1.0 Objective :
To define a System for setting of Information Security Objectives/Key Performance Indicators (KPIs) and monitoring them for achievement.
2.0 Scope :
Relates to Objectives/KPIs related to Information Security for all the key functions of XXX
3.0 Responsibility:
- CISO
- Department Heads
4.0 Procedure:
Setting of Objectives /Key Performance Indicators
Management of XXX shall set yearly Information Security Objectives/KPIs for all the Departments . Department Heads sets own objectives based upon the risk assessment . The Information security objectives /KPIs fall into 5 broad categories :
- IT and business alignment
- Information security risk management process
- Compliance processes
- Awareness process
- Audit processes
It is ensured that the Objectives are in line with the Corporate policy for Information Security Management.
Information Security Objectives for departments
The Department Head of each section/department sets up Information Security Objectives and are communicated to all the key members of the team. Defined objectives cover:
- Measurable targets
- Time frame to achieve the targets
- Plan of action for achievement of the Objectives.
Monitoring of Objectives
Monitoring of Objectives is done by Department Heads and the frequency of review is set by the Department Head , for each objective / KPI and are usually half-yearly. The achievement of Objectives is reviewed on a six monthly basis and are recorded in the Objectives Review Report . The objectives review details are consolidated and discussed in the Management Review Meeting attended by the higher Management.
5.0 Records:
- Objectives and their Review Records ( F-08)
- Management Review Meeting Minutes. ( F-10)
6.0 References:
Nil
Example of Objective
1. IT and business alignment
| Objective | Method/sources | Targets | Justification | Findings | Justification | Action plans |
| % of business strategic goals and requirements supported by information security strategic goals and decisions. | Review business strategic decisions and ensure that they have been risk-assessed in relation to IT and information security issues. Likewise all major information security strategic decisions should be reviewed and approved by upper management to ensure alignment with business services and strategies. | 100% | All business decisions need to be supported by IT decisions and specifically information security issues. If not relevant, this needs to be documented and approved as part of the project phase. | 50% | Our latest outsourcing and IT procurement decisions have not been aligned with our IT strategy and specifically not with information security requirements. | Ensure that IT requirements are mandatory on the agenda and all relevant information security requirements and potential issues are identified and addressed. |
| Level of business (stakeholders) satisfaction with offered information security services and internal support. Does information security bring value to the stakeholders? | Data collected through interviews or survey forms sent to relevant stakeholder of each business unit, business process or similar. | High | Our baseline is above average e.g. high level of satisfaction with offered information security services (scale going from low over medium, high, to excellent). | High | Compared to last year we have increased the level of satisfaction from medium to high. | No action plans |
| Percentage of executive management roles with clearly defined accountability for information security decisions. | Review job roles and descriptions to ensure that responsibility and accountability has been defined and communicated. | 80% | It’s important that management and, in particular, business unit owners and IT-systems owners have clearly defined roles and accountability. We are planning to increase the numbers from 50% to 80% this year and next year ensure 100% coverage. | 85% | We are on target this year with 85% | No action plans |
| % of changes to the information security strategy that is approved by management. | Review current information security strategy or major information security strategic decisions and ensure that management has formally approved them. | 100% | All information security strategic decisions need to be approved by management. | 75% | Some IT-strategic decisions to outsource critical IT-systems during 2022 were not risk assessed or approved by management. | Ensure that all major IT-strategic decisions are management approved. Establish some baseline requirements for management approval. For example: 1) Critical IT-services 2) Sensitive data? 3) Specific information security issues 4) Budgetary scope 5) Conflicts with business strategies |
2. Information security risk management process
| Objective | Method/sources | Targets | Justification | Findings | Justification | Action plans |
| % of business processes and their-services covered by the risk management process. | Interviews and correlation with management. | 50% | Depending on current maturity level of an organisation it could be all or only some of the business processes/IT-services. Extending coverage could be part of a maturity process. | 40% | Four critical business processes have not been subjected to a BIA | We need to find out if it’s a resource problem or poor risk planning |
| % of approved risk treatment plans actually being implemented compared to last risk assessment. | Correlate with previous risk assessment reports. | 100% | We need to ensure that proposed and approved risk treatment plans are carried through and not forgotten or “saved for later”. | 60% | Only 60% of the approved action plans have been implemented this year. This is a drop on 20% compared to last year. | Training of risk treatment to the team. Identify the root cause for e.g. is it financial issue, lack of ownership or other factors. |
| Are significant organisational or technological changes being reflected in the latest risk assessment? | Interview and review of risk assessment reports. | 100% | All major technological shifts (IT- procurement, investments, outsourcing, etc.) need to be reflected in the IT-risk assessment. | 100% | Our use of cloud outsourcing services and the approval of BYOD has been included in the IT-risk assessment. | No action plans |
| % of IT budgets used to manage IT risk management processes.This requires information security spending to be documented | Correlate total man-hours spent on risk assessment process with total IT-budget. | No value | Target could be just to track spending on IT-risk management processes. The metric doesn’t necessarily need to define a maximum % of IT budget or information security budget. | 15% | Budgets and time spend on the IT-risk assessment process have increased 15% since last assessment. | Further analysis needs to be done. Causes can range from: 1) Changes in the methodology 2) Resource issues 3) Increase in number of identified risks (correlate with other metrics) |
| Number of new threats and risks identified compared to previous risk assessment. | Compare total numbers of risks/vulnerabilities, and/or criticality level with previous IT-risk assessments. | 0 | We need to reduce our risk posture and ensure that prior risks and vulnerabilities don’t reoccur. | 7 | The total number of critical risks/ vulnerabilities is slightly increasing, but the number of recurrent risks/ vulnerabilities has decreased, which indicates that we have effectively addressed prior IT-risk assessment identified risks. | Further analysis needs to be done. Causes can range from: 1) Changes in the methodology 2) Resource issues 3) Increase in number of identified risks (correlate with other metrics) |
| Tracking changes to risk appetite. Does it increase or decrease? Can we correlate it to strategic, organisational or financial decisions? | Look at changes to risk threshold. Arguments for rejections and approvals of action plans would also be a source. Correlate that with strategy changes, technology changes, security incidents, organisational changes, etc. | No change | Changes to risk appetite should be recorded as part of management reporting along with explanation of possible reasons. | Decrease | Our risk appetite has decreased this year compared to last year. | Analyse why risk appetite has changed. |
| Level of satisfaction with risk outcome from business perspective. This could be the risk outcome from the BIA, vulnerability assessment or action plans. The business needs to review the quality and output of the BIA to ensure data is correct. Measurement scale: not satisfied, acceptable or very satisfied. | Interviews or self-assessment questionnaire. | Very Satisfied | We need a high level of satisfaction (very satisfied) with the risk results from the BIA’s and vulnerability assessments. | Acceptable | Input from business owners, system owners and IT operations suggest that the results were not aligned with their expectations. There were too many errors in the assessments and especially in relation to the maturity assessment of IT- controls. | We need to ensure that the people performing the risk assessment are adequately competent and internal review of results must be done before final reporting. |
3. Compliance processes
| Objective | Method/sources | Targets | Justification | Findings | Justification | Action plans |
| Number of non-compliance issues and derived costs per year (e.g. external requirements, policies and procedures) | Reviewing end-of-year reported incidents including major external audit findings | 0 | No major non-compliance issue with either financial or image impact. | 1 | We had a data breach by our outsourcing vendor | Review relevant IT-security processes and vendor contract. |
| Time between identification of non-compliance and implementation of fixes. Helps identify problems with the efficiency of the compliance process. | Correlate time of reported non-compliance issues of security incidents with actual implementation time. | 0 cases | Depending on the complexity, the issue needs to be addressed within two working days. | 2 Case | We had two incidents that still haven’t been resolved. | We need to evaluate the effectiveness of the internal compliance department. Do we need to restructure the process? Are there any resource constraints or internal opposition? |
| Costs for fixing non-compliance issues such as administrative work in relation to fixing the problems (process optimization, procedures, policies or IT controls). | Review total costs associated with fixing non-compliance with annual IT-budget. | 20% (max) | Under normal circumstances, there is a maximum of 20% of IT-budgets allowed for addressing security related issues. | more then 20% | Costs relating to non-compliance issue exceed the 20% limit. This includes performing a new pen-test and reworking of policies with the assistance of external consultants. | Has a business case and cost-benefit analysis been performed? Who has reviewed and approved the spending? |
| Total costs due to reputation loss, financial fines, loss of clients, etc.) Per compliance incident. | Review total impact costs associated with compliance issue. | 0% | Recording the total cost and comparing this with last year. The target is not to have an increase in costs, but a decrease. | Reduction by 15% | Total cost associated with this year’s compliance incidents has decreased by 15 % and there was 1 less incident. | No action plans |
4. Awareness process
| Objective | Method/sources | Targets | Justification | Findings | Justification | Action plans |
| % deviation when comparing established success factors for awareness campaigns with the results of implemented campaigns. | Comparing results from awareness/ training program with results of physical audits or employee quizzes/tests. | 80% | he goal was to ensure that minimum 80% completed the test/quiz following the campaign. Physical inspection of work areas shows a significant decrease in physical sensitive work paper, unlocked workstations, USB devices, etc. | 60% | Less than 60% answered correctly on the mobile device policies and use of cloud-services. During our internal audit, we discovered unlocked workstations and customer-sensitive documents lying in the printer room. | We need to re-evaluate the way we present the message. Perhaps we can make it more story-driven and be better at using the intranet. |
| Are awareness plans/ strategies/sessions/courses, etc. aligned with information security risks currently of concern to the organisation? | Correlate awareness/training programs and strategy with current risk posture (results from risk assessment, external requirements, security incidents, technological changes, audits, etc.). | Yes | There needs to be a direct link between focus-areas of awareness/training and current risk posture. | No | The awareness strategy has been arbitrarily chosen more based on security trends and media talk than actual risks relevant to the organisation. | We need to ensure that it’s derived from relevant risks to our organisation. |
| % of IT users who have visited the security awareness intranet site so far this month. | Document the monthly visit rate on the information security section of the intranet. | 70% | Our average visit rate must not fall below 70%. | 90% | The last update with the malware alert was seen by 90% of IT-employees | No action plans |
| Cost-effectiveness of the awareness and training program E.g. can we detect a reduction in security incidents with financial impact, impact to intangibles (image/reputation). | Compare security incident before/ after awareness/ training efforts. This could also include physical observations of related employee behaviour, number of support calls or input from network security (IDS, IPS, content filtering or policy violations). Other sources: Results from audits. | Decrease | We must be able to detect a reduction in security incidents following our awareness/training programs. | Decrease | All approved follow-up plans have been implemented. | No action plans |
| Retention of key awareness messages % of employees that remember awareness messages. Can be measured by doing tests/quizzes on prior awareness campaign themes. | Compare results of tests performed a short time after completion to test run after a longer period of time e.g. 2- 6 month. | 60% | Success rate of 60% of employees remembering prior awareness/training themes. | less then 50% | The knowledge of the topics drops dramatically after 6 months, compared to tests run after completion of awareness training. | We need to maintain awareness and knowledge on important security themes by increasing the frequency of awareness initiatives. |
