Security Performance Measure Example

Percentage of Individuals Screened Before Being Granted Access to Organizational Information and Information Systems

Measurement ID: Information access of screened/non-screened individuals

Goal:
  Strategic goal: Ensure that all personnel are held to strict organizational expectations via a screening process.
  InfoSec goal: Ensure the organization's information assets are accessible only to employees who are deemed trustworthy and capable of following regulatory infosec expectations, rules, and policies.

Measurement: Percentage of individuals screened before being granted access to organizational information and information systems

Measurement Type: Implementation

Formula: The number of employees who were screened before being granted access to information and information systems in the past year, divided by the total number of employees, multiplied by 100

Target: 100 percent

Implementation Evidence:
  1. What organizational information and information systems are present, and which are most used?
  2. What organizational information and information systems are the most sensitive?
  3. What organizational information and information systems require screening? Do all require screening? Yes/No
  4. Are records kept of which employees have been screened? Yes/No
  5. Is there a standardized screening process? Yes/No. Who is responsible for creating and performing the screening?
  6. How many employees are there? How many employees have been screened in the past year?
  7. Are employees re-screened at regular intervals? Yes/No
  8. If personnel have information access but have not been screened, document all reasons that apply:
     a. Lack of infosec personnel
     b. Insufficient funding
     c. Insufficient time
     d. The type of information and information system does not require screening
     e. The employee is a contractor/temp (should still be screened, but with a different test, since the information access they require warrants further scrutiny)
     f. Other (specify)

Frequency: Collected as screening is performed and reported annually.

Responsible Parties:
  Information owner: Infosec
  Information collector: Infosec
  Information customer: CSO

Data Source: Employee security screening

Reporting Format: Pie chart displaying the percentage of employees who were screened prior to information and information system access versus those who have access but have not been screened.
  If performance is below the targeted 100% screening, an additional pie chart shows all causes of failure.
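To show how the formula and the failure breakdown are actually produced from screening records, here is an added example (not part of the original post or the cited textbook). It assumes a constructed roster of records with an access-grant date, an optional screening-completion date, and a reason code from evidence item 8; a screening completed after the grant date does not satisfy the measure and is reported as its own cause.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class AccessRecord:
    employee_id: str
    access_granted: date                # date access to info/systems was granted
    screened_on: Optional[date] = None  # screening completion date; None if never screened
    reason: Optional[str] = None        # reason code a-f from evidence item 8 when unscreened


# Constructed sample roster (not real data); all access was granted in the reporting year.
ROSTER = [
    AccessRecord("E1", date(2023, 3, 1), date(2023, 2, 20)),
    AccessRecord("E2", date(2023, 5, 10), date(2023, 6, 1)),  # screened only after access
    AccessRecord("E3", date(2023, 7, 15), reason="c"),        # insufficient time
    AccessRecord("E4", date(2023, 9, 1), date(2023, 8, 30)),
    AccessRecord("E5", date(2023, 11, 2), reason="e"),        # contract/temp employee
]


def screened_before_access(rec: AccessRecord) -> bool:
    """A screening counts only if it was completed on or before the access-grant date."""
    return rec.screened_on is not None and rec.screened_on <= rec.access_granted


def compute_measure(roster, period_end: date, period_days: int = 365):
    """Apply the measure's formula: employees screened before access granted in the past
    year, divided by total employees, times 100. Also tally causes for the second chart."""
    period_start = period_end - timedelta(days=period_days)
    screened = sum(
        1 for r in roster
        if period_start < r.access_granted <= period_end and screened_before_access(r)
    )
    causes = Counter()
    for r in roster:
        if screened_before_access(r):
            continue
        # Screening done after the grant still fails the measure; report it as its own cause.
        causes["screened after access" if r.screened_on else (r.reason or "f")] += 1
    pct = 100.0 * screened / len(roster) if roster else 0.0
    return pct, causes
```

Running `compute_measure(ROSTER, date(2023, 12, 31))` on the constructed roster gives 40.0% with causes {"screened after access": 1, "c": 1, "e": 1}, which are the two series the reporting format asks for.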
