
Percentage of Individuals Screened Before Being Granted Access to Organizational Information and Information Systems

| Field | Data |
|---|---|
| Measurement ID | Information access of screened/non-screened individuals |
| Goal | Strategic Goal: Ensure that all personnel are held to strict organizational expectations via a screening process.<br>InfoSec Goal: Ensure the organization's information assets are accessible only to employees who are deemed trustworthy and capable of following regulatory infosec expectations, rules, and policies. |
| Measurement | Percentage of Individuals Screened Before Being Granted Access to Organizational Information and Information Systems |
| Measurement Type | Implementation |
| Formula | The number of employees who were screened before being granted access to information and information systems in the past year, divided by the total number of employees, then multiplied by 100 |
| Target | 100 percent |
| Implementation Evidence | 1. What organizational information and information systems are present, and which are most used?<br>2. Which organizational information and information systems are the most sensitive?<br>3. Which organizational information and information systems require screening? Do all require screening? Yes/No<br>4. Are records kept of which employees have been screened? Yes/No<br>5. Is there a standardized screening process? Yes/No. Who is responsible for designing and performing the screening?<br>6. How many employees are there? How many employees have been screened in the past year?<br>7. Are employees re-screened at regular intervals? Yes/No<br>8. If personnel have information access but have not been screened, document all reasons that apply:<br>a. Lack of infosec personnel<br>b. Insufficient funding<br>c. Insufficient time<br>d. The type of information and information system does not require screening<br>e. The employee is a contractor/temp (should still be screened, but with a different test, since the access they require calls for further scrutiny)<br>f. Other (specify) |
| Frequency | Collected as screening is performed and reported annually. |
| Responsible Parties | Information owner: Infosec<br>Information collector: Infosec<br>Information customer: CSO |
| Data Source | Employee Security Screening |
| Reporting Format | Pie chart displaying the percentage of employees who were screened prior to information and information system access versus those who have access but were not screened.<br>If performance is below the 100% screening target, an additional pie chart will show all causes of failure. |
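The following is an added example, not part of the original template, showing how the Formula and the failure breakdown for the second pie chart can be computed from screening records. It assumes a simple per-employee record (employee ID, date access was granted, date screening was completed if any, and a reason code from item 8 of the Implementation Evidence list); the record layout, the sample data and the `as_of` reporting date are constructed for illustration. A screening completed on or after the access grant date does not count, since the measure is screening *before* access.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Reason codes from item 8 of the Implementation Evidence list.
REASON_CODES = {
    "a": "Lack of infosec personnel",
    "b": "Insufficient funding",
    "c": "Insufficient time",
    "d": "Type of info and info system does not require screening",
    "e": "Employee is a contractor/temp",
    "f": "Other (specify)",
}


@dataclass
class AccessRecord:
    """One employee's access grant and screening status (assumed layout)."""
    employee_id: str
    access_granted: date
    screened_on: Optional[date]          # None if the employee was never screened
    unscreened_reason: Optional[str] = None  # reason code when not screened before access


def screened_before_access(rec: AccessRecord) -> bool:
    """True only if screening was completed on or before the day access was granted."""
    return rec.screened_on is not None and rec.screened_on <= rec.access_granted


def compute_metric(records: list) -> dict:
    """Apply the template's formula and tally the reasons behind each failure.

    percent = (employees screened before access / total employees) * 100
    """
    total = len(records)
    if total == 0:
        raise ValueError("no employee records; the metric is undefined")
    screened = sum(1 for r in records if screened_before_access(r))
    reasons = {}
    for r in records:
        if screened_before_access(r):
            continue
        # Unknown or missing codes are reported under "f. Other" so no failure is lost.
        code = r.unscreened_reason if r.unscreened_reason in REASON_CODES else "f"
        reasons[code] = reasons.get(code, 0) + 1
    return {
        "total": total,
        "screened": screened,
        "percent": screened / total * 100,
        "unscreened_by_reason": reasons,
    }


def meets_target(records: list, target_percent: float = 100.0) -> bool:
    """The template's target is 100 percent; anything lower triggers the failure chart."""
    return compute_metric(records)["percent"] >= target_percent


def report_lines(records: list) -> list:
    """Plain-text version of the two pie charts described under Reporting Format."""
    m = compute_metric(records)
    lines = [f"Screened before access: {m['screened']}/{m['total']} ({m['percent']:.1f}%)"]
    if m["percent"] < 100.0:
        lines.append("Causes of failure:")
        for code, count in sorted(m["unscreened_by_reason"].items()):
            lines.append(f"  {code}. {REASON_CODES[code]}: {count}")
    return lines


# Constructed sample data for one reporting year (not real personnel records).
SAMPLE_RECORDS = [
    AccessRecord("E001", date(2024, 3, 4), date(2024, 2, 20)),          # screened before access
    AccessRecord("E002", date(2024, 4, 1), date(2024, 4, 15), "c"),     # screened too late
    AccessRecord("E003", date(2024, 5, 9), None, "e"),                  # contractor, never screened
    AccessRecord("E004", date(2024, 6, 2), date(2024, 6, 2)),           # same day counts
    AccessRecord("E005", date(2024, 8, 19), date(2024, 7, 30)),         # screened before access
]

if __name__ == "__main__":
    for line in report_lines(SAMPLE_RECORDS):
        print(line)
```

Only the access-grant and screening dates decide the numerator, so a late screening shows up as a failure with its reason rather than silently counting as compliant; that is the distinction the annual report needs in order to explain a result below the 100 percent target.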