Information Security Program Metrics

In this story, we will look at the standards related to the information security metrics, how to establish the information security program metrics, discuss different audiences to consume those metrics, and look at the metrics for operational users and board of directors.

What is the Information Security Metric?

An information security metric is a measurable way to assess various aspects of an organization’s information security program, processes, and controls. In other words, track and evaluate the effectiveness of an organization’s security efforts. These metrics help organizations make informed decisions to protect their sensitive information and assets and mature their security posture. Information Security Metrics can cover a wide range of areas including- 1) Asset Inventory Management 2) Risk Assessment 3) Third Party Security Risk Management 4) Incident Response 5) Vulnerability Management 6) Patch Management 7) Access Control 8) Security Awareness 9) Endpoint Security 10) Network Security 11) Phishing and Social Engineering 12) Security Investment 13) Business Continuity and Disaster Recovery 14) Security Operations 15) Policy Management 16) Privacy DSARs 17) Cloud Security Metrics 18) Regulatory Compliance 19) Physical Security Metrics 20) Insider Threat Risk Metrics and more.

How to Establish the Information Security Program Metrics?

--

--

Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT
Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Written by Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.

No responses yet