Security Metric of the Week #61: proportion of information security policy statements unambiguously linked to control objectives
Measuring is one way to reinforce the linkage between policy statements and higher level control objectives or axioms. Policies that bear no relation to control objectives/axioms beg the question: what are they meant to achieve? How will the organization determine whether they are effective if the intended outcome is uncertain? What is the justification for compliance with the policy, and what are the implications of low compliance?
Conversely, a strong security policy with a specific, legitimate purpose that cannot be linked to a control objective or axiom implies the need to fill a gap in the high-level control framework.
PRAGMATIC ratings:
|
P
|
R
|
A
|
G
|
M
|
A
|
T
|
I
|
C
|
Score
|
|
92
|
91
|
64
|
60
|
85
|
65
|
45
|
75
|
75
|
72%
|
"Unambiguously linked" leaves some wiggle room for subjective interpretation, while reviewing and assessing the linkages across the entire policy suite will inevitably take some Time to achieve.
72% is a pretty good PRAGMATIC score, making this a metric well worth considering unless there are other even-higher-scoring metrics that would achieve the same ends more effectively and efficiently. If ACME Enterprises Inc. had identified concerns in relation to their policy coverage, this metric may be just the ticket to drive a policy review and improvement project, and perhaps it might be reported every year or two thereafter as an assurance measure. You could say that he process and the metric need each other.
No comments:
Post a Comment
Have your say!