
A Collection of Key Risk Indicators for Information Security & Technology

www.opsdog.com
info@opsdog.com
844.650.2888
You can’t secure what you can’t see...

All improvement begins with measurement. That’s what this book of essential Key Risk Indicators is all about.

It will help you pinpoint areas in need of attention. It will help you to baseline, to benchmark, and to get better.

We would like to help.

Did you know that OpsDog has helped the world’s leading enterprises to identify and improve their essential KRIs without any new technology?

Think of that as you page through this book.

Then call 844.650.2888 or visit www.OpsDog.com.

THANK YOU!
Table of Contents

Information Security & Technology Key Risk Indicators

Information Security ............................ 3
    Data Integrity Risks ........................ 5
    Data Privacy Risks .......................... 8
    External Threats ............................ 8
    Internal Threats ............................ 11

Information Technology .......................... 21
    IT Development Risks ........................ 23
    IT Planning & Performance Management Risks .. 26
    Technology Infrastructure Risks ............. 30
    Telecommunications & Connectivity Risks ..... 40

This content may not be copied, distributed, republished, uploaded, posted or transmitted in any way without the prior written consent of OpsDog, Inc.

Information Security

• Data Integrity Risks
• Data Privacy Risks
• External Threats
• Internal Threats
Information Security

Data Integrity Risks

1. Percentage of Systems With Monitored Event and Activity Logs

Definition: The number of systems with event and activity logs that are monitored as a percentage of total systems managed by the organization.

Rationale: This metric measures the percentage of systems with monitored event and activity logs. Monitored logs result in faster alerts to unusual system activity (attacks, capacity events). Such logs may also be able to reveal a timeline of an attack and unique identifying information about an attacker. For example, a log of alterations to core system files can be monitored and correlated with other logs of user events to determine which user took illegal action on a network.

Formula: (Number of systems with monitored logs) / (Total number of systems)

Related KRIs/KPIs: Number of Expired Certificates Within the Network, Number of Failures to Properly Send Logs to Central Log Management System, Number of Instances Where Central Log Management System Exceeded Storage Availability Requirements

2. Number of Failures to Properly Send Logs to Central Log Management System

Definition: The number of times within a measurement period that system logs go unreported to a central log management system.

Rationale: This metric measures the adherence to policy within an IT system to a central log archive system. Logs may be archived or serialized into a database format by a third-party service for future analysis. Failure to adhere to such a policy will result in missing information and will undermine future threat responses.

Formula: Number of non-compliant logs during a measurement period

Related KRIs/KPIs: Percentage of Systems With Monitored Event and Activity Logs, Number of Instances Where Central Log Management System Exceeded Storage Availability Requirements

3. Number of Instances Where Central Log Management System Exceeded Storage Availability Requirements

Definition: The number of times within a measurement period in which the central log management system ran out of storage space, resulting in logs not being properly recorded.

Rationale: This metric measures the number of times within a measurement period in which too many system logs were generated. Numbers of logs that overflow the ability to store or analyze them could indicate that a direct denial-of-service attack is underway, and in that case would be treated as a security event. In other contexts, overflowing logs may simply be the result of lax archiving policies or a poor understanding about which system events are higher value and which are lower.

Formula: Number of instances during examination period that the central log management system ran out of memory

Related KRIs/KPIs: Percentage of Systems With Monitored Event and Activity Logs, Number of Failures to Properly Send Logs to Central Log Management System

4. Number of Repeating Security Incidents

Definition: The number of security incidents that occurred more than once during the measurement period.

Rationale: This metric measures the effectiveness of an IT system’s response to a repeated threat. Repeating security incidents that bear similar root causes or exploit similar weaknesses in IT infrastructure indicate that a definite weakness exists in the security of an IT system, and that this weakness has not been remedied. A large number of repeating security incidents occurring during an examination period would indicate that a specific set of vulnerabilities should be addressed immediately.

Formula: The number of similar security incidents in an examination period

Related KRIs/KPIs: Percentage of Security Incidents Affecting Critical Operations & Services

5. Percentage of Database Systems Storing BOTH Sensitive and Non-Sensitive Data

Definition: The number of database systems storing both sensitive and non-sensitive data as a percentage of total database systems managed by the company at the same point in time.

Rationale: This metric measures the quality of data access authorization procedures as well as the IS function’s ability to limit or eliminate the use of potentially vulnerable systems. Database systems that have access to both sensitive and non-sensitive data increase the risk that unauthorized employees will use, manipulate or leak important information.

Formula: (Number of Database Systems Storing Both Sensitive and Non-sensitive Data / Total Number of Database Systems Used) * 100

Related KRIs/KPIs: Number of Accounts Determined to Have Unintended Access to Sensitive Data Within Last 30 Days, Number of Systems with Known Vulnerabilities, Percentage of Systems with Known Vulnerabilities

6. Percentage of Passwords Currently Not Adhering to Password Quality Standards

Definition: The total number of monitored application/system passwords that are not adhering to password quality standards (length of password, character diversity used, etc.) as a percentage of the total number of passwords monitored at the same point in time.

Rationale: This metric measures the vulnerability of a company’s data and the IS function’s ability to detect and resolve issues concerning passwords that are not adhering to password quality standards. Weak passwords make it all the easier for security incidents to occur and sensitive data to be used, manipulated or leaked.

Formula: (Number of Monitored Passwords Not Adhering to Password Quality Standards / Total Number of Passwords Being Monitored) * 100

Related KRIs/KPIs: Number of System/Application Passwords Audited Within Last 90 Days, Percentage of System/Application Passwords Audited Within Last 90 Days

7. Percentage of User Accounts Assigned to a Single Individual

Definition: The number of user accounts that are assigned to a single individual as a percentage of the total number of user accounts managed at the same point in time.

Rationale: This metric measures the risks related to sharing user accounts amongst employees. When accounts are shared (assigned to more than one individual), there is a decrease in accountability for the activity that takes place on the shared account. For instance, any unauthorized activity or modifications that take place on the account cannot be traced back to a single individual.

Formula: (Number of User Accounts Assigned to a Single Individual / Total Number of User Accounts) * 100

Related KRIs/KPIs: Percentage of User Accounts with Access to Sensitive Data, Percentage of Systems/Applications Where Data Modifications are Traceable to Source, Number of Instances of Unauthorized Data Modification

8. Percentage of Systems/Applications Where Data Modifications are Traceable to Source

Definition: The number of systems/applications in which data modifications are traceable to a source as a percentage of the total number of systems/applications in use within a network at the same point in time.

Rationale: This metric measures an organization’s ability to hold users accountable for changes or modifications of data characteristics based on the system/application’s capacity to trace those modifications back to the user. If data modifications are traceable to a source, it will reduce the likelihood that an employee or other threat will attempt to modify data records in a way that is harmful to the company.

Formula: (Number of Systems or Applications Where Data Modifications are Traceable to a Source / Total Number of Systems or Applications) * 100

Related KRIs/KPIs: Number of Instances of Unauthorized Data Modification, Percentage of User Accounts Assigned to a Single Individual, Percentage of User Accounts with Access to Sensitive Data

9. Number of Users with Write Permissions for Sensitive Data

Definition: The total number of users that have write permissions for sensitive data at the time of measurement.

Rationale: This metric measures the risk associated with users that have the ability to create, change, or modify data that is sensitive to the company or individuals. The more users that have write permissions for sensitive data, the greater the chance of that data being changed or modified in a manner that could be harmful to the organization (i.e., changing passwords, altering company information, etc.).

Formula: Count of Users with Write Permissions for Sensitive Data

Related KRIs/KPIs: Number of Instances of Unauthorized Data Modification, Percentage of Systems/Applications Where Data Modifications are Traceable to Source, Percentage of User Accounts with Access to Sensitive Data

10. Number of Instances of Unauthorized Data Modification

Definition: The total number of instances or occurrences in which a user or external intruder modifies network data without authorization from the network administrator during the measurement period.

Rationale: This metric measures the frequency of occurrences in which there is a malicious attempt to alter the data records within the database. A greater number of instances of unauthorized data modification will indicate that the organization is at a greater risk due to identity theft, potential data breaches, account permission changes, client information modifications, etc.

Formula: Count of Instances of Unauthorized Data Modification

Related KRIs/KPIs: Number of Security Incidents Resulting in Unauthorized Data Access or Leak (Total), Percentage of Systems/Applications Where Data Modifications are Traceable to Source, Number of Users with Write Permissions for Sensitive Data

Data Privacy Risks

11. Percentage of Devices and Systems Holding Sensitive Data that are Not Encrypted

Definition: The number of devices and systems holding sensitive data (of all types) that are not currently encrypted as a percentage of total devices and systems managed by the organization.

Rationale: This metric should be at or near 100%. If any device contains sensitive information (e.g. IT administrative credentials) that is not protected by encryption, then an extremely clear accounting of such devices must be made, and IT professionals should be able to make compelling arguments for their existence. Additional measures such as air-gap security should be taken. A decreasing trend in a time series of this metric will indicate serious vulnerability of an IT system.

Formula: (Number of devices and systems that possess sensitive information and were not protected by encryption during examination period) / (Number of devices and systems that possess sensitive information in the IT system during examination period)

Related KRIs/KPIs: Percentage of Security Incidents Affecting Critical Operations & Services, Percentage of System Production Databases that are Not Encrypted, Percentage of System Production Applications that are Not Encrypted

12. Number of Security Incidents Resulting in Unauthorized Data Access and Leak (Total)

Definition: The total number of security incidents (a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, etc. of information) across all applications/systems in use that result in unauthorized data access or leak during the measurement period.

Rationale: This metric measures the quality of data access authorization procedures and practices and the IS function’s ability to detect and resolve any issues concerning unauthorized data access or leaks. The quicker such issues are detected and resolved, the less damage will be done to the company’s sensitive information.

Formula: Number of Security Incidents That Result in Unauthorized Data Access or Leak

Related KRIs/KPIs: Percentage of Security Incidents Resulting in Unauthorized Data Access or Leak of Investor Information, Percentage of Security Incidents Resulting in Unauthorized Data Access or Leak of Financial Information

External Threats

13. Time Between Security Incidents (All Incident Types)

Definition: The amount of time (measured in days) elapsed between system security incidents, measured from the moment the security incident is detected until the time that the following security incident is detected (includes the time required to run any security patches and system updates after the first incident).

Rationale: This metric measures the change in system security following a security patch or other update. For instance, a shorter Time Between Security Incidents might indicate that a previous security patch was either ineffective, or opened the system up to new security risks.

Formula: Sum of time between failures for system(s) being examined

Related KRIs/KPIs: All Systems, System Availability - All Systems, Mean Time Between Security Incidents (All Incident Types), Mean Time Between Security Incidents That Affect Critical Operations & Services

14. Number of Expired Certificates Within the Network

Definition: The total number of certificates in the organization’s network that have passed their expiration date at the point of measurement.

Rationale: This metric measures the number of out-of-date security certificates on a computer system. If the network holds expired certificates, then the trust of a secure communication on the network is undermined. In the worst-case scenario, an expired certificate will use an obsolete hashing algorithm that can be broken by brute-force attack and make the channel vulnerable. More generally, users will encounter security warnings on their browsers when they visit your network.

Formula: Number of expired security certificates found during examination period

Related KRIs/KPIs: Percentage of Systems With Monitored Event and Activity Logs, Number of Failures to Properly Send Logs to Central Log Management System, Number of Instances Where Central Log Management System Exceeded Storage Availability Requirements

15. Number of Security Incidents (All Incident Types)

Definition: The number of security incidents (for all attack vectors) detected within a measurement period.

Rationale: This metric counts the number of security incidents in a given measurement period. This information can be analyzed in a time series to reveal trends of threats. Spikes of security events occurring after major system updates might indicate that new releases are consistently displaying vulnerabilities, and that changes should be made to the development cycle. Regularly occurring cycles of security incidents can be studied so as to harden the network against repeating threats.

Formula: Number of security incidents during examination period

Related KRIs/KPIs: All Systems, System Availability - All Systems, Mean Time Between Security Incidents (All Incident Types), Mean Time Between Security Incidents That Affect Critical Operations & Services

16. Percentage of Security Incidents Affecting System Availability - All Systems

Definition: The percentage of security incidents in which any subsystem of an IT system became unavailable for legitimate users.

Rationale: This metric measures the relative weight of security incidents in which service was interrupted for legitimate users. A large number for this metric would indicate that an IT system is highly vulnerable to attacks and that best practices for all security incidents should be reviewed. Additionally, IT professionals should adjust the development cycle to include safeguards and redundancies so that service can continue for legitimate users during future security incidents.

Formula: (Number of service interruption security incidents during examination period) / (Total number of security incidents during examination period)

Related KRIs/KPIs: Percentage of Security Incidents Affecting Critical Operations & Services, Time Between Security Incidents (All Incident Types)

17. Percentage of Security Incidents Not Detected by Monitoring Solutions

Definition: The number of security incidents that were not detected by installed security monitoring software as a percentage of total incidents detected over the same period of time.
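KRIs 13, 15, 16 and 17 are all derived from the same incident register, so one worked example serves them together. The script below is an added example, not OpsDog’s code: it takes a constructed register of five incidents (detection time, whether service was interrupted, and which source first raised the incident) and computes the time between incidents, the incident count, the availability-affecting percentage and the not-detected-by-monitoring percentage. The record layout and the rule that "first raised by something other than the monitoring solution" means "not detected by monitoring" are assumptions for the example.

```python
"""Derive KRIs 13, 15, 16 and 17 from a constructed incident register.
Added example; not from the OpsDog document. All records are made up."""
from datetime import datetime

# Constructed incident register for one measurement period.
#   detected:            time the incident was first detected
#   service_interrupted: True if legitimate users lost service (KRI 16)
#   source:              who raised it; "monitoring" = the installed monitoring
#                        solution, anything else = it was missed by monitoring (KRI 17)
INCIDENTS = [
    {"id": "INC-1", "detected": "2024-01-03 08:15", "service_interrupted": False, "source": "monitoring"},
    {"id": "INC-2", "detected": "2024-01-10 14:40", "service_interrupted": True,  "source": "user-report"},
    {"id": "INC-3", "detected": "2024-01-12 02:05", "service_interrupted": True,  "source": "monitoring"},
    {"id": "INC-4", "detected": "2024-01-30 11:00", "service_interrupted": True,  "source": "monitoring"},
    {"id": "INC-5", "detected": "2024-02-02 09:30", "service_interrupted": False, "source": "vendor-notice"},
]


def _detected(rec):
    return datetime.strptime(rec["detected"], "%Y-%m-%d %H:%M")


def incident_count(incidents):
    """KRI 15: number of incidents detected in the period."""
    return len(incidents)


def days_between_incidents(incidents):
    """KRI 13 building block: the gap in days from each detection to the
    next, in detection order (one entry fewer than there are incidents)."""
    times = sorted(_detected(r) for r in incidents)
    return [(b - a).total_seconds() / 86400 for a, b in zip(times, times[1:])]


def time_between_incidents_total(incidents):
    """KRI 13 as the page states it: the sum of the gaps, in days."""
    return sum(days_between_incidents(incidents))


def mean_time_between_incidents(incidents):
    """The related 'Mean Time Between Security Incidents' KRI: average gap.
    Returns None when fewer than two incidents exist (no gap to measure)."""
    gaps = days_between_incidents(incidents)
    return sum(gaps) / len(gaps) if gaps else None


def pct_affecting_availability(incidents):
    """KRI 16: service-interrupting incidents / all incidents * 100."""
    hit = sum(1 for r in incidents if r["service_interrupted"])
    return 100.0 * hit / len(incidents)


def pct_not_detected_by_monitoring(incidents):
    """KRI 17: incidents not first raised by the monitoring solution / all
    incidents detected * 100. Anything a user, vendor or auditor found first
    is counted as a monitoring miss."""
    missed = sum(1 for r in incidents if r["source"] != "monitoring")
    return 100.0 * missed / len(incidents)


if __name__ == "__main__":
    print("KRI 15 count:", incident_count(INCIDENTS))
    print("KRI 13 gaps (days):", [round(g, 2) for g in days_between_incidents(INCIDENTS)])
    print("KRI 13 total (days):", round(time_between_incidents_total(INCIDENTS), 2))
    print("Mean time between (days):", round(mean_time_between_incidents(INCIDENTS), 2))
    print("KRI 16 %:", pct_affecting_availability(INCIDENTS))
    print("KRI 17 %:", pct_not_detected_by_monitoring(INCIDENTS))
```

Because the gaps are computed detection-to-detection, the sum for KRI 13 equals the span from the first detection to the last (here 30 days and 75 minutes), which is a quick sanity check when the register is large; the mean is what the trend analysis in the rationale for KRI 13 would actually be plotted from.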

Rationale: This metric measures the effectiveness of the installed security monitoring solutions designed to automatically detect, alert users to the presence of, and terminate certain security threats. A high value for this metric may indicate that security monitoring software is not configured to properly detect threats, which can obviously expose the organization to risk on all fronts as it relates to service interruptions, data leaks, etc.

Formula: (Number of Incidents Not Detected by Monitoring Solutions / Total Number of Incidents Detected) * 100

Related KRIs/KPIs: Percentage of Security Incidents Affecting Critical Operations & Services, Time Between Security Incidents (All Incident Types)

18. Percentage of Devices Not Covered by Monitoring Solutions

Definition: The number of devices not currently covered by the company’s installed IT security monitoring solution as a percentage of total devices managed at the same point in time.

Rationale: This metric measures the current coverage of managed devices in regards to the monitoring of security threats. A large value for this metric leaves the organization open to attacks from all vectors for any device that is not currently covered, which obviously exposes the company to risk on all fronts due to possible service interruptions, data leaks, etc.

Formula: (Number of Devices Not Covered by Monitoring Solution / Total Number of Devices Managed) * 100

Related KRIs/KPIs: None

19. Percentage of Devices Not Covered by Monitoring Solutions (by Support/Maintenance Contract)

Definition: The number of devices not currently covered by the company’s installed IT security monitoring solution as a percentage of total devices managed at the same point in time.

Rationale: This metric measures the current coverage of managed devices in regards to the monitoring of security threats. A large value for this metric leaves the organization open to attacks from all vectors for any device that is not currently covered, which obviously exposes the company to risk on all fronts due to possible service interruptions, data leaks, etc.

Formula: (Number of Devices Not Covered by Monitoring Solution / Total Number of Devices Managed) * 100

Related KRIs/KPIs: None

20. Percentage of Employees Receiving Core Information Security Training Within the Last Year

Definition: The number of employees receiving core information security training within the past year as a percentage of total employees who received core information security training.

Rationale: This metric measures the knowledge base of employees concerning information security as well as which employees are in need of further training. By enforcing periodic training sessions, the IS function is able to ensure employees are aware of current policies and procedures to follow.

Formula: (Number of Employees Receiving Core Information Security Training Within the Last Year / Total Number of Employees Working for the Company who Previously Received Core Information Security Training) * 100

Related KRIs/KPIs: Number of ALL Employees Whose Access Rights Have Been Reviewed Within the Last 90 Days, Percentage of ALL Employees Whose Access Rights Have Been Reviewed Within the Last 90 Days

21. Percentage of Employees Passing Internal Email Phishing Test

Definition: The number of employees who pass the internal email phishing test as a percentage of the total number of employees who participate in the internal email phishing test during the measurement period.

Rationale: This metric measures the employees’ vulnerability to being defrauded by email phishing scams into releasing private information such as usernames, passwords, or credit card information, which could potentially be harmful to the individual or the organization. Employees who fail this test should be subject to additional training related to identifying email phishing attempts.

Formula: (Number of Employees who Pass Internal Email Phishing Test / Total Number of Employees who Participate in Test) * 100

Related KRIs/KPIs: Percentage of Employees Receiving Core Information Security Training Within the Last Year, Percentage of Security Incidents Related to Social Engineering, Mean Time Between Security Incidents Related to Social Engineering

22. Percentage of Employees that Have Accepted & Signed Social Media Policy

Definition: The number of employees working for the company that have signed and accepted the most recent version of the company’s social media policy, as a percentage of total employees.

Rationale: This metric measures the company’s coverage in regards to social media policies and related controls put in place to protect the organization from reputational harm, or potential social engineering attacks through social media channels. Lack of adherence to social media policies can lead to risk related to misrepresentation of the company, misuse of proprietary information, malware infections and privacy violations. This value should be 100%.

Formula: (Number of Employees That Have Signed Latest Social Media Policy / Total Number of Employees) * 100

Related KRIs/KPIs: Mean Time Between Security Incidents Related to Social Engineering

Internal Threats

23. Percentage of Security Incidents Involving Endpoint Devices

Definition: The percentage of security incidents in which an endpoint device (PCs, mobile phones, tablets, laptops, etc.) was involved.

Rationale: This metric measures the relative weight of endpoint-related security incidents. A larger Percentage of Security Incidents Involving Endpoint Devices would indicate that an IT system’s client-facing or public-facing applications for personal computers, smartphones or tablets are being used maliciously. IT staff should enforce screening and sanitization of any inbound data and requests from an endpoint device. A time series may demonstrate the efficacy of deployed countermeasures.

Formula: (Number of endpoint-related security incidents during examination period) / (Total number of security incidents during examination period)

Related KRIs/KPIs: Percentage of Security Incidents Affecting Critical Operations & Services

24. Percentage of Security Incident False Positives

Definition: The percentage of incidents in which security systems and protocols raised a false alarm of an attack when later analysis determined that none had occurred.

Rationale: This metric measures the accuracy of security systems and protocols in analyzing system events and making determinations of whether or not illegal activity is occurring on a network. Ideally, this number should be as low as possible. A larger value of this metric will indicate that IT professionals are not able to effectively recognize signs of a genuine attack. This could result in an attack raising no alarms at all, as well as generate complacency about warning signs raised by an IT system.

Formula: (Number of false positive security incidents during examination period) / (Total number of security incidents during examination period)

Related KRIs/KPIs: Percentage of Security Incidents Affecting Critical Operations & Services, Time Between Security Incidents (All Incident Types)

25. Percentage of Security Incidents Detected by Perimeter Security Measures

Definition: The percentage of security incidents that were detected by perimeter (first line of defense) security measures.

Rationale: This metric measures the effectiveness of the outermost defensive layer of an IT system. The majority of attacks should be caught at the perimeter. Most basic attacks involve sending engineered requests from client endpoints to the server. Most of these attacks can be prevented through request sanitization, whitelists and parameterized SQL queries. A large value may indicate that safeguards are not in place, or that an IT system suffers from an unusually large volume of sophisticated attacks.

Formula: (Number of perimeter security incidents during examination period) / (Total number of security incidents during examination period)

Related KRIs/KPIs: Percentage of Security Incidents Affecting Critical Operations & Services, Time Between Security Incidents (All Incident Types)

26. Number of Security Incident Detection Mechanism Failures

Definition: The percentage of security incidents in which deployed safeguards failed to prevent the execution of an attack.

Rationale: This metric measures the effectiveness of security systems and protocols against known and predictable security threats. While zero-day vulnerabilities open a system to unforeseen attacks, most attacks proceed along well-understood lines. This metric should ideally be as low as possible. A higher value of this metric indicates that security systems are simply ineffective and need to be audited or redesigned.

Formula: (Number of security mechanism failure incidents during examination period) / (Total number of security incidents during examination period)

Related KRIs/KPIs: Percentage of Security Incidents Affecting Critical Operations & Services, Time Between Security Incidents (All Incident Types)

27. Mean Time to Remove Unauthorized Application from System

Definition: The average amount of time (measured in minutes) required to remove unauthorized applications (removable media, files with extensions of known executables such as .exe, .msi, .bin, etc.) from a company system, measured from the time unauthorized applications are identified (usually through system testing and monitoring) until when they are removed from the system (performed through application control software such as the Continuous Diagnostics and Mitigation Software Asset Management program).

Rationale: This metric measures the IS function’s ability to remove and prevent unauthorized applications from accessing internal systems, and ensure that all identified unauthorized applications are removed from all workstations, devices, servers, etc.

Formula: (Sum of Minutes Required to Remove Unauthorized Applications from all Systems) / (Number of Unauthorized Applications Removed During the Same Period of Time Across all Systems)

Related KRIs/KPIs: Percentage of Endpoints Using Whitelisting to Block Unauthorized Application Use, Percentage of Endpoints in Compliance With Authorized Application Whitelist

28. Number of Accounts Determined to Have Unintended Access to Sensitive Data Within Last 30 Days

Definition: The total number of employee accounts determined to have unintended access to sensitive data (across all applications/systems in use) within the last 30 calendar days.

Rationale: This metric measures the quality of data access authorization procedures as well as the IS function’s ability to identify and resolve issues involving unintended access to sensitive data. Unintended access to sensitive data increases the chance of use, manipulation or leakage of important data.

Formula: Number of Employee Accounts Determined to Have Unintended Access to Sensitive Data

Related KRIs/KPIs: Number of Security Incidents Resulting in Unauthorized Data Access or Leak (Total), Percentage of Security Incidents Resulting in Unauthorized Data Access or Leak of Investor Information,

29. Number of Administrator Logins Detected Outside of Typical Business Hours

Definition: The total number of administrator logins detected (across all applications/systems in use) outside of typical business hours (10am-3pm, Sunday - Thursday) during the measurement period.

Rationale: This metric measures the quality and compliance of data access authorization procedures as well as the IS function’s ability to identify and resolve issues involving administrator logins outside of typical business hours. Administrator logins outside of typical business hours may indicate stolen or leaked credentials or even attempted logins by employees no longer working for the company.

Formula: Number of Administrator Logins Detected Outside of Typical Business Hours

Related KRIs/KPIs: Number of Security Incidents Resulting in Unauthorized Data Access or Leak (Total), Number of Failed Attempts to Access User Accounts with Access to Sensitive Data

30. Number of Security Incidents Related to Recent Changes

Definition: The total number of security incidents (a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, etc. of information) across all applications/systems in use that are related to recent application or system changes (successful or failed) during the measurement period.
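KRI 29 above is, in practice, a detection rule run over authentication logs. The script below is an added example, not OpsDog’s code, that applies the business-hours window exactly as the KRI states it (10am to 3pm, Sunday through Thursday) to a few constructed login records. The log line format, the role and result fields, and the choice to count successful logins by default while keeping failed attempts separate (the related "Number of Failed Attempts" KRI covers those) are all assumptions made for the example.

```python
"""Count administrator logins outside typical business hours (KRI 29) from
constructed authentication log lines. Added example; not from the OpsDog
document. The log format is an assumption; the hours are the KRI's own."""
import re
from datetime import datetime

# Constructed log lines (all made up). Format assumed for this example:
# "<ISO timestamp> <host> login user=<name> role=<role> result=<ok|fail> src=<ip>"
# 2024-03-03 is a Sunday; 2024-03-08 a Friday; 2024-03-09 a Saturday.
AUTH_LOG = """\
2024-03-03T10:30:00 dc01 login user=alice role=admin result=ok src=10.0.0.5
2024-03-03T23:10:00 dc01 login user=alice role=admin result=ok src=10.0.0.5
2024-03-04T14:59:00 app01 login user=bob role=user result=ok src=10.0.1.7
2024-03-05T15:00:00 app01 login user=carol role=admin result=ok src=10.0.1.9
2024-03-08T11:00:00 dc01 login user=dave role=admin result=ok src=10.0.0.12
2024-03-09T12:00:00 db01 login user=eve role=admin result=fail src=203.0.113.8
2024-03-07T12:00:00 db01 login user=frank role=admin result=ok src=10.0.2.2
2024-03-06T09:59:59 db01 login user=grace role=admin result=ok src=10.0.2.3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) role=(?P<role>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)

# Business hours as the KRI defines them: 10:00 up to (not including) 15:00,
# Sunday through Thursday. datetime.weekday(): Monday=0 ... Sunday=6.
BUSINESS_DAYS = {6, 0, 1, 2, 3}
BUSINESS_START_HOUR = 10
BUSINESS_END_HOUR = 15   # exclusive, so a 15:00:00 login is outside hours


def in_business_hours(when):
    """True if `when` falls inside the KRI's typical business hours."""
    return (when.weekday() in BUSINESS_DAYS
            and BUSINESS_START_HOUR <= when.hour < BUSINESS_END_HOUR)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match.
    Unparseable lines are skipped rather than silently counted."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def admin_logins_outside_hours(log_text, include_failed=False):
    """KRI 29: list of (timestamp, user, host, source ip) for administrator
    logins outside business hours. Successful logins only by default."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["role"] != "admin":
            continue
        if rec["result"] != "ok" and not include_failed:
            continue
        if not in_business_hours(rec["when"]):
            hits.append((rec["ts"], rec["user"], rec["host"], rec["src"]))
    return hits


if __name__ == "__main__":
    hits = admin_logins_outside_hours(AUTH_LOG)
    print("KRI 29 count:", len(hits))
    for ts, user, host, src in hits:
        print(f"  {ts} {user}@{host} from {src}")
```

Two boundary cases in the constructed data are worth noticing: a login at exactly 15:00 is outside the window because the end hour is exclusive, and a login at 09:59:59 is outside because the start hour is inclusive only from 10:00. Keeping the source address in each hit is what lets the rationale's "stolen or leaked credentials" hypothesis be checked against the network the login came from.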

13
Information Security (Cont.)
Rationale: This metric measures the quality of one-off patches or minimal upgrades recently put in place as well as the IS function’s ability to detect and resolve any resulting security incidents. The quicker security incidents are detected, the quicker patches and upgrades can be created to resolve current incidents and prevent any future incidents from occurring.

Formula: Number of Security Incidents that are Related to Recent System Changes

Related KRIs/KPIs: Percentage of Security Incidents Related to Recent Changes, Number of Security Incidents Related to Recent Releases, Percentage of Security Incidents Related to Recent Releases

31. Number of Security Incidents Related to Recent Releases

Definition: The total number of security incidents (a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, etc. of information) across all applications/systems in use that are related to recent application or system releases (successful or failed) during the measurement period.

Rationale: This metric measures the quality of significant IS upgrades or application launches recently put in place as well as the IS function’s ability to detect and resolve any resulting security incidents. The quicker security incidents are detected, the quicker they can be resolved, with any resolutions reflected in future upgrades and/or application launches.

Formula: Number of Security Incidents that are Related to Recent Releases

Related KRIs/KPIs: Percentage of Security Incidents Related to Recent Releases, Percentage of Security Incidents Related to Recent Changes, Number of Security Incidents Related to Recent Changes

32. Number of System/Application Passwords Audited Within Last 90 Days

Definition: The total number of system/application passwords audited (typically performed by software packages that measure the strength of passwords) within the last 90 calendar days.

Rationale: This metric measures the strength of the passwords used by the company and the IS function’s ability to detect potential threats from weak or obsolete passwords. Weak passwords make it all the easier for security incidents to occur and sensitive data to be used, manipulated or leaked. The company should establish and enforce standard password parameters (length, use of characters, etc.).

Formula: Number of System/Application Passwords Audited Within the Last 90 Calendar Days

Related KRIs/KPIs: Percentage of System/Application Passwords Audited Within Last 90 Days, Percentage of Passwords Currently Not Adhering to Password Quality Standards

33. Number of Systems with Known Vulnerabilities

Definition: The total number of systems or applications that have known vulnerabilities (i.e., a weakness in automated systems security procedures, administrative controls, Internet controls, etc. that could be exploited by a threat to gain unauthorized access to information) at the time of the measurement.

Rationale: This metric measures the vulnerability of a company’s systems and/or applications in a given measurement period. This information can be analyzed to reveal potential issues that need to be resolved. For instance, systems or applications with weak Internet controls are susceptible to more attacks by malware, hacking, etc. Known vulnerabilities should be prioritized based on severity and addressed ASAP by IT staff.

Formula: Number of Systems or Applications that Have Known Vulnerabilities
Related KRIs/KPIs: Percentage of Systems with Known Vulnerabilities, Number of Known Vulnerabilities Outstanding for More Than 90 Days, Percentage of Known Vulnerabilities Outstanding for More Than 90 Days

34. Number of Known Vulnerabilities Outstanding for More Than 90 Days

Definition: The total number of known system or application vulnerabilities (i.e., a weakness in automated systems security procedures, administrative controls, Internet controls, etc. that could be exploited by a threat to gain unauthorized access to information) that have yet to be resolved after 90 calendar days.

Rationale: This metric measures the vulnerability of a company’s systems and/or applications in a given measurement period as well as the IS function’s ability to detect and resolve known vulnerabilities in a timely fashion. The quicker vulnerabilities are detected and dealt with, the smaller the window will be for hackers and malware to do damage or access data (sensitive or non-sensitive).

Formula: Number of Known System or Application Vulnerabilities that Have Yet to be Resolved After 90 Calendar Days

Related KRIs/KPIs: Percentage of Known Vulnerabilities Outstanding for More Than 90 Days, Number of Systems with Known Vulnerabilities, Percentage of Systems with Known Vulnerabilities

35. Percentage of Endpoints Using Whitelisting to Block Unauthorized Application Use

Definition: The total number of endpoints that use application whitelisting to block unauthorized application use as a percentage of the total number of active endpoints that are managed by the IS function at the same point in time.

Rationale: This metric measures the IS function’s ability to prevent unauthorized or potentially harmful programs or applications from running on a company system through the use of whitelisting. Whitelists must be maintained, updated and continually enforced in order to prevent applications with known vulnerabilities or risks from running on the company’s network. Failure to do so increases the likelihood of data leaks and related reputational harm. This number should be at or close to 100%.

Formula: (Number of Endpoints Using Whitelisting / Total Number of Endpoints) * 100

Related KRIs/KPIs: Percentage of Endpoints in Compliance With Authorized Application Whitelist, Number of Systems with Known Vulnerabilities, Percentage of Systems with Known Vulnerabilities

36. Number of Instances of Unusual Outbound Network Traffic in Last 7 Days

Definition: The total number of instances or occurrences of unusual outbound network traffic that has occurred within the last 7 days of the measurement date.

Rationale: This metric measures the frequency of outbound traffic activity that can be harmful to the organization, such as visiting malicious websites, access to externally compromised unofficial network resources (DNS, NTP, etc.), using third-party data sharing applications (Dropbox, etc.) or using other covert channels to transmit information outside of the network. Outbound connection controls or firewalls can mitigate these outbound risks.

Formula: Count of Instances of Unusual Outbound Network Traffic in Last 7 Days

Related KRIs/KPIs: Number of Failed Attempts to Access User Accounts with Access to Sensitive Data, Number of ALL Employees Whose Access Rights Have Been Reviewed Within the Last 90 Days
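Worked example for KRI 36 (added here; it is not code from the OpsDog catalog): the script below scores constructed flow records against a sample egress policy and counts the instances that fall inside the 7-day window of the formula. The policy (sanctioned DNS/NTP servers, unapproved file-sharing domains, non-web egress ports), the `Flow` field names and the flow records are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed egress policy for a sample network (assumptions, not from the catalog).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
SANCTIONED_DNS = {"10.0.0.53"}      # the only resolver clients should talk to
SANCTIONED_NTP = {"10.0.0.123"}     # the only time source clients should talk to
FILE_SHARING_DOMAINS = {"dropbox.com", "wetransfer.com"}  # unapproved third-party sharing


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    sni: str = ""   # TLS server name, when the sensor captured one


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow: Flow):
    """Return a reason string if the flow is unusual outbound traffic, else None."""
    if not is_internal(flow.src) or is_internal(flow.dst):
        return None  # inbound or internal-only traffic is out of scope for this KRI
    if flow.dport == 53 and flow.dst not in SANCTIONED_DNS:
        return "dns-to-unsanctioned-resolver"
    if flow.dport == 123 and flow.dst not in SANCTIONED_NTP:
        return "ntp-to-unsanctioned-server"
    host = flow.sni.lower()
    if any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS):
        return "third-party-file-sharing"
    if flow.proto == "tcp" and flow.dport not in (80, 443):
        return "non-web-egress-port"  # candidate covert channel; review, do not assume malice
    return None


def unusual_outbound_by_reason(flows, as_of: datetime, days: int = 7) -> dict:
    """Count unusual outbound flows in the `days` before `as_of`, grouped by reason."""
    window_start = as_of - timedelta(days=days)
    counts: dict = {}
    for f in flows:
        if not (window_start <= f.ts <= as_of):
            continue
        reason = classify(f)
        if reason is not None:
            counts[reason] = counts.get(reason, 0) + 1
    return counts


def kri_36(flows, as_of: datetime) -> int:
    """KRI 36 formula: count of instances of unusual outbound traffic in the last 7 days."""
    return sum(unusual_outbound_by_reason(flows, as_of, days=7).values())


AS_OF = datetime(2024, 3, 31, 23, 59)

# Constructed flow records; external addresses come from RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    Flow(datetime(2024, 3, 30, 10, 0), "10.0.1.5", "10.0.0.53", 53, "udp"),        # sanctioned DNS
    Flow(datetime(2024, 3, 30, 10, 1), "10.0.1.5", "203.0.113.53", 53, "udp"),     # external resolver
    Flow(datetime(2024, 3, 29, 3, 0), "10.0.2.9", "198.51.100.123", 123, "udp"),   # external NTP
    Flow(datetime(2024, 3, 28, 14, 0), "10.0.1.5", "198.51.100.10", 443, "tcp", "www.dropbox.com"),
    Flow(datetime(2024, 3, 28, 14, 5), "10.0.1.5", "198.51.100.11", 443, "tcp", "example.com"),
    Flow(datetime(2024, 3, 27, 22, 0), "10.0.3.7", "198.51.100.20", 4444, "tcp"),  # odd egress port
    Flow(datetime(2024, 3, 20, 9, 0), "10.0.3.7", "203.0.113.53", 53, "udp"),      # outside 7-day window
    Flow(datetime(2024, 3, 31, 8, 0), "198.51.100.5", "10.0.1.5", 443, "tcp"),     # inbound, ignored
    Flow(datetime(2024, 3, 31, 9, 0), "10.0.1.5", "10.0.0.123", 123, "udp"),       # sanctioned NTP
]

if __name__ == "__main__":
    for reason, n in sorted(unusual_outbound_by_reason(SAMPLE_FLOWS, AS_OF).items()):
        print(f"{reason}: {n}")
    print("KRI 36 value:", kri_36(SAMPLE_FLOWS, AS_OF))
```

Tracking the per-reason breakdown alongside the headline count makes a week-over-week jump attributable to one control (for example, a new external resolver) rather than to a vague increase in "unusual" traffic.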
37. Number of Detected Attempts to Elevate Account Permissions Without Authorization

Definition: The total number of instances in which the network administrator detects an attempt by an account user to elevate their account permissions without the authorization of the network administrator during the measurement period.

Rationale: This metric measures risk related to the unauthorized attempt of account users to enhance or elevate their account permissions or privileges without the authorization of the account administrator. An attempt to enhance user account permissions can indicate not only who may be a potential threat to the organization but also what type of action the potential threat might pose to the organization.

Formula: Count of Detected Attempts to Elevate Account Permissions Without Authorization

Related KRIs/KPIs: Mean Time to Deactivate Departing Employee Account, Number of Accounts Determined to Have Unintended Access to Sensitive Data Within Last 30 Days, Number of Failed Attempts to Access User Accounts with Access to Sensitive Data

38. Number of Dormant Employee Accounts

Definition: The total number of employee accounts in a company information system that are dormant (i.e., account has not had any login activity in 90 or more calendar days) at the time of the measurement.

Rationale: This metric measures the number of dormant accounts that are vulnerable to intruders that may try to use the dormant account to seek access to a company system. Dormant accounts present a risk to information systems because the account’s (inactive) user will not detect the unusual or unauthorized use of that account.

Formula: Count of Dormant Employee Accounts

Related KRIs/KPIs: Mean Time to Deactivate Departing Employee Account, Number of ALL Employees Whose Access Rights Have Been Reviewed Within the Last 90 Days, Number of Failed Attempts to Access User Accounts with Access to Sensitive Data

39. Number of Orphaned Employee Accounts

Definition: The total number of active accounts that are orphaned (i.e., employee/user is no longer with the organization) at the time of measurement.

Rationale: This metric measures the number of orphaned accounts that are vulnerable to intruders (i.e., any user, past or present, who does not have permission to use the account) that may try to use the orphaned account to seek access to a company system. Orphan accounts present a risk to information systems because the account’s (absent) user will not detect the unusual or unauthorized use of that account. Network administrators may not realize that the orphaned account should not be in use.

Formula: Count of Orphaned Employee Accounts

Related KRIs/KPIs: Mean Time to Deactivate Departing Employee Account, Number of ALL Employees Whose Access Rights Have Been Reviewed Within the Last 90 Days, Number of Failed Attempts to Access User Accounts with Access to Sensitive Data

40. Number of Failed Attempts to Access User Accounts with Access to Sensitive Data

Definition: The total number of instances in which an account user attempts to access user accounts that have access to sensitive data, but does not succeed in accessing that account.
Rationale: This metric measures the frequency of internal threats attempting to gain access to sensitive data that could be used against the organization if that data gets into the wrong hands. An excessive number of failed attempts should raise a red flag; if the source of the attempts can be traced back to an individual, that person should be subject to questioning to determine their motives.

Formula: Count of Failed Attempts to Access User Accounts with Access to Sensitive Data

Related KRIs/KPIs: Number of Failed Attempts to Access User Accounts with Access to Sensitive Data, Number of ALL Employees Whose Access Rights Have Been Reviewed Within the Last 90 Days

41. Mean Time to Deactivate Departing Employee Account

Definition: The average amount of time (measured in days) required to deactivate a departing employee’s account, measured from the day the departing employee has worked his or her final day with the organization until the day that the network administrator deactivates the departing employee’s account.

Rationale: This metric measures the average length of time (measured in days) that departing employees’ accounts remain active after their departure from the company, which leaves the company systems more vulnerable to potential attackers. Current or former employees may target departed employee accounts that are not deactivated (i.e., orphaned accounts) to enact some form of retribution or simply because the (absent) account owner is not able to detect any unusual activity.

Formula: (Sum of Time to Deactivate Departing Employee Accounts / Number of Departing Employee Accounts Deactivated)

Related KRIs/KPIs: Number of Dormant Employee Accounts, Number of Failed Attempts to Access User Accounts with Access to Sensitive Data, Number of ALL Employees Whose Access Rights Have Been Reviewed Within the Last 90 Days

42. Number of ALL Employees Whose Access Rights Have Been Reviewed Within the Last 90 Days

Definition: The number of company-wide employees whose account access rights or privileges have been reviewed within the last 90 calendar days.

Rationale: This metric measures the risk associated with certain employees potentially having network access rights that they should not be granted. If an employee has access to files or network rights that they should not be granted, there is a greater risk to the company of information leaks, or other potential data breaches, whether intentional or unintentional.

Formula: Count of All Employees Whose Access Rights Have Been Reviewed within the Last 90 Days

Related KRIs/KPIs: Percentage of ALL Employees Whose Access Rights Have Been Reviewed Within the Last 90 Days, Number of Employees With Access to Sensitive Data Whose Access Rights Have Been Reviewed Within the Last 90 Days

43. Number of Employees With Access to Sensitive Data Whose Access Rights Have Been Reviewed Within the Last 90 Days

Definition: The total number of employees who have access to sensitive data whose access rights have undergone a formal review by the network administrator within the last 90 calendar days.

Rationale: This metric measures the organization’s practice of routinely reviewing the sensitive data access rights of employees. When employees get promoted or move within departments of an organization, their need to access sensitive data may change. A routine review or audit of employees’ sensitive data access rights will help ensure that only the employees who need to access the sensitive data will have access to it.
Formula: Count of Employees with Access to Critical Data/Information Whose Access Rights Have Been Reviewed Within the Last 90 Days

Related KRIs/KPIs: Percentage of Employees With Access to Sensitive Data Whose Access Rights Have Been Reviewed Within the Last 90 Days, Percentage of User Accounts with Access to Sensitive Data, Number of Users with Write Permissions for Sensitive Data

44. Percentage of User Accounts with Access to Sensitive Data

Definition: The number of user accounts that have access to sensitive data as a percentage of the total number of user accounts managed at the same point in time.

Rationale: This metric measures the degree of risk that an organization is exposed to that stems from how many users are prohibited from accessing sensitive data vs. how many users are granted authorized access to the sensitive data. If any sensitive data is leaked or breached, it will likely be harmful to the organization.

Formula: (Number of User Accounts with Access to Sensitive Data / Total Number of User Accounts) * 100

Related KRIs/KPIs: Number of Employees With Access to Sensitive Data Whose Access Rights Have Been Reviewed Within the Last 90 Days, Percentage of User Accounts with Access to Sensitive Data, Number of Users with Write Permissions for Sensitive Data

45. Mean Time to First Exploit

Definition: The average amount of time (measured in days) required for the first exploit to take place from the day a computer application or system is launched until the day that the first exploit occurs.

Rationale: This metric measures the quality of security that a system or application was set up with. With a low mean time to first exploit, network administrators may need to decide that they need to spend more time on security before launching a system or application.

Formula: (Sum of Times to First Exploit / Total Number of First Exploits)

Related KRIs/KPIs: Number of Security Incidents Related to Recent Releases, Number of Systems with Known Vulnerabilities, Number of Known Vulnerabilities Outstanding for More Than 90 Days

46. Mean Time to Incident Detection

Definition: The average amount of time (measured in minutes) required for the network administrator to detect a security incident from the time that the incident occurs until the time that the security incident is detected by the network administrator.

Rationale: This metric measures the risks associated with undetected security incidents by an organization’s network administrator. When a security incident is undetected, the network administrator cannot take any action to block the threat or mitigate any damage that the security incident has already incurred.

Formula: (Sum of Time to Detect a Security Incident / Total Number of Security Incidents Detected)

Related KRIs/KPIs: Percentage of Security Incidents Detected by Perimeter Security Measures, Security Incident False Positive Rate, Number of Security Incidents Related to Recent Releases
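Worked example for the Internal Threats account KRIs above (38 dormant accounts, 39 orphaned accounts, 41 mean time to deactivate, 42/43 access rights reviewed within 90 days, 44 percentage of accounts with sensitive access), added here and not part of the OpsDog catalog: the script applies each formula to a constructed directory export. The `Account` fields, the 90-day thresholds and the sample users are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Account:
    user_id: str
    last_login: Optional[date]          # None means the account has never logged in
    sensitive_access: bool              # account is entitled to read sensitive data
    last_access_review: Optional[date]  # date of the last formal rights review
    final_work_day: Optional[date]      # set once the employee has left
    deactivated_on: Optional[date]      # set once the administrator disabled the account


def is_active(acct: Account) -> bool:
    return acct.deactivated_on is None


def is_dormant(acct: Account, as_of: date, days: int = 90) -> bool:
    """KRI 38: active account with no login activity in `days` or more calendar days."""
    if not is_active(acct):
        return False
    if acct.last_login is None:
        return True
    return (as_of - acct.last_login).days >= days


def is_orphaned(acct: Account, as_of: date) -> bool:
    """KRI 39: active account whose owner is no longer with the organization."""
    return is_active(acct) and acct.final_work_day is not None and acct.final_work_day < as_of


def reviewed_within(acct: Account, as_of: date, days: int = 90) -> bool:
    """KRIs 42/43: rights formally reviewed within the last `days` calendar days."""
    return acct.last_access_review is not None and (as_of - acct.last_access_review).days <= days


def mean_days_to_deactivate(accounts) -> Optional[float]:
    """KRI 41: sum of (deactivation day - final work day) over deactivated leavers / their count."""
    durations = [(a.deactivated_on - a.final_work_day).days
                 for a in accounts
                 if a.final_work_day is not None and a.deactivated_on is not None]
    return mean(durations) if durations else None


def compute_kris(accounts, as_of: date) -> dict:
    active = [a for a in accounts if is_active(a)]
    sensitive = [a for a in active if a.sensitive_access]
    pct_sensitive = round(100.0 * len(sensitive) / len(active), 1) if active else 0.0  # KRI 44
    return {
        "dormant_accounts": sum(is_dormant(a, as_of) for a in accounts),
        "orphaned_accounts": sum(is_orphaned(a, as_of) for a in accounts),
        "mean_days_to_deactivate": mean_days_to_deactivate(accounts),
        "employees_reviewed_90d": sum(reviewed_within(a, as_of) for a in active),
        "sensitive_employees_reviewed_90d": sum(reviewed_within(a, as_of) for a in sensitive),
        "pct_accounts_with_sensitive_access": pct_sensitive,
    }


AS_OF = date(2024, 3, 31)

# Constructed directory export (sample data, not real users).
SAMPLE_ACCOUNTS = [
    Account("alice", date(2024, 3, 28), True, date(2024, 2, 15), None, None),
    Account("bob", date(2023, 11, 30), False, date(2023, 10, 1), None, None),   # dormant, review overdue
    Account("carol", date(2024, 3, 1), True, None, date(2024, 3, 15), None),    # left, still active: orphaned
    Account("dave", date(2024, 1, 10), True, date(2024, 1, 5), date(2024, 1, 12), date(2024, 1, 15)),
    Account("erin", None, False, date(2024, 3, 20), date(2024, 2, 29), date(2024, 3, 10)),
    Account("frank", date(2023, 12, 1), True, date(2024, 3, 25), None, None),   # dormant but reviewed
]

if __name__ == "__main__":
    for name, value in compute_kris(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{name}: {value}")
```

Note that a deactivated account is excluded from the dormant and orphaned counts but still contributes to the mean time to deactivate, which is how the three KRIs stay consistent when a leaver's account is finally disabled.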
47. Number of Rogue Access Points Identified

Definition: The number of unauthorized access points identified within the network through network scanning activities conducted during the measurement period. Unauthorized, or “rogue,” devices pose a serious security threat to the organization. These devices can be used by external and/or internal attackers to transmit sensitive information outside the network, list employee credentials and/or install malicious files on the company’s network. Ideally, this value would be 0.

Rationale: This metric measures risk related to the connection of a wireless access point that is not controlled by the company’s security protocols to the company’s network.

Formula: Count of Rogue Devices Detected on Company’s Network During Measurement Period

Related KRIs/KPIs: Count of Rogue Devices Detected on Company’s Network During Measurement Period
Information Technology
• IT Development Risks
• IT Planning & Performance Management Risks
• Technology Infrastructure Risks
Information Technology
IT Development Risks

1. Percentage of Scheduled Maintenance Activities Missed

Definition: The number of scheduled maintenance activities related to company devices (workstations, network equipment, servers) that did not take place on or before their scheduled date as a percentage of all maintenance activities scheduled to occur over the same period of time.

Rationale: This metric measures the IT function’s adherence to preventative and scheduled maintenance plans. Missed scheduled maintenance activities increase the likelihood of service interruptions, productivity losses and security incidents. Instances of missed scheduled maintenance activities should be traced back to the responsible party to identify and correct the root cause.

Formula: (Number of Scheduled Maintenance Activities Carried Out On-Time / Total Number of Scheduled Maintenance Activities to be Carried Out) * 100

Related KRIs/KPIs: Total Scheduled Downtime - All Systems

2. Percentage of Systems Undergoing New Releases - All Systems

Definition: The total number of applications or systems where a new release was completed or attempted by the IT function during the measurement period as a percentage of total systems managed.

Rationale: This metric measures the total amount of activity in regards to new releases performed by the IT team. A high number of releases can be indicative of risk arising from environment uncertainty (internal and customer-facing), downtime (planned and unplanned), performance issues and employee productivity.

Formula: (Number of Systems Where Release was Completed or Attempted / Total Number of Systems Managed) * 100

Related KRIs/KPIs: Percentage of Unsuccessful Releases

3. Percentage of Unsuccessful Releases

Definition: The number of releases rolled out by the IT function to company devices or workstations that must be rolled back (i.e., affected systems are restored to pre-release state through version control, or similar) due to issues that occurred following the release as a percentage of total releases attempted (i.e., successful and failed) over the same period of time.

Rationale: This metric measures the IT function’s diligence in testing and implementing releases successfully. Failed releases may cause downtime for employees and customers, leading to lost revenue and poor customer experience. Furthermore, repeated release failures divert IT staff’s attention from other potentially more important tasks, which can lead to risk regarding missed deadlines, un-patched vulnerabilities, etc.

Formula: (Number of Failed Releases / Total Number of Attempted Releases) * 100

Related KRIs/KPIs: Percentage of System Releases Mirrored on Backup Systems Within 24 Hours Following Launch

4. Percentage of Systems Undergoing Changes - All Systems

Definition: The total number of applications or systems where a new change was completed or attempted by the IT function during the measurement period as a percentage of total systems managed.

Rationale: This metric measures risk related to system stability and user experience, as well as the IT function’s ability to maintain and release stable services. While a solid change management foundation is vital, too many changes can be indicative of an underlying issue related to release management and application development capabilities.
Formula: (Number of Systems Where Change was Completed or Attempted / Total Number of Systems Managed) * 100

Related KRIs/KPIs: Percentage of Unsuccessful Changes - All Levels of Impact

5. Percentage of Unsuccessful Changes - All Levels of Impact

Definition: The number of changes rolled out by the IT function to company devices or workstations that must be rolled back (i.e., affected systems are restored to pre-change state through version control, or similar) due to issues that occurred following the implementation of the change, as a percentage of total changes attempted over the same period of time.

Rationale: This metric measures the quality of IT change management practices and related risk stemming from excessive changes, poor application/system management and rework. Change Management protocols must be put in place to minimize downtime, monitor change coverage (i.e., control which endpoints or devices are changed and when) and ensure that implemented changes are thoroughly tested prior to live environment roll out.

Formula: (Number of Failed Changes / Total Number of Attempted Changes) * 100

Related KRIs/KPIs: Percentage of Systems Undergoing Changes - All Systems

6. Percentage of Changes Considered Emergency Changes

Definition: The number of changes, or patches, to systems, devices and applications that are considered to be an emergency as a percentage of changes made over the same period of time. An emergency change is a previously unplanned change to systems or applications that must be implemented immediately, or as soon as possible, to avoid a serious security risk, productivity loss, and/or service interruption.

Rationale: This metric measures the diligence of IT change and release management practices, with a specific focus on controls built in to proactively identify and address issues that may arise in the future. Emergency changes may not be entirely avoidable; however, proactive patching, performance monitoring and vulnerability management may reduce instances of such changes.

Formula: (Number of Emergency Changes / Total Number of Attempted Changes) * 100

Related KRIs/KPIs: Percentage of System Changes Mirrored on Backup Systems Within 24 Hours Following Launch

7. Percentage of Applications Requiring Functionality Upgrade Within the Last 90 Days

Definition: The total number of applications used by the company that required an upgrade related to user experience/usability within the last 90 calendar days.

Rationale: This metric measures the IT function’s ability to develop and deliver applications that meet user expectations and require minimal rework related to usability and user experience. While applications will likely require upgrades at some point during their lifecycle, excessive upgrades may be indicative of poor front-end planning in regards to operating environment, end user needs and related business requirements.

Formula: (Number of Applications Requiring Post-Launch Upgrade / Total Number of Proprietary Applications In Use) * 100

Related KRIs/KPIs: Number of IT Projects that Required Rework Due to Misaligned Requirements Within the Last 90 Days
8. Percentage of IT Projects Reworked Due to Misaligned Requirements Within the Last 90 Days

Definition: The number of IT projects that, within the last 90 days, required re-scoping or re-prioritization due to business requirements that were not clearly defined, or were not sufficiently reviewed by key stakeholders prior to project launch, as a percentage of total IT projects running.

Rationale: This metric measures the IT function’s ability to accurately and exhaustively capture business requirements that align with overall company strategy and end user goals prior to the start of the project. Poor performance in business requirement gathering leads to project rework, cancellation and related opportunity cost.

Formula: (Number of IT Projects Requiring Re-Scoping / Total Number of IT Projects Running) * 100

Related KRIs/KPIs: Percentage of IT Projects Delayed, Percentage of IT Projects That Exceeded Budget

9. Percent Change in Number of Website Visits - Month over Month (MoM)

Definition: The percent difference in the total number of users that visited the website through all channels (organic search, paid search, direct, referral, etc.) from month-to-month.

Rationale: This metric measures overall traffic to the company’s website, which can be reflective of the company’s web presence, SEO practices and the quality of digital marketing practices. A time-series of this metric can be analyzed to detect large increases/decreases in traffic, which may be indicative of changes to search engine algorithms, mis-configured traffic tracking code, digital marketing practices or the need for changes to the company’s web server capacity.

Formula: ((Current Month Total Website Visits - Previous Month Total Website Visits) / Previous Month Total Website Visits) * 100

Related KRIs/KPIs: Average Page Load Time, Average Time on Site, Average Page Views per Visit, Bounce Rate

10. Bounce Rate

Definition: The number of users that view only one web page when visiting the site before exiting (i.e., bouncing) as a percentage of total website visits over the same period of time. A high Bounce Rate can indicate that the website is not sufficiently designed to lead users to other locations around the website.

Rationale: This metric measures the quality of the website’s design and user experience. Poor design and website architecture can lead to high bounce rates, which in turn can mean that users are not finding the appropriate information on the company’s website.

Formula: (Number of Website Visitors that View Only a Single Web Page / Total Number of Website Visits) * 100

Related KRIs/KPIs: Average Page Load Time, Average Time on Site, Average Page Views per Visit

11. Average Page Load Time

Definition: The average amount of time (in seconds) required for the user’s browser to fully load a web page within the company’s website, from the time the click occurs until the web browser has loaded the page in full.

Rationale: This metric measures the quality of the website’s architecture and corresponding methods taken to reduce load times, which can lead to improved search engine rankings and user experience. High page load times are proven to diminish user experience, particularly for web applications and interactive websites.

Formula: (Sum of page load time across 30 most-viewed web pages) / 30

Related KRIs/KPIs: Bounce Rate
12. Average Page Views per Visit

Definition: The average number of individual web pages viewed by a website visitor during the course of a single visit, or session, during the measurement period.

Rationale: This metric measures the quality of user engagement, which speaks to the overall design and architecture of the website. Websites that are not well-designed, or those that do not provide relevant information to the user shortly after landing on the site, will typically exhibit a low value for this metric.

Formula: Sum of Total Website Page Views / Total Number of Website Visits

Related KRIs/KPIs: Bounce Rate, Total Number of Website Visits, Average Page Load Time, Average Time on Site, Average Page Views per Session

13. Average Time on Site

Definition: The average amount of time a website visitor spends on the website, from the time that the user lands on a page until they exit the website, during the course of a single visit, or session, during the measurement period.

Rationale: This metric measures the quality of user engagement, which speaks to the overall design and architecture of the website. Websites that are not well-designed, or those that do not provide relevant information to the user shortly after landing on the site, will typically exhibit a low value for this metric.

Formula: Sum of Total Time Spent on Website / Total Number of Website Visits

Related KRIs/KPIs: Bounce Rate, Total Number of Website Visits, Average Page Views per Session

14. Percentage of Systems in Use that are No Longer Supported

Definition: The number of systems currently in use by the company that are no longer supported by the original developer as a percentage of total systems used by the organization at the same point in time. These non-supported systems may also be considered “legacy” systems.

Rationale: This metric measures risk related to software that is no longer supported by the original developer, meaning that they no longer release updates to address security, usability and/or performance issues, which leaves the company open to risk in those areas.

Formula: (Number of Systems in Use That are No Longer Supported / Total Number of Systems in Use) * 100

Related KRIs/KPIs: Percentage of Systems Running without Current Maintenance Contract - All Systems

IT Planning & Performance Management Risks

15. Percentage of IT Assets (Devices) Impacted by End-of-Life or Support

Definition: The number of devices managed by the IT Department that are slated to be impacted by upcoming end-of-life (EoL) or end-of-support (EoS) dates.

Rationale: This metric measures the potential impact of upcoming end-of-life (EoL) or end-of-support (EoS) dates for devices currently used by the company. A high percentage of devices with impending EoL or EoS dates may indicate that the company is using relatively outdated devices, and/or that it will be a large undertaking to procure and implement replacement devices in the near future.
Formula: (Number of Devices with Upcoming EoL or EoS Dates / Total Number of Devices Managed) * 100

Related KRIs/KPIs: Total Value of IT Assets Currently Not in Use, Percentage of IT Assets Controlled by Inventory Monitoring

16. Total Number of IT Assets Currently Not in Use

Definition: The total number of IT assets owned by the organization that are currently (i.e., at the point of measurement) not used in any capacity by the organization.

Rationale: This metric measures the IT function’s diligence in managing IT-related assets across the organization to ensure that they are used properly and can be liquidated when they are no longer able to be used by the organization. Obsolete or unused IT assets must also be properly secured to avoid physical theft, which can then lead to potential information theft (e.g., data stolen from unused hard drives or servers).

Formula: Count of Total Unused IT Assets

Related KRIs/KPIs: Total Value of IT Assets Currently Not in Use, Percentage of IT Assets Controlled by Inventory Monitoring

17. IT Service Desk - Mean Service Request Resolution Time (All Levels)

Definition: The average amount of time (measured in minutes) required for the IT support team to resolve, or close, an IT support request, measured from the time that the ticket or request is submitted by an employee until the issue has been resolved and formally closed.

Rationale: This metric measures the IT support function’s ability to accept, process and resolve open issues in a timely fashion. High resolution times can increase risk levels related to employee productivity and service interruptions. It may also be valuable to segment IT service requests by type and importance to see if high priority issues are solved in a more timely fashion than others (as they should be).

Formula: (Sum of Service Request Resolution Time) / (Count of Requests Successfully Resolved)

Related KRIs/KPIs: IT Service Desk - Total Number of Requests Opened (All Levels)

18. IT Service Desk - Total Number of Requests Opened (All Levels)

Definition: The total number of service requests, or tickets, received by the IT service desk team over a certain period of time. A service request is considered opened immediately upon reception (regardless of whether or not the request is acknowledged).

Rationale: This metric measures the total workload of the IT service desk. Higher than usual values may result in poor work quality, or can be indicative of an underlying issue related to system stability, user-friendliness, etc. Request volumes should be segmented by type and prioritized in order to ensure that critical issues are solved quickly. Viewing this metric as a time-series may reveal spikes in request volumes that can be traced to releases or other incidents causing internal issues.

Formula: Count of Service Requests Opened

Related KRIs/KPIs: IT Service Desk - Average Number of Requests Opened per Service Desk Employee, IT Service Desk - Mean Service Request Resolution Time

19. IT Service Desk - Percentage of Requests Not Resolved within SLA (All Levels)

Definition: The number of IT service requests that are not resolved within the timeframe defined by the company’s SLA as a percentage of total issues resolved over the same period of time.
27
Information Technology (Cont.)

Rationale: This metric measures the IT function’s ability to respond to, investigate and resolve requests, or tickets, within the time frame that the company has defined as acceptable. A large percentage of issues that are not resolved within this time frame may increase the likelihood of productivity/capacity issues, service interruptions and potential customer service issues.

Formula: (Number of Requests Resolved within SLA Time Frame / Total Number of Requests Resolved) * 100

Related KRIs/KPIs: IT Service Desk - Total Number of Requests Opened (All Levels)

20. Percentage of Applications Running without a Current Service Level Agreement

Definition: The number of applications currently running on company workstations or devices that are NOT governed by an explicit, documented service level agreement (SLA), which states the parameters and standards of service to be delivered by the application, as a percentage of all applications currently running.

Rationale: This metric measures risk exposure related to poor performance of applications used by the company. The lack of a defined SLA leaves the company without defined parameters to judge performance against optimal levels. Poorly performing applications may open the company to risk related to poor customer service and lack of internal productivity.

Formula: (Total Number of Applications Running without Current SLA / Total Number of Applications in Use) * 100

Related KRIs/KPIs: None

21. IT Service Provider SLA Adherence

Definition: The number of IT vendor service level agreements where the vendor has met or exceeded targets outlined in their corresponding Service Level Agreement (SLA) over the last 3 months as a percentage of all vendor, or service provider, activities whose performance levels are governed by a formal SLA.

Rationale: This metric measures vendor management and compliance practices, and related risk arising from poor vendor performance and lack of oversight. Vendor performance should be governed through Service Level Agreements (SLAs) and diligent project management. Furthermore, SLAs should define specific metrics and performance criteria to assess the performance of long-term vendor relationships.

Formula: (Number of SLA Performance Metrics Being Met by IT Service Providers / Total Number of SLA Metrics) * 100

Related KRIs/KPIs: Percentage of Systems Running without Current Maintenance Contract - All Systems

22. Internal IT Team SLA Adherence

Definition: The number of internal service level agreements where the IT team has met or exceeded targets outlined in their corresponding Service Level Agreement (SLA) over the last 3 months as a percentage of all IT team activities whose performance levels are governed by a formal SLA.

Rationale: This metric measures IT team service performance, management and compliance practices, and related risk arising from poor performance and/or lack of oversight. IT service performance should be governed through Service Level Agreements (SLAs) and diligent project management. Furthermore, SLAs should define specific metrics and performance criteria to assess the performance of the IT group.

28
Formula: (Number of SLA Performance Metrics Being Met by IT Team / Total Number of SLA Metrics) * 100

Related KRIs/KPIs: IT Service Provider SLA Adherence

23. Percentage of Systems Running without Current Maintenance Contract - All Systems

Definition: The number of actively used systems or applications that do not have a current maintenance contract in place as a percentage of total systems/applications managed at the same point in time.

Rationale: This metric measures the degree to which systems are covered by maintenance contracts. A high value for this metric may indicate that there are several systems without current maintenance contracts in place, which can be a leading indicator of potential issues in the future arising from system malfunctions or repairs where there is not an external SME available to provide support in order to correct the issue within a reasonable timeframe.

Formula: (Number of Systems without Current Maintenance Contract in Place / Total Number of Systems Managed) * 100

Related KRIs/KPIs: IT Service Provider SLA Adherence

24. Number of Disputes with IT Vendors

Definition: The total number of formal disputes that took place between the company and IT-related vendors over the last 3 months. Vendor disputes may arise due to poor vendor performance, payment issues and/or project scope misalignment (i.e., scope “creep”), among other things.

Rationale: This metric measures the IT function’s ability to procure high quality IT-related services and ensure that vendor performance expectations are documented and managed correctly. Vendor disputes can open the company to risk related to missed deadlines, service interruptions and diminished vendor relationships (forcing the organization to spend time and money to identify, authorize and brief a new vendor). This can be particularly vital when dealing with IT vendors.

Formula: Count of Formal Disputes with IT Vendors

Related KRIs/KPIs: IT Vendor Service Level Agreement Adherence, Percentage of Applications Running With a Current Service Level Agreement

25. Number of IT Projects Canceled After Kick-off Within Last 6 Months

Definition: The number of IT projects that were canceled at some point following the initial project startup due to lack of alignment with corporate strategy or planning over the last 6 months.

Rationale: This metric measures the IT function’s alignment with corporate strategy, as well as its ability to deliver projects based on stakeholder needs and business requirements. Canceled IT projects reflect poorly on all involved parties, but particularly on IT management. Risks related to canceled IT projects involve opportunity cost (i.e., time spent on the cancelled project could have been used elsewhere), missed deadlines and decreased employee and investor satisfaction.

Formula: Count of IT Projects Formally Canceled within Last 6 Months

Related KRIs/KPIs: Percentage of IT Projects Completed On-Schedule, Percentage of IT Projects Completed On-Budget, Number of IT Projects that Required Rework Due to Misaligned Requirements Within the Last 90 Days

29
26. Percentage of IT Projects Delayed

Definition: The number of IT projects that are NOT completed before or on their initial planned completion date (i.e., delayed projects) as a percentage of total IT projects completed over the same period of time.

Rationale: This metric measures the IT function’s ability to properly document and plan projects, and adhere to related requirements. Poor planning, misaligned resources and/or excessive approval levels or stage gates may delay IT projects, leading to risk related to opportunity costs (i.e., excess time spent on the project could have been used elsewhere), lost revenue due to missed deadlines and potential vulnerabilities that would have been addressed had the project launched on-time.

Formula: (Number of IT Projects Not Completed On-Schedule / Total Number of IT Projects Scheduled for Completion) * 100

Related KRIs/KPIs: Percentage of IT Projects That Exceeded Budget

27. Percentage of IT Projects That Exceeded Budget

Definition: The number of IT projects that exceed the initially developed budget parameters as a percentage of total IT projects completed over the same period of time.

Rationale: This metric measures the IT function’s ability to forecast project costs and secure the appropriate budgetary approvals, as well as its ability to deliver the project using the allocated budget. Over-budget IT projects carry far more risks than simply budget overruns - they can be indicative of poor project scoping, mis-aligned resources and a lack of diligent requirements gathering.

Formula: (Number of IT Projects Completed Over Budget / Total Number of IT Projects Completed) * 100

Related KRIs/KPIs: Percentage of IT Projects Delayed

28. IT Budget Variance (Actual vs. Budgeted)

Definition: The difference in planned (i.e., budgeted) versus actual IT expense for the entire IT department, or function, during the measurement period, measured as a percentage.

Rationale: This metric measures variance from the planned IT department budget. Variance in either direction, whether actual expenditures are below or above the budgeted amount, can be indicative of poor planning and/or lack of alignment with corporate strategy within day-to-day IT operations.

Formula: ((Actual IT Expense - Budgeted IT Expense) / Budgeted IT Expense) * 100

Related KRIs/KPIs: Percentage of IT Projects Delayed, Percentage of IT Projects That Exceeded Budget

Technology Infrastructure Risks

29. Mean Time Between Failure (MTBF) - All Systems

Definition: The average amount of time (measured in days) elapsed between system failures, measured from the moment the system initially fails until the time that the next failure occurs (including the time required to perform any repairs after the initial failure).

Rationale: This metric measures the stability of systems following a resumption of service (i.e., a repair following a failure), as well as the IT function’s ability to regularly develop and release stable services (initial releases and changes). A large value for this metric may indicate that systems are unstable and underlying architecture must be further examined. This is particularly vital for critical customer-facing systems.

30
Formula: (Sum of time between failures for all systems) / (Number of failures that occurred during examination period across all systems - 1)

Related KRIs/KPIs: Mean Time to Repair (MTTR) - All Systems

30. Percent Difference in MTBF (Monthly)

Definition: The difference in Mean Time Between Failure (MTBF) from month-to-month for the group of systems being examined, measured as a percentage.

Rationale: This metric measures the stability of systems following a resumption of service (i.e., a repair following a failure), as well as the IT function’s ability to regularly develop and release stable services (initial releases and changes). The percent difference from month-to-month for this metric can indicate the directional performance of the IT team in releasing, patching and maintaining services over time (i.e., from one month to the next).

Formula: ((MTBF for Most Recent Month - MTBF for Previous Month) / MTBF for Previous Month) * 100

Related KRIs/KPIs: Mean Time Between Failure (MTBF) - All Systems

31. Mean Time to Repair (MTTR) - All Systems

Definition: The average amount of time (measured in hours) required to repair a system or application to full functionality following a failure (i.e., a service interruption), measured from the time that the failure occurs until the repair is completed and rolled out to all required locations (servers, devices, workstations, etc.).

Rationale: This metric measures the IT function’s ability to respond to and resolve a system or application failure, or service interruption, and ensure that the resolution is rolled out to all required workstations, devices, servers, etc. A large value for this metric may indicate that the IT function’s response procedures are lacking and/or that systems are not built in such a way that facilitates speedy debugging and recovery.

Formula: (Sum of time to repair for all systems) / (Number of repairs completed during examination period across all systems)

Related KRIs/KPIs: Mean Time Between Failure (MTBF) - All Systems

32. Percent Difference in MTTR (Monthly)

Definition: The difference in Mean Time to Repair (MTTR) from month-to-month for the group of systems being examined, measured as a percentage.

Rationale: This metric measures the IT function’s ability to respond to and resolve a system or application failure, or service interruption, and ensure that the resolution is rolled out to all required workstations, devices, servers, etc. An increasing value for this metric may indicate that the performance of the IT team is decreasing, which can be due to a larger than usual volume of failures (i.e., increased workload), hard to resolve failures, or simply due to poor performance.

Formula: ((MTTR for Most Recent Month - MTTR for Previous Month) / MTTR for Previous Month) * 100

Related KRIs/KPIs: Mean Time to Repair (MTTR) - All Systems

31
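The four reliability KRIs above (29 to 32), and the System Availability formula in the entry that follows (33), computed from one incident log exactly as the catalogue formulas state them. This is an added example and not part of the OpsDog catalogue; the failure records, measurement periods and scheduled-maintenance figure are constructed for illustration.

```python
"""Worked calculation of MTBF (KRI 29), its monthly percent difference (30),
MTTR (31), its monthly percent difference (32) and System Availability (33).
Added example, not part of the OpsDog catalogue; all data is constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class Failure:
    system: str
    failed_at: datetime      # moment the service interruption began
    repaired_at: datetime    # repair completed and rolled out everywhere


def in_period(failures: List[Failure], start: datetime, end: datetime) -> List[Failure]:
    """Failures whose start falls inside [start, end)."""
    return [f for f in failures if start <= f.failed_at < end]


def mtbf_days(failures: List[Failure]) -> Optional[float]:
    """KRI 29 as the catalogue states it: failures from every system are
    pooled on one timeline, the time from each failure to the next (repair
    time included) is summed, and the sum is divided by (failures - 1).
    Undefined with fewer than two failures."""
    if len(failures) < 2:
        return None
    starts = sorted(f.failed_at for f in failures)
    gaps = [(b - a).total_seconds() / 86400 for a, b in zip(starts, starts[1:])]
    return sum(gaps) / (len(starts) - 1)


def mttr_hours(failures: List[Failure]) -> Optional[float]:
    """KRI 31: total repair time divided by the number of repairs completed."""
    if not failures:
        return None
    total = sum((f.repaired_at - f.failed_at).total_seconds() / 3600 for f in failures)
    return total / len(failures)


def percent_difference(recent: Optional[float], previous: Optional[float]) -> Optional[float]:
    """KRIs 30 and 32: ((most recent month - previous month) / previous month) * 100.
    Undefined when a month has no value or the previous month is zero."""
    if recent is None or previous is None or previous == 0:
        return None
    return (recent - previous) / previous * 100


def availability_percent(failures: List[Failure], start: datetime, end: datetime,
                         scheduled_maintenance_min: float) -> float:
    """KRI 33: (Uptime + Scheduled Maintenance) /
    (Uptime + Scheduled Maintenance + Unscheduled Downtime) * 100, in minutes.
    Outages are clipped to the period, so a repair that finishes after `end`
    only contributes the minutes that fall inside the period."""
    unscheduled = 0.0
    for f in failures:
        lo, hi = max(f.failed_at, start), min(f.repaired_at, end)
        if hi > lo:
            unscheduled += (hi - lo).total_seconds() / 60
    period_min = (end - start).total_seconds() / 60
    uptime = period_min - scheduled_maintenance_min - unscheduled
    return (uptime + scheduled_maintenance_min) / (
        uptime + scheduled_maintenance_min + unscheduled) * 100


# Constructed incident log for two consecutive months.
FAILURES = [
    Failure("web", datetime(2024, 1, 3, 8), datetime(2024, 1, 3, 12)),   # 4 h
    Failure("db", datetime(2024, 1, 13, 8), datetime(2024, 1, 13, 10)),  # 2 h
    Failure("web", datetime(2024, 1, 23, 8), datetime(2024, 1, 23, 14)), # 6 h
    Failure("web", datetime(2024, 2, 2), datetime(2024, 2, 2, 3)),       # 3 h
    Failure("db", datetime(2024, 2, 7), datetime(2024, 2, 7, 1)),        # 1 h
    Failure("api", datetime(2024, 2, 17), datetime(2024, 2, 17, 8)),     # 8 h
]
JAN, FEB, MAR = datetime(2024, 1, 1), datetime(2024, 2, 1), datetime(2024, 3, 1)


def reliability_report(failures=FAILURES, previous=(JAN, FEB), recent=(FEB, MAR),
                       scheduled_maintenance_min=240.0) -> dict:
    """All five KRIs for the most recent month; the previous month is only
    needed for the two percent-difference metrics."""
    prev, cur = in_period(failures, *previous), in_period(failures, *recent)
    return {
        "mtbf_days": mtbf_days(cur),
        "mtbf_pct_diff": percent_difference(mtbf_days(cur), mtbf_days(prev)),
        "mttr_hours": mttr_hours(cur),
        "mttr_pct_diff": percent_difference(mttr_hours(cur), mttr_hours(prev)),
        "availability_pct": availability_percent(cur, *recent, scheduled_maintenance_min),
    }


if __name__ == "__main__":
    for name, value in reliability_report().items():
        print(f"{name:>18}: {value:.2f}")
```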
33. System Availability - All Systems

Definition: The amount of time (measured in minutes) that ALL systems are online and available for use by all authorized users divided by the total amount of time those systems are scheduled to be available for use over the same period of time, as a percentage.

Rationale: This metric measures the overall performance and uptime of systems. System service interruptions/failures expose the company to reputational, financial and operational risks. This value should be near 100%, as system downtime can directly relate to lost revenue, poor productivity and decreased client satisfaction.

Formula: (System Uptime + Scheduled Maintenance Time) / (System Uptime + Scheduled Maintenance Time + Unscheduled Downtime) * 100

Related KRIs/KPIs: Mean Time Between Failure (MTBF) - All Systems, Mean Time to Repair (MTTR) - All Systems

34. System Availability During Trading Hours - All Systems

Definition: The amount of time (measured in minutes) that ALL systems are online and available for use during trading hours (10am-3pm, Sunday-Thursday) by all authorized users divided by the total amount of time those systems are scheduled to be available for use over the same period of time, as a percentage.

Rationale: This metric measures the overall performance and uptime of systems during peak business hours. System service interruptions expose the company to reputational, financial and operational risks. This value should be near 100%, as system downtime can directly relate to lost revenue and decreased client satisfaction.

Formula: (System Uptime + Scheduled Maintenance Time) / (System Uptime + Scheduled Maintenance Time + Unscheduled Downtime) * 100

Related KRIs/KPIs: Mean Time Between Failure (MTBF) - All Systems, Mean Time to Repair (MTTR) - All Systems

35. Number of Instances Where Systems Exceeded Capacity Requirements

Definition: The total number of instances (i.e., a specific point in time) where systems exceeded the pre-defined capacity threshold, measured in transactions or requests per second, within the measurement period.

Rationale: This metric measures the diligence of the organization’s capacity monitoring practices and the corresponding adjustments of capacity requirements and use based on detected patterns. Capacity constraints can cause performance degradation and may be a precursor to failure (i.e., service interruption).

Formula: Count of Instances Where Requests/Transactions per Second Exceeded Defined Threshold

Related KRIs/KPIs: Mean Time Between Failure (MTBF) - All Systems, Mean Time Between Failure (MTBF) - All Systems, System Availability - All Systems

36. Percentage of System/Application Downtime Caused by Inadequate Server Capacity

Definition: The amount of system downtime, or service interruption time, that was caused specifically by insufficient capacity (i.e., requests/transaction load directly caused failure) as a percentage of total unplanned downtime within the measurement period.

32
Rationale: This metric measures the diligence of the organization’s server capacity monitoring practices and related risk arising from service interruptions due to capacity issues. IT staff should be alerted to capacity issues in an automated fashion, thus reducing potential related downtime. Controls should be put in place to quickly scale up capacity in order to avoid impending downtime or performance degradation.

Formula: (Sum of Downtime Caused by Capacity Issues) / (Sum of Total Unplanned Downtime Caused by All Issues) * 100

Related KRIs/KPIs: Mean Time Between Failure (MTBF) - All Systems, Mean Time Between Failure (MTBF) - All Systems, System Availability - All Systems

37. Percentage of Downtime Due to Scheduled Activities - All Systems

Definition: The total amount of downtime, measured in minutes, that has been set aside and used by the IT function for planned system maintenance activities (as opposed to unplanned downtime) as a percentage of total downtime (planned and unplanned) during the measurement period.

Rationale: This metric measures the amount of time that the IT team has scheduled for routine and preventative maintenance to ensure that systems and applications continue to perform as intended throughout their life. While scheduled downtime is unavoidable, it should be scheduled during times of minimal activity (both internal and external).

Formula: (Sum of Downtime Caused by Planned or Scheduled Maintenance Activities / Total Downtime) * 100

Related KRIs/KPIs: System Availability - All Systems

38. Mean Network Bandwidth Utilization Rate - Overall (30 Minute Intervals)

Definition: The average utilization rate (i.e., percentage of total available network bandwidth capacity being used), measured as a ratio of current network traffic to the total amount of traffic that the network, or port, being examined can handle.

Rationale: This metric measures the capacity of the company’s network infrastructure and the IT function’s ability to monitor and scale network capacity to avoid instances of network failure, which can lead to financial, reputational and operational harm. Furthermore, high network capacity utilization may be indicative of potential external security risks.

Formula: Sum of Mean Network Bandwidth Utilization Across All 30 Minute Intervals / Total Number of 30 Minute Intervals Within Measurement Period

Related KRIs/KPIs: Number of Instances Where Network Bandwidth Utilization Exceeded Threshold

39. Number of Instances Where Network Bandwidth Utilization Exceeded Threshold

Definition: The total number of instances during the measurement period where network bandwidth utilization exceeded a defined threshold (identified through network testing and monitoring) at which the network begins to exhibit request delays, low transmission speeds, etc.

Rationale: This metric measures the IT function’s ability to monitor network capacity and adjust based upon trends in network utilization and use patterns to ensure that quality of service remains high. During periods of increased activity (i.e., near, at or beyond threshold network utilization), performance degradation may cause poor customer experience, lost revenue and/or poor internal productivity.

33
Formula: Count of Instances Where Network Bandwidth Capacity Exceeds Threshold

Related KRIs/KPIs: Mean Network Bandwidth Utilization Rate - Overall (30 Minute Intervals)

40. Mean Network Hardware Utilization Rate - Overall (30 Minute Intervals)

Definition: The average utilization rate (i.e., percentage of total available network hardware capacity being used), measured as a ratio of current network traffic to the total amount of traffic that the network, or port, being examined can handle.

Rationale: This metric measures the IT function’s ability to monitor network capacity and adjust based upon trends in network utilization and use patterns to ensure that quality of service remains high. During periods of increased activity (i.e., near, at or beyond threshold network utilization), performance degradation may cause poor customer experience, lost revenue and/or poor internal productivity.

Formula: Sum of Mean Network Hardware Utilization Across All 30 Minute Intervals / Total Number of 30 Minute Intervals Within Measurement Period

Related KRIs/KPIs: Number of Instances Where Network Hardware Utilization Exceeded Threshold

41. Number of Instances Where Network Hardware Utilization Exceeded Threshold

Definition: The total number of instances during the measurement period where network hardware utilization exceeded a defined threshold (identified through network testing and monitoring) at which the network begins to exhibit request delays, low transmission speeds, etc.

Rationale: This metric measures the IT function’s ability to monitor network capacity and adjust based upon trends in network utilization and use patterns to ensure that quality of service remains high. During periods of increased activity (i.e., near, at or beyond threshold network utilization), performance degradation may cause poor customer experience, lost revenue and/or poor internal productivity.

Formula: Count of Instances Where Network Hardware Capacity Exceeds Threshold

Related KRIs/KPIs: Mean Network Hardware Utilization Rate - Overall (30 Minute Intervals)

42. Percentage of System Releases Not Mirrored on Backup Systems Within 24 Hours Following Launch - All Systems

Definition: The number of releases that were successfully launched to the live environment that were not mirrored on backup systems within 24 hours following the successful launch as a percentage of total releases successfully performed during the measurement period.

Rationale: This metric measures the IT function’s adherence to backup procedures and protocols. Failure to back up successful releases in a timely fashion can lead to data loss, rework and future downtime (both internal and customer-facing). Backups of this scale should be automated and/or built into the release process to ensure that they are done in a timely fashion with minimal human intervention required.

Formula: (Number of Successful Releases Not Backed up Within 24 Hours / Total Number of Successful Releases) * 100

Related KRIs/KPIs: Percentage of Systems Undergoing New Releases - All Systems

34
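The two network utilization KRIs, the 30-minute-interval mean rate (38) and the count of intervals over the delay threshold (39), computed from raw interface samples; the hardware pair (40 and 41) is the same calculation fed with hardware counters instead of link throughput. This is an added example and not part of the OpsDog catalogue; the link capacity, threshold and samples are constructed.

```python
"""Worked calculation of KRI 38 (mean bandwidth utilization over 30-minute
intervals) and KRI 39 (intervals in which utilization exceeded the threshold).
Added example, not part of the OpsDog catalogue; all input data is constructed."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

Sample = Tuple[datetime, int]   # (sample time, observed bits per second)


def interval_start(ts: datetime) -> datetime:
    """Floor a timestamp to the 30-minute interval that contains it."""
    return ts.replace(minute=(ts.minute // 30) * 30, second=0, microsecond=0)


def interval_utilization(samples: Iterable[Sample], capacity_bps: int) -> Dict[datetime, float]:
    """Mean utilization (percent of link capacity) for every 30-minute
    interval that has at least one sample, in chronological order.
    Intervals with no samples are a monitoring gap and are not reported as 0%."""
    buckets: Dict[datetime, List[float]] = defaultdict(list)
    for ts, bps in samples:
        buckets[interval_start(ts)].append(bps * 100 / capacity_bps)
    return {start: sum(v) / len(v) for start, v in sorted(buckets.items())}


def mean_utilization_rate(per_interval: Dict[datetime, float]) -> float:
    """KRI 38: Sum of Mean Utilization Across All 30 Minute Intervals /
    Total Number of 30 Minute Intervals Within Measurement Period."""
    if not per_interval:
        raise ValueError("no 30-minute intervals in the measurement period")
    return sum(per_interval.values()) / len(per_interval)


def threshold_exceedances(per_interval: Dict[datetime, float], threshold_pct: float) -> List[datetime]:
    """KRI 39: the intervals whose mean utilization is above the threshold at
    which delays begin; the KRI value is the length of this list. Keeping the
    interval starts lets an operator line a spike up with change records or
    with the firewall attack counts tracked elsewhere in this catalogue."""
    return [start for start, util in per_interval.items() if util > threshold_pct]


CAPACITY_BPS = 1_000_000_000   # constructed: a 1 Gbit/s uplink
THRESHOLD_PCT = 80.0           # constructed: delays observed above 80% utilization
SAMPLES: List[Sample] = [      # constructed: one reading every 10 minutes
    (datetime(2024, 3, 4, 8, 0), 300_000_000),
    (datetime(2024, 3, 4, 8, 10), 400_000_000),
    (datetime(2024, 3, 4, 8, 20), 500_000_000),
    (datetime(2024, 3, 4, 8, 30), 800_000_000),
    (datetime(2024, 3, 4, 8, 40), 900_000_000),
    (datetime(2024, 3, 4, 8, 50), 850_000_000),
    (datetime(2024, 3, 4, 9, 0), 950_000_000),
    (datetime(2024, 3, 4, 9, 10), 900_000_000),
    (datetime(2024, 3, 4, 9, 20), 700_000_000),
    (datetime(2024, 3, 4, 9, 30), 200_000_000),
    (datetime(2024, 3, 4, 9, 40), 300_000_000),
    (datetime(2024, 3, 4, 9, 50), 100_000_000),
]


def bandwidth_report(samples: Iterable[Sample] = SAMPLES, capacity_bps: int = CAPACITY_BPS,
                     threshold_pct: float = THRESHOLD_PCT) -> dict:
    """Both KRIs plus the per-interval series they are derived from."""
    per_interval = interval_utilization(samples, capacity_bps)
    return {
        "mean_utilization_pct": mean_utilization_rate(per_interval),
        "intervals_over_threshold": len(threshold_exceedances(per_interval, threshold_pct)),
        "per_interval_pct": per_interval,
    }


if __name__ == "__main__":
    report = bandwidth_report()
    for start, util in report["per_interval_pct"].items():
        print(f"{start:%H:%M}  {util:5.1f}%")
    print("KRI 38 mean utilization:", report["mean_utilization_pct"])
    print("KRI 39 intervals over threshold:", report["intervals_over_threshold"])
```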
43. Percentage of System Changes Not Mirrored on Backup Systems Within 24 Hours Following Launch - All Systems

Definition: The number of system changes that were successfully launched to the live environment that were not mirrored on backup systems within 24 hours following the successful launch as a percentage of total changes successfully performed during the measurement period.

Rationale: This metric measures the IT function’s adherence to backup procedures and protocols. Failure to back up successful changes in a timely fashion can lead to data loss, rework and future downtime (both internal and customer-facing). Backups of this scale should be automated and/or built into the change process to ensure that they are done in a timely fashion with minimal human intervention required.

Formula: (Number of Successful Changes Not Backed up Within 24 Hours / Total Number of Successful Changes) * 100

Related KRIs/KPIs: Percentage of Systems Undergoing Changes - All Systems

44. Percentage of Critical Systems without Up-to-Date Patches

Definition: The total number of critical systems (all deployed instances of the system or application running on each device/workstation) that do not currently have up-to-date patches installed and running as a percentage of total critical system end user devices/workstations. This metric may also be known as “Patch Coverage Rate.”

Rationale: This metric measures the IT function’s ability to efficiently and successfully roll out patches to all required end points. Poor patch and change management practices expose the company to risk related to un-patched security vulnerabilities and system/application shortcomings (instability, poor user experience, etc.).

Formula: (Number of Systems without Most Recent Patch Running / Total Number of Critical Systems Running) * 100

Related KRIs/KPIs: Percentage of Changes Considered Emergency Changes

45. Percentage of Critical System Backups that are Not Fully Automated

Definition: The number of critical systems without an automated (i.e., no manual work required) backup currently configured and running accurately as a percentage of total critical system backups (automated and manual).

Rationale: This metric measures the IT function’s backup management practices and risk related to data loss or system/application downtime related to out of date backups. Highly manual backup management practices also leave the organization open to human error. Automated backups should be managed through a central application, and notifications should be sent to administrators when backups are not run successfully, or when a change to backup configuration is detected.

Formula: (Number of Critical System Backups That are Not Automated / Total Number of Critical System Backups) * 100

Related KRIs/KPIs: Percentage of Critical System Backups that are Automated, Critical System Backup Failure Rate, Percentage of Critical Systems with Backups Performed Within Threshold

46. Total Number of Critical System Backup Failures

Definition: The total number of critical system backup processes that failed (i.e., did not run, were not captured in-full, were captured with errors, etc.) to complete or run properly during the measurement period.

35
Rationale: This metric measures the IT function’s ability to configure backup processes that run successfully with minimal intervention. Poor backup management exposes the company to risk related to lost data and system downtime (internal and external). Backups should be configured to run with little or no human interaction. Furthermore, backups must be monitored to ensure that they are taken before and after each instance of a release or change. This is particularly important for critical systems.

Formula: Number of Attempted Critical System Backups That Resulted In a Failure

Related KRIs/KPIs: Percentage of Critical System Backups that are Automated, Critical System Backup Failure Rate, Percentage of Critical Systems with Backups Performed Within Threshold

47. Percentage of Workstations that have Not Received a Full Malware Scan Within Last 24 Hours

Definition: The number of workstations that have not undergone a full, successful virus scan within the last 24 hours as a percentage of total active workstations managed by the organization.

Rationale: This metric measures the IT function’s established practices and adherence to malware and virus scanning procedures. Poor controls in this area leave the company open to malware infections, which can lead to data leaks, stolen credentials, performance degradation, etc. These risks are easily avoidable through discipline in this area.

Formula: (Number of Workstations Where Full Malware Scan Has Not Been Performed Within Last 24 Hours / Total Number of Workstations Managed by the Organization) * 100

Related KRIs/KPIs: Percentage of Workstations Not Running Updated Anti-Malware Controls

48. Percentage of Servers that have Not Received a Full Malware Scan Within Last 24 Hours

Definition: The number of servers that have not undergone a full, successful virus scan within the last 24 hours as a percentage of total active servers managed by the organization.

Rationale: This metric measures the IT function’s established practices and adherence to malware and virus scanning procedures. Poor controls in this area leave the company open to malware infections, which can lead to data leaks, stolen credentials, performance degradation, etc. These risks are easily avoidable through discipline in this area.

Formula: (Number of Servers Where Full Malware Scan Has Not Been Performed Within Last 24 Hours / Total Number of Servers Managed by the Organization) * 100

Related KRIs/KPIs: Percentage of Servers Not Running Updated Anti-Malware Controls

49. Percentage of Mobile Devices that have Not Received a Full Malware Scan Within Last 24 Hours

Definition: The number of mobile devices that have not undergone a full, successful virus scan within the last 24 hours as a percentage of total active mobile devices managed by the organization.

Rationale: This metric measures the IT function’s established practices and adherence to malware and virus scanning procedures. Poor controls in this area leave the company open to malware infections, which can lead to data leaks, stolen credentials, performance degradation, etc. These risks are easily avoidable through discipline in this area.

Formula: (Number of Mobile Devices Where Full Malware Scan Has Not Been Performed Within Last 24 Hours / Total Number of Mobile Devices Managed by the Organization) * 100

36
Related KRIs/KPIs: Percentage of Devices Not Running Updated Anti-Malware Controls

50. Percentage of Devices Not Running Updated Anti-Malware Controls

Definition: The number of devices (workstations, servers, mobile devices) managed by the company that are not currently running fully up-to-date anti-malware protection as a percentage of total devices managed by the organization.

Rationale: This metric measures the IT function’s diligence in ensuring that devices are running compliant anti-malware software at all times. Lack of diligence in this area leads to avoidable risk related to data leaks, misuse of data, stolen credentials, performance degradation, and other internal/external threats.

Formula: (Number of Devices Not Running Compliant and Up-to-Date Malware Protection / Total Number of Devices Managed by the Organization) * 100

Related KRIs/KPIs: Percentage of Devices that have Not Received a Full Malware Scan Within Last 24 Hours

51. Percentage of Workstations Not Running Updated Anti-Malware Controls

Definition: The number of workstations managed by the company that are not currently running fully up-to-date anti-malware protection as a percentage of active workstations managed by the organization.

Rationale: This metric measures the IT function’s diligence in ensuring that workstations are running compliant anti-malware software at all times. Lack of diligence in this area leads to avoidable risk related to data leaks, misuse of data, stolen credentials, performance degradation, and other internal/external threats.

Formula: (Number of Workstations Not Running Compliant and Up-to-Date Malware Protection / Total Number of Workstations Managed by the Organization) * 100

Related KRIs/KPIs: Percentage of Workstations that have Not Received a Full Malware Scan Within Last 24 Hours

52. Percentage of Servers Not Running Updated Anti-Malware Controls

Definition: The number of servers managed by the company that are not currently running fully up-to-date anti-malware protection as a percentage of total active servers managed by the organization.

Rationale: This metric measures the IT function’s diligence in ensuring that servers are running compliant anti-malware software at all times. Lack of diligence in this area leads to avoidable risk related to data leaks, misuse of data, stolen credentials, performance degradation, and other internal/external threats.

Formula: (Number of Servers Not Running Compliant and Up-to-Date Malware Protection / Total Number of Servers Managed by the Organization) * 100

Related KRIs/KPIs: Percentage of Servers that have Not Received a Full Malware Scan Within Last 24 Hours

53. Percentage of Mobile Devices Not Running Updated Anti-Malware Controls

Definition: The number of mobile devices managed by the company that are not currently running fully up-to-date anti-malware protection as a percentage of active mobile devices managed by the organization.

37
Rationale: This metric measures the IT function’s diligence in ensuring that mobile devices are running compliant anti-malware software at all times. Lack of diligence in this area leads to avoidable risk related to data leaks, misuse of data, stolen credentials, performance degradation, and other internal/external threats.

Formula: (Number of Mobile Devices Not Running Compliant and Up-to-Date Malware Protection / Total Number of Mobile Devices Managed by the Organization) * 100

Related KRIs/KPIs: Percentage of Mobile Devices that have Not Received a Full Malware Scan Within Last 24 Hours

54. Percentage of Firewall Rules Added or Changed Within Last 90 Days That Were Formally Documented

Definition: The number of changes to firewall rules that were applied to the company’s firewall (across all firewall applications/systems in use) that were formally documented according to the company’s policies/procedures as a percentage of total firewall rule changes applied within the last 90 calendar days.

Rationale: This metric measures the IT function’s protocols related to firewall rule change and addition documentation. Poor documentation of firewall rule changes may leave the company open to risk related to firewall rules that may conflict with others, or may not be compliant with certain internal or external protocols (e.g., PCI DSS, etc.).

Formula: (Number of Firewall Rule Changes or Additions Formally Documented / Total Number of Firewall Changes or Additions) * 100

Related KRIs/KPIs: Number of Unused Firewall Rules, Average Time Elapsed Between Formal Reviews of Firewall Rules

55. Percent Increase in Number of Attacks on Firewall (Weekly)

Definition: The percent difference in the number of attacks on the company’s firewall that were detected during the previous two calendar weeks.

Rationale: This metric measures the change in malicious activity detected by the company’s firewall protection protocols. A large increase in attacks against the company’s firewall may indicate that certain firewall rules are in need of review due to a potential vulnerability, or that the organization is increasingly becoming the target of malicious outside attacks.

Formula: ((Number of Firewall Attacks During Most Recent Week - Number of Firewall Attacks During Previous Week) / Number of Firewall Attacks During Previous Week) * 100

Related KRIs/KPIs: Number of Firewall Reviews Conducted, Average Time Elapsed Between Formal Reviews of Firewall Rules

56. Number of Unused Firewall Rules

Definition: The total number of firewall rules (across all firewall applications/systems in use) that were found to no longer be in use during formal or informal firewall rule reviews conducted during the measurement period.

Rationale: This metric measures the IT function’s protocols related to ensuring that unused or expiring firewall rules are continuously refreshed and audited. Unused firewall rules may leave the door open for malicious attacks, conflict with other rules rendering them useless, and/or degrade firewall performance. For example, an outdated firewall rule may have left a port open for an internal application that is no longer in use, allowing data to flow out of the organization through that port.

Formula: Count of Unused or Expired Firewall Rules Identified
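KRIs 54 and 56 above both depend on how the measurement window and "no longer in use" are operationalised against firewall data. The following is an added example, not OpsDog's code: it computes both KRIs from a constructed rule inventory and change log, treating a rule as unused when it has matched no traffic for an assumed 90-day idle threshold (the document does not fix that threshold) and returning None for KRI 54 when no changes fall in the window, so an empty period is not reported as 0% or 100%.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed sample data (not from the OpsDog document): one record per
# firewall rule, with the last date the rule matched any traffic.
@dataclass
class Rule:
    rule_id: str
    last_hit: Optional[date]   # None = the rule has never matched traffic

# Constructed change-log entries: one per rule addition or change, flagged
# with whether a formal change record exists per the company's policy.
@dataclass
class Change:
    rule_id: str
    applied: date
    documented: bool

def pct_changes_documented(changes: List[Change], as_of: date, window_days: int = 90) -> Optional[float]:
    """KRI 54: documented changes in the window / all changes in the window * 100.
    Returns None when no changes were applied in the window (avoids dividing by zero)."""
    cutoff = as_of - timedelta(days=window_days)
    in_window = [c for c in changes if cutoff < c.applied <= as_of]
    if not in_window:
        return None
    documented = sum(1 for c in in_window if c.documented)
    return round(100.0 * documented / len(in_window), 1)

def unused_rules(rules: List[Rule], as_of: date, idle_days: int = 90) -> List[str]:
    """KRI 56: rules with no traffic match within idle_days (or never).
    The idle threshold is an assumption; the document only says 'no longer in use'."""
    cutoff = as_of - timedelta(days=idle_days)
    return sorted(r.rule_id for r in rules if r.last_hit is None or r.last_hit < cutoff)

AS_OF = date(2024, 6, 30)
RULES = [
    Rule("FW-001", date(2024, 6, 29)),
    Rule("FW-002", date(2024, 1, 15)),   # idle since January -> unused
    Rule("FW-003", None),                # never matched -> unused
    Rule("FW-004", date(2024, 6, 1)),
]
CHANGES = [
    Change("FW-001", date(2024, 4, 10), True),
    Change("FW-004", date(2024, 5, 20), False),
    Change("FW-003", date(2024, 6, 15), True),
    Change("FW-002", date(2024, 1, 15), False),  # outside the 90-day window, not counted
]

if __name__ == "__main__":
    print("KRI 54 (% documented):", pct_changes_documented(CHANGES, AS_OF))  # 66.7
    print("KRI 56 (unused rules):", unused_rules(RULES, AS_OF))              # ['FW-002', 'FW-003']
```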
Related KRIs/KPIs: Average Time Elapsed Between Formal Reviews of Firewall Rules, Percentage of Firewall Rules Added or Changed Within Last 90 Days That Were Formally Documented

57. Number of Firewall Reviews Conducted

Definition: The total number of formal firewall configuration reviews conducted by IT team members during the measurement period.

Rationale: This metric measures the IT function’s standard procedures related to formal firewall rule reviews. Firewall rule reviews may identify the need for additional rules and also point out unused rules - both of these actions improve overall security, improve firewall performance, and ensure that unused rules (open ports, etc.) cannot be used by external attackers to facilitate the flow of information out of the organization.

Formula: Count of Formal Firewall Reviews Conducted

Related KRIs/KPIs: Average Time Elapsed Between Formal Reviews of Firewall Rules

58. Average Time Elapsed Between Formal Reviews of Firewall Rules

Definition: The average number of calendar days elapsed between formal firewall rule reviews conducted by the company to determine if rules must be added, removed or edited to meet current operating requirements.

Rationale: This metric measures the IT function’s standard procedures related to formal firewall rule reviews. Firewall rule reviews may identify the need for additional rules and also point out unused rules - both of these actions improve overall security, improve firewall performance, and ensure that unused rules (open ports, etc.) cannot be used by external attackers to facilitate the flow of information out of the organization.

Formula: Number of Calendar Days During Measurement Period / (Number of Formal Firewall Rule Reviews Conducted During Measurement Period)

Related KRIs/KPIs: Percentage of Firewall Rules Added or Changed Within Last 90 Days That Were Formally Documented, Number of Unused Firewall Rules

59. Number of Servers Experiencing Hardware-related Performance Issues Within the Last 90 Days

Definition: The number of servers that have experienced hardware-related performance issues during the last 90 calendar days as a percentage of total servers operated by the company.

Rationale: This metric measures the performance, maintenance and overall health of the company’s servers. Poor server performance can directly lead to application performance issues, website slowdowns, and low productivity. These items, in turn, can open the company up to risk related to poor customer service/experience, lost revenue and/or increased probability of server failure, leading again to lost information and/or revenue.

Formula: Count of Servers Experiencing Performance Issues

Related KRIs/KPIs: Percentage of Servers that have Received a Full Malware Scan Within Last 24 Hours

60. Number of Workstations Experiencing Hardware-related Performance Issues Within the Last 90 Days

Definition: The number of individual workstations that have experienced performance issues during the last 90 calendar days as a percentage of total workstations operated by the company.
Rationale: This metric measures the performance, maintenance and overall health of the workstations managed by the organization. Excessive workstation performance issues may lead to low productivity, issues fulfilling customer requests and loss of information. These issues, in turn, can indirectly lead to lost revenue, customer dissatisfaction and avoidable costs related to correcting performance issues and replacing workstations.

Formula: Count of Workstations Experiencing Performance Issues

Related KRIs/KPIs: Percentage of Workstations that have Received a Full Malware Scan Within Last 24 Hours

61. Deployed Hardware Utilization Ratio (DH-UR)

Definition: The ratio of the number of servers that are running live applications used by the organization to the total number of servers currently managed, or deployed, by the organization at the time of measurement.

Rationale: This metric measures the amount of data center energy being used to power servers that are not used to run applications. A value for this metric that is too high may be indicative of an impending power failure or overload due to mis-managed data center energy, which can cause catastrophic downtime, leading to lost revenue, poor customer experience, low productivity and reputational harm.

Formula: Number of Servers Running Live Applications / Total Number of Servers Deployed

Related KRIs/KPIs: Percentage of Critical Systems with Backups Performed Within Threshold

Telecommunications & Connectivity Risks

62. Network Availability

Definition: The amount of time (measured in minutes) that the company’s network is available for use by all authorized users divided by the total amount of time the network is scheduled to be available for use over the same period of time, as a percentage.

Rationale: This metric measures the overall performance and uptime of the company’s network. Network interruptions/failures expose the company to reputational, financial and operational risks. This value should be near 100%, as network downtime can directly relate to lost revenue, poor productivity and decreased client satisfaction.

Formula: (Network Uptime + Scheduled Maintenance Time) / (Network Uptime + Scheduled Maintenance Time + Unscheduled Downtime) * 100

Related KRIs/KPIs: Mean Time Between Failure (MTBF) - All Systems, Mean Time to Repair (MTTR) - All Systems

63. Percentage of Network Devices Not Meeting Configuration Standards

Definition: The total number of network devices (modems, routers, switches, etc.) that were found not to be in compliance with the company’s pre-defined configuration standards as a percentage of total network devices under management at the same point in time.

Rationale: This metric measures the IT function’s diligence in ensuring that network devices are configured properly. Improper configuration can lead to increased risk related to security incidents (internal and external), network performance degradation and network outages.
Formula: (Number of Network Devices Not Meeting All Configuration Standards / Total Number of Network Devices Managed) * 100

Related KRIs/KPIs: Mean Network Bandwidth Utilization Rate - Overall (30 Minute Intervals), Number of Instances Where Network Bandwidth Utilization Exceeded Threshold

64. Number of Network Outages Attributed to Internet Service Provider

Definition: The number of network outages that can be attributed to the company’s Internet Service Provider (ISP), rather than an internal source, during the measurement period.

Rationale: This metric measures the quality and reliability of service related to the company’s ISP. ISP network outages leave the company open to risk related to low productivity, poor customer service/experience, loss of data/information and loss of revenue. ISP service issues are particularly worrisome because they are almost wholly out of the company’s control (i.e., managed by an external third party).

Formula: Count of Network Outage Events Where ISP is Responsible Party

Related KRIs/KPIs: Percentage of Network Devices Meeting Configuration Standards
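The Network Availability formula (KRI 62) and the ISP-attributed outage count (KRI 64) are usually derived from the same outage log, and the detail that bites in practice is an outage that straddles the edge of the measurement period. This is an added example, not OpsDog's code: it applies both formulas to a constructed outage log, clipping straddling events to the period rather than counting them whole or dropping them; the "isp"/"internal" cause labels and the 30-day period are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed outage log (not from the OpsDog document). Each record is a
# period during which the network was unavailable to authorized users.
@dataclass
class Outage:
    start: datetime
    end: datetime
    scheduled: bool   # True = planned maintenance window
    cause: str        # "isp" or "internal" (constructed labels)

def _minutes_inside(o: Outage, p_start: datetime, p_end: datetime) -> float:
    """Minutes of the outage that fall inside the measurement period; events that
    straddle a period boundary are clipped, and events wholly outside count as 0."""
    s, e = max(o.start, p_start), min(o.end, p_end)
    return max((e - s).total_seconds() / 60.0, 0.0)

def network_availability(outages: List[Outage], p_start: datetime, p_end: datetime) -> float:
    """KRI 62: (Uptime + Scheduled Maintenance) /
    (Uptime + Scheduled Maintenance + Unscheduled Downtime) * 100, in percent."""
    total = (p_end - p_start).total_seconds() / 60.0
    sched = sum(_minutes_inside(o, p_start, p_end) for o in outages if o.scheduled)
    unsched = sum(_minutes_inside(o, p_start, p_end) for o in outages if not o.scheduled)
    uptime = total - sched - unsched
    return round((uptime + sched) / (uptime + sched + unsched) * 100, 3)

def isp_outage_count(outages: List[Outage], p_start: datetime, p_end: datetime) -> int:
    """KRI 64: unscheduled outages inside the period where the ISP is the responsible party."""
    return sum(1 for o in outages
               if not o.scheduled and o.cause == "isp"
               and _minutes_inside(o, p_start, p_end) > 0)

PERIOD = (datetime(2024, 6, 1), datetime(2024, 7, 1))   # 30 days = 43,200 minutes
LOG = [
    Outage(datetime(2024, 5, 31, 23, 30), datetime(2024, 6, 1, 0, 30), False, "isp"),  # 30 min inside
    Outage(datetime(2024, 6, 8, 2, 0), datetime(2024, 6, 8, 4, 0), True, "internal"),  # maintenance
    Outage(datetime(2024, 6, 12, 9, 0), datetime(2024, 6, 12, 9, 45), False, "isp"),
    Outage(datetime(2024, 6, 20, 14, 0), datetime(2024, 6, 20, 15, 30), False, "internal"),
    Outage(datetime(2024, 7, 2, 8, 0), datetime(2024, 7, 2, 9, 0), False, "isp"),      # outside period
]

if __name__ == "__main__":
    print("KRI 62 availability %:", network_availability(LOG, *PERIOD))  # 99.618
    print("KRI 64 ISP outages:", isp_outage_count(LOG, *PERIOD))         # 2
```

Because scheduled maintenance appears in both numerator and denominator, only the 165 unscheduled minutes reduce availability here; the two-hour maintenance window does not.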
You can’t manage risk without knowing what to measure.

Our standard IS & IT Key Risk Indicators help organizations quantify and monitor risk. Building a world-class risk management function requires analytics and dashboards to stay ahead of potential threats. OpsDog can help you get there.

Call OpsDog at 844.650.2888 or e-mail us at info@opsdog.com