Metrics from Extended Network


Initially, Information Security measures the effectiveness of information security only within the Information Technology domain; however, to continue the maturity journey, this effort must be planned to eventually expand to the entire organisation.

Procedures should be instated in a scalable fashion so that they grow organically to measure the entire enterprise effectively, with Cybersecurity teams relying on the support of several areas/departments to obtain the information needed to calculate security metrics.  This information comes in the form of reports from other areas of the business, developed in coordination with Cybersecurity.

Types of Reports

The reports may not have a defined form; they can be verbal or written, on paper or electronic, and are provided every month.

Human Resources (HR) Report

This monthly report is intended to be sent by the Human Resources Administrator to a Cybersecurity Analyst.  In the report, the Human Resources Administrator sends information that details (on a monthly basis):

  • Number of total signed Code of Conduct forms
  • Number of new employees that have started each month
  • Number of new signed Code of Conduct forms
  • Number of signed Code of Conduct forms by non-employees
  • Number of job descriptions with security responsibilities

Information Technology (IT) Report

This group includes Mainframe Operations, Distributed Systems, and Network Integration Services; the monthly report is sent to a Cybersecurity Analyst by designated Information Technology employees.  In the report, Information Technology sends information that details:

  • A report of the IT budget and the Security Budget (from the IT Budget Manager)
  • Changes to the list of information assets that IS maintains (including application/system owners, changes in information asset classifications, new information assets, etc.)
  • Number of modems in the IT environment
  • Number of failed authentication attempts to critical systems
  • Date when system access for terminated employees was removed
  • Date of non-employees’ last day of service
  • Date when system access of terminated non-employees was removed
  • The date that new employees and non-employees need system access
  • The actual date that access was granted for employees and non-employees
  • Number of employees with privileged operating system access
  • The number of developers with logical access to the production areas in distributed systems

Security Point of Contact (SPOC) Report

This monthly report is sent to the Cybersecurity Analyst by the SPOCs.  This report helps the Security Analyst in calculating many metrics.  In the report, each SPOC sends information that details:

  • Number of signed code of conduct forms
  • Number of new employees that have started each month
  • Number of new signed code of conduct forms
  • Number of signed CCG forms by non-employees
  • Changes to the list of information assets that IS maintains (including application/system owners, changes in information asset classifications, new information assets, etc.)
  • Number of job descriptions with security responsibilities
  • Number of modems in the SPOC’s environment
  • Number of failed authentication attempts to critical systems
  • The number of nodes that are not in compliance with Anti-Virus Standards
  • Number of failed remote authentication attempts
  • Date when system access for terminated employees was removed
  • Date of non-employees’ last day of service
  • Date when system access of terminated non-employees was removed
  • The date that new employees and non-employees need system access
  • The actual date that access is granted for employees and non-employees
  • Number of non-compliant user passwords for each distributed system
  • Number of employees with privileged OS access
  • Number of developers with logical access to the production areas
  • A qualitative assessment of implemented physical and environmental controls, anti-virus update procedure controls, and business continuity management for critical business processes

Communications Report

This monthly report is sent to a Cybersecurity Analyst by the Communications Manager.  In the report, the Communications Manager sends information that details the number of egress points at the company.

Business Application Owners Report

This monthly report is sent to the Cybersecurity Analyst by the Business Application Owners.  In the report, the Business Application Owners send information that details:

  • Number of failed authentication attempts to critical business applications
  • Date when system access of terminated employees was removed
  • Date of non-employees’ last day of service
  • Date when system access of terminated non-employees was removed
  • Date that new employees/non-employees need system access
  • The actual date that access is granted for new employees/non-employees
  • Number of non-compliant user passwords for each application
  • The number of developers with logical access to the production areas in distributed systems
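The date fields that the IT, SPOC and Business Application Owners reports all carry are enough to derive an access de-provisioning lag and a provisioning lag, and the HR counts give a Code of Conduct coverage rate. The following added example (not code from the original page) computes those metrics over constructed sample rows; the 1-day allowed removal window is an assumed policy value, not one the page states.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

@dataclass
class AccessEvent:
    person: str
    last_day: date        # termination date, or a non-employee's last day of service
    access_removed: date  # date system access was actually removed

@dataclass
class ProvisionEvent:
    person: str
    needed_on: date       # date the new starter needs system access
    granted_on: date      # date access was actually granted

# Constructed sample rows for one month; not data from the original page.
TERMINATIONS = [
    AccessEvent("emp-01", date(2024, 3, 1), date(2024, 3, 1)),
    AccessEvent("emp-02", date(2024, 3, 4), date(2024, 3, 9)),
    AccessEvent("ctr-07", date(2024, 3, 15), date(2024, 3, 18)),
]
PROVISIONS = [
    ProvisionEvent("emp-03", date(2024, 3, 11), date(2024, 3, 10)),
    ProvisionEvent("ctr-08", date(2024, 3, 12), date(2024, 3, 14)),
]

def removal_lag_days(events):
    """Days each account stayed active after the person's last day."""
    return {e.person: (e.access_removed - e.last_day).days for e in events}

def deprovisioning_metrics(events, max_allowed_days=1):
    """Mean/max revocation lag and the accounts that exceeded the allowed window
    (the 1-day window is an assumed policy value, not one the page states)."""
    lags = removal_lag_days(events)
    return {
        "mean_lag_days": round(mean(lags.values()), 2),
        "max_lag_days": max(lags.values()),
        "breaches": sorted(p for p, d in lags.items() if d > max_allowed_days),
    }

def provisioning_lag_days(events):
    """Positive = access granted after it was needed; negative = granted early."""
    return {e.person: (e.granted_on - e.needed_on).days for e in events}

def code_of_conduct_coverage(new_employees, new_signed_forms):
    """Share of this month's starters who returned a signed Code of Conduct form."""
    if new_employees == 0:
        return None  # nothing to measure this month; avoid a misleading 0%
    return round(new_signed_forms / new_employees, 3)
```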

Company’s Police Department Report

This monthly report is sent to the Cybersecurity Analyst by the Police Department’s chief administrator.  In the report, the information details the number of equipment thefts (laptops, mobiles, tablets, etc.) that have occurred over the last month.

Internal Audit Report

This monthly report is sent to the Cybersecurity Analyst by Internal Audit.  In the report, Internal Audit sends information that details:

  • Number of audits that Internal Audit has performed
  • Number of unacceptable audit reports
  • Number of vulnerabilities ranked by type and severity for each critical Information Asset
  • A qualitative assessment of implemented physical and environmental controls, anti-virus update procedure controls, and business continuity management for critical business processes