are scored as either '1' (red) or '3' (green); no intermediary score is assigned. Note that several metrics in the tables below are worded as "Existence of ..." (for example, domain IDs of separated employees) yet score 3 (green) with a value of 1, so for those rows a 1 has to be read as "control satisfied" rather than "condition exists". The wording of those metrics should be inverted so that it matches the 0/1 convention stated here.

3. The upper and lower threshold values have been set based on an assessment of the current environment and the targets that XYZ has set for its business in the information security policy. For metrics where a lower value is better (time in months since an activity, percentage of non-compliant items), the lower threshold is the boundary of the green band and the upper threshold the boundary of the red band; for all other metrics the bands are the other way round.
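The scoring convention above and the weighted roll-up used in the domain tables, as an added worked example. This is not part of the XYZ sheet: the class, field and function names, and the handling of values that land exactly on a threshold, are the author's own choices. It recomputes Domain 1 from the sheet's own Quarter 1 rows and flags the Equipment Maintenance sub-domain of Domain 5, whose metric weights sum to 40% rather than 100%:

```python
"""Recompute the XYZ information security metrics roll-up.

Added worked example; it is not part of the original metrics sheet. It encodes
the sheet's scoring convention (metric score 1/2/3 from a lower and an upper
threshold, weighted average to sub-domain score, weighted average to domain
score) and runs it over rows transcribed from the sheet, so that a reported
domain score can be reproduced and weight-sum errors can be detected.
Class, field and function names are the author's own, not the sheet's.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Metric:
    name: str
    weight: float          # share of its sub-domain, as a fraction (1.0 = 100%)
    lower: float           # lower threshold, exactly as in the sheet
    upper: float           # upper threshold, exactly as in the sheet
    value: float           # measured value for the quarter
    lower_is_better: bool  # True for time-since and "percentage non-compliant" metrics


@dataclass
class SubDomain:
    name: str
    weight: float          # share of its domain, as a fraction
    metrics: List[Metric]


def score_metric(m: Metric) -> int:
    """Map a value onto the sheet's 1 (red) / 2 / 3 (green) scale.

    Higher-is-better: at or below lower -> 1, between -> 2, at or above upper -> 3.
    Lower-is-better:  at or below lower -> 3, between -> 2, at or above upper -> 1.
    A yes/no metric is encoded as lower=0, upper=1 with a value of 0 or 1, so it
    can only score 1 or 3, which is the sheet's "no intermediary scores" rule.
    The sheet is not consistent about which band a value exactly on a threshold
    falls into; this version treats reaching the bad threshold as red (assumption).
    """
    if m.lower_is_better:
        if m.value <= m.lower:
            return 3
        return 1 if m.value >= m.upper else 2
    if m.value <= m.lower:
        return 1
    return 3 if m.value >= m.upper else 2


def weighted(pairs: List[Tuple[float, float]]) -> float:
    """Weighted sum rounded to two places, as the sheet displays scores.

    Weights are deliberately not normalised: if they do not sum to 1 the result
    is wrong in exactly the way the sheet's is, and check_weights() exists to
    catch that rather than hide it.
    """
    return round(sum(w * s for w, s in pairs), 2)


def subdomain_score(sd: SubDomain) -> float:
    return weighted([(m.weight, score_metric(m)) for m in sd.metrics])


def domain_score(subdomains: List[SubDomain]) -> float:
    return weighted([(sd.weight, subdomain_score(sd)) for sd in subdomains])


def check_weights(subdomains: List[SubDomain]) -> List[str]:
    """Names of the sub-domains whose metric weights do not sum to 100%."""
    return [sd.name for sd in subdomains
            if abs(sum(m.weight for m in sd.metrics) - 1.0) > 1e-9]


# Domain 1, Information Security Policy, transcribed from the sheet's Quarter 1 rows.
POLICY = [
    SubDomain("Information security policy document", 0.5, [
        Metric("New joiners who signed the declaration form", 1.0, 0.75, 1.0, 0.90, False),
    ]),
    SubDomain("Review of the information security policy", 0.5, [
        Metric("Months since last review of the policy", 0.5, 12, 14, 14, True),
        Metric("Months since last information security audit", 0.5, 3, 6, 4, True),
    ]),
]

# Domain 5, sub-domain Equipment Maintenance, as the sheet has it: two yes/no
# metrics weighted 20% each, so the metric weights sum to 40% instead of 100%.
EQUIPMENT_MAINTENANCE = SubDomain("Equipment Maintenance", 0.2, [
    Metric("PM schedule followed for supporting utilities", 0.2, 0, 1, 1, False),
    Metric("PM schedule followed for IT equipment", 0.2, 0, 1, 1, False),
])

if __name__ == "__main__":
    print("Domain 1 score:", domain_score(POLICY))                           # 1.75, as reported
    print("Equipment Maintenance:", subdomain_score(EQUIPMENT_MAINTENANCE))  # 1.2, should be 3.0
    print("Sub-domains with bad weights:", check_weights([EQUIPMENT_MAINTENANCE]))
```

Run as a script it reproduces the 1.75 the sheet reports for Domain 1 and the 1.2 it reports for Equipment Maintenance. The check_weights() result is what the sheet lacks: a spreadsheet multiplies whatever weights it is given, so a sub-domain whose weights sum to 40% silently loses most of its contribution to the domain score.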


Information Security Metrics Executive Summary

Ratings by domain. Only Quarter 1 had been populated when the sheet was exported; the Quarter 2 to Quarter 4 cells show the spreadsheet error #REF! and are omitted here.

| Information Security Metrics Domain | Quarter 1 rating |
|---|---|
| 1. Information Security Policy | 1.75 |
| 2. Organization of Information Security | 2.35 |
| 3. Asset Management | 2.50 |
| 4. Human Resources Security | 1.50 |
| 5. Physical & Environmental Security | 1.94 |
| 6. Communications & Operations Management | 2.15 |
| 7. Access Control | 2.60 |
| 8. Information systems acquisition, development and maintenance | 2.00 |
| 9. Information security incident management | 2.00 |
| 10. Business Continuity Management | 3.00 |
| 11. Compliance | 3.00 |

XYZ Information Security Metrics (Quarter 1 detail)

1.0 Information Security Policy (weightage 100%, domain score 1.75)

| Sub-domain (weightage) | Metric (weightage) | Lower Threshold | Upper Threshold | Metric Value | Metric Score | Sub-domain Score |
|---|---|---|---|---|---|---|
| Information security policy document (50%) | Number of newly joined employees who have signed the declaration form vs. total number of newly joined employees in XYZ (since the last audit) (100%) | 75% | 100% | 90% | 2 | 2 |
| Review of the information security policy (50%) | Time in months since last review of the information security policy (50%) | 12 | 14 | 14 | 1 | 1.5 |
| | Time in months since last information security audit (internal or external) (50%) | 3 | 6 | 4 | 2 | |

2.0 Organization of Information Security (weightage 100%, domain score 2.35)

| Sub-domain (weightage) | Metric (weightage) | Lower Threshold | Upper Threshold | Metric Value | Metric Score | Sub-domain Score |
|---|---|---|---|---|---|---|
| Information security co-ordination (30%) | Time in months since the last Security Management Meeting was held (50%) | 1 | 2 | 2 | 2 | 2.5 |
| | Number of actionables from previous meetings closed vs. total number of actionables (50%) | 50% | 80% | 81% | 3 | |
| Contacts with Authorities (15%) | Time in months since last review of the contact list with authorities (100%) | 3 | 6 | 3 | 3 | 3 |
| Contacts with Special Interest Groups (15%) | Contacts maintained with special interest groups (yes/no) (100%) | 0 | 1 | 1 | 3 | 3 |
| Independent review of information security (30%) | Time in months since last independent review of information security (100%) | 3 | 6 | 4 | 2 | 2 |
| Identification of risks due to third parties (10%) | Number of third party risk assessments performed vs. number of third party contractors onboarded (100%) | 75% | 100% | 75% | 1 | 1 |

3.0 Asset Management (weightage 100%, domain score 2.50)

| Sub-domain (weightage) | Metric (weightage) | Lower Threshold | Upper Threshold | Metric Value | Metric Score | Sub-domain Score |
|---|---|---|---|---|---|---|
| Accountability for Assets (50%) | Number of departments which updated their asset inventory in the last quarter vs. number of departments reviewed (100%) | 75% | 100% | 85% | 2 | 2 |
| Information Classification (50%) | Number of information assets (electronic files and hard copies) that have been classified vs. total number of information assets reviewed (100%) | 50% | 75% | 80% | 3 | 3 |

4.0 Human Resources Security (weightage 100%, domain score 1.50)

| Sub-domain (weightage) | Metric (weightage) | Lower Threshold | Upper Threshold | Metric Value | Metric Score | Sub-domain Score |
|---|---|---|---|---|---|---|
| Prior to employment (30%) | Number of employees whose BGC report was obtained within 60 days, or for whom management approved continuation, vs. total number of new employees that joined XYZ in the last quarter (100%) | 75% | 100% | 88% | 2 | 2 |
| User Training (30%) | Number of planned security user awareness trainings vs. actual trainings held (70%) | 75% | 100% | 50% | 1 | 1 |
| | Number of XYZ employees that attended security awareness training during induction vs. total number of employees that joined XYZ in the last quarter (30%) | 75% | 100% | 50% | 1 | |
| Removal of Access Rights (40%) | Number of leavers (employees / third party) for which requests for removal of access rights were sent vs. total number of separating employees in the last quarter (50%) | 75% | 100% | 50% | 1 | 1.5 |
| | Number of internal transfer cases for which NURF recorded deletion of former access rights vs. total number of transfer cases (50%) | 75% | 100% | 88% | 2 | |

5.0 Physical & Environmental Security (weightage 100%, domain score 1.94)

| Sub-domain (weightage) | Metric (weightage) | Lower Threshold | Upper Threshold | Metric Value | Metric Score | Sub-domain Score |
|---|---|---|---|---|---|---|
| Physical Entry Controls (20%) | Number of third parties that were provided access after signing an NDA vs. total number of third party contracts signed in the last quarter (50%) | 75% | 100% | 88% | 2 | 2.5 |
| | Reconciliation of accounts in the access control system performed with business (floor) owners (yes/no) (50%) | 0 | 1 | 1 | 3 | |
| Protecting against external and environmental threats (20%) | Time since last fire drill conducted (100%) | 1 | 2 | 2 | 1 | 1 |
| Public access, delivery and loading areas (10%) | Registers for incoming and outgoing shipments appropriately maintained and signed off (yes/no) (100%) | 0 | 1 | 0 | 1 | 1 |
| Supporting Utilities (20%) | Records for incidents of failure of supporting utilities (electricity, water supply, sewage, heating/ventilation, air conditioning) properly maintained (yes/no) (100%) | 0 | 1 | 0 | 3 | 3 |
| Equipment Maintenance (20%) | Maintenance carried out as per the Preventive Maintenance schedule for supporting utilities (yes/no) (20%) | 0 | 1 | 1 | 3 | 1.2 |
| | Maintenance carried out as per the Preventive Maintenance schedule for IT equipment (yes/no) (20%) | 0 | 1 | 1 | 3 | |
| Disposal / Removal of Equipment (10%) | Records maintained for safe disposal / removal of equipment (yes/no) (100%) | 0 | 1 | 1 | 3 | 3 |

Two rows in this domain do not follow the sheet's own rules and should be verified against the source workbook. The Supporting Utilities metric records a value of 0 ('no') but scores 3; by the yes/no convention it should score 1. The two Equipment Maintenance metrics are weighted 20% each, so their weights sum to 40% rather than 100% and the sub-domain scores 1.2 although both metrics score 3; with the weights corrected to sum to 100% the sub-domain would score 3.0 and the domain 2.30 instead of 1.94.

6.0 Communications & Operations Management (weightage 100%, domain score 2.15)

| Sub-domain (weightage) | Metric (weightage) | Lower Threshold | Upper Threshold | Metric Value | Metric Score | Sub-domain Score |
|---|---|---|---|---|---|---|
| Change Management (25%) | SAP Application: number of completed change ticket records vs. total number of changes made (30%) | 75% | 100% | 35% | 1 | 1.4 |
| | IT Infrastructure: number of completed change ticket records vs. total number of changes made (40%) | 75% | 100% | 90% | 2 | |
| | Intranet Application: number of completed change ticket records vs. total number of changes made (30%) | 75% | 100% | 35% | 1 | |
| Third Party Service Delivery Management (10%) | Monitoring of services provided by third party service providers done through dashboards / service reports (yes/no) (100%) | 0 | 1 | 1 | 3 | 3 |
| System Planning and Acceptance (5%) | Number of critical systems (e.g. servers, network equipment) tested before being installed vs. total number of new critical systems installed in the last quarter at XYZ (100%) | 80% | 100% | 90% | 2 | 2 |
| Protection against malicious and mobile code (10%) | Number of nodes without the latest virus definitions vs. total number of nodes audited (100%) | 5% | 10% | 15% | 1 | 1 |
| Information Back-up (25%) | Back-up performed in accordance with the defined back-up schedule (yes/no) (50%) | 0 | 1 | 1 | 3 | 3 |
| | Number of successful back-up restorations vs. number of restoration trials (50%) | 80% | 90% | 95% | 3 | |
| Network Controls (10%) | Number of network incidents reported to XYZ UK vs. number of incidents resolved in the last quarter (100%) | 50% | 75% | 67% | 2 | 2 |
| Media Handling and Security (5%) | Existence of computers with media access enabled without proper permission (yes/no) (100%) | 0 | 1 | 1 | 3 | 3 |
| Fault Logging (10%) | Number of systems where fault logging is enabled vs. total number of production systems (100%) | 75% | 100% | 80% | 2 | 2 |

7.0 Access Control (weightage 100%, domain score 2.60)

| Sub-domain (weightage) | Metric (weightage) | Lower Threshold | Upper Threshold | Metric Value | Metric Score | Sub-domain Score |
|---|---|---|---|---|---|---|
| User Access Management (30%) | Existence of domain IDs of separated employees (yes/no) (100%) | 0 | 1 | 1 | 3 | 3 |
| Users Responsibilities (10%) | Number of users aware of IS policies and procedures such as password policy, clear desk and clear screen, etc. vs. number of users interviewed (100%) | 5% | 10% | 4% | 3 | 3 |
| Network Access Controls (20%) | Number of vulnerabilities addressed by IT vs. number of vulnerabilities identified in the last vulnerability assessment (100%) | 50% | 75% | 66% | 2 | 2 |
| Operating System Access Control (20%) | User accounts created without proper approvals (yes/no) (100%) | 0 | 1 | 1 | 3 | 3 |
| Application Access Control (20%) | Existence of administrative privileges for developers in production environments (yes/no) (50%) | 0 | 1 | 0 | 1 | 2 |
| | Existence of IDs of separated employees in SAP (yes/no) (50%) | 0 | 1 | 1 | 3 | |

The Users Responsibilities row carries thresholds of 5% and 10% and scores 3 (green) on a value of 4%, which is only consistent if the row actually measures the proportion of users who were not aware of the policies; as worded (users aware vs. users interviewed) a value of 4% would be red. The metric wording or the thresholds should be corrected in the source workbook.

8.0 Information systems acquisition, development and maintenance (weightage 100%, domain score 2.00)

| Sub-domain (weightage) | Metric (weightage) | Lower Threshold | Upper Threshold | Metric Value | Metric Score | Sub-domain Score |
|---|---|---|---|---|---|---|
| Control of operational software (50%) | Percentage of systems with unauthorized software vs. total number of systems reviewed (100%) | 0% | 10% | 11% | 1 | 1 |
| Control of technical vulnerabilities (50%) | Percentage of machines not carrying the latest patches vs. total number of systems reviewed (100%) | 10% | 30% | 5% | 3 | 3 |

9.0 Information security incident management (weightage 100%, domain score 2.00)

| Sub-domain (weightage) | Metric (weightage) | Lower Threshold | Upper Threshold | Metric Value | Metric Score | Sub-domain Score |
|---|---|---|---|---|---|---|
| Security Incident Reporting & Handling (100%) | Percentage of security incidents reported but not closed in the month (100%) | 10% | 25% | 13% | 2 | 2 |

10.0 Business Continuity Management (weightage 100%, domain score 3.00)

| Sub-domain (weightage) | Metric (weightage) | Lower Threshold | Upper Threshold | Metric Value | Metric Score | Sub-domain Score |
|---|---|---|---|---|---|---|
| BCM (100%) | Business continuity plans are updated and test drill records are available (yes/no) (100%) | 0 | 1 | 1 | 3 | 3 |

11.0 Compliance (weightage 100%, domain score 3.00)

| Sub-domain (weightage) | Metric (weightage) | Lower Threshold | Upper Threshold | Metric Value | Metric Score | Sub-domain Score |
|---|---|---|---|---|---|---|
| Identification of applicable legislation (10%) | Time in months since the list of applicable legislation was last reviewed (100%) | 6 | 12 | 6 | 3 | 3 |
| Organizational records (40%) | Archival records tracker updated in the last quarter (yes/no) (100%) | | | | 3 | 3 |
| Technical Compliance Checking (50%) | Vulnerability assessment carried out in the last quarter (yes/no) (100%) | | | | 3 | 3 |

The thresholds and measured values for the Organizational records and Technical Compliance Checking rows are not present in the exported sheet; only their sub-domain scores are, and since each sub-domain has a single metric weighted 100%, the metric score equals the sub-domain score.