List of Information Security Metrics to Track


Organizational

  • Information Security Budget as Percentage of IT Budget
  • Information Security Budget Spend Breakdown
  • Percentage of Users With Security Exceptions
  • Percentage of Staff Fully Trained on Infosec Awareness
  • Compliance Percentages (PCI/SOX/HIPAA/etc.)
  • Employee Behavior Metrics (hunting anomalies to correlate to risk factors)

Operational

Patch Management

  • Average - Length of time to patch systems
  • Average - Length of time to patch network components
  • Percentage of systems in compliance with organizationally mandated configuration guidance
  • Percentage of managed systems for which an automated patch management process is used
  • Average - Length of time from patch release to patch installation

Vulnerability Management

Infrastructure

  • Percentage of managed systems checked for vulnerabilities in accordance with the organization's policy
  • Average - Length of time for the organization to mitigate identified managed systems vulnerabilities.
  • Percentage of systems without“high severity vulnerabilities based on Common Vulnerability Scoring System (CVSS) scoring

Application

  • Average - Length of time for the organization to mitigate identified Hackerone Submitted vulnerabilities.

Access Control and Identity Accessment Management (Okta)

  • Average Number of Account Lockouts
  • Percentage of users for whom privileges can be modified dynamically
  • Percentage of such users whose privileges are modified dynamically
  • Percentage of system services for which privileges can be modified randomly
  • Percentage of such resources for which privileges are modified randomly
  • Random reviews performed on privilege definitions/assignments [yes/no]
  • Percentage of cyber resources to which access is controlled based on criticality
  • Percentage of cyber resources to which access is controlled based on sensitivity
  • Percentage of users with privileged/administrator access

Data Management

  • Percentage of cyber resources which are backed up
  • Percentage which are backed up into hot backups
  • Percentage which are backed up into cold / archival storage
  • Time since restoration / reconstitution processes were last exercised
  • Average time to restore
  • Average time to back up
  • Frequency of backup

Business Continuity and Disaster Recovery

  • Percentage of information systems for which annual testing of contingency plans has been conducted.
  • Time between initiation of recovery procedures and completion of  documented milestones in the recovery, contingency, or continuity of  operations plan
  • Time between event or detected circumstances which motivated recovery procedures and achievement of [minimum acceptable, target] mission MOPs
  • Percentage of mission capabilities for which [minimum acceptable, target]  MOPs are achieved within [minimum threshold, target] period of time  since initiating event
  • Percentage of mission-critical cyber resources which are recovered from a backup
  • Size of gap between lost and recovered mission-critical resources (time service or connection was unavailable, number of records not recovered)
  • Percentage of mission-essential processes and interfaces restored to pre-disruption state
  • Length of time to reconstitute a key information asset from a backup data store
  • Percentage of non-mission-critical resources which are recovered from a backup
  • Percentage of cyber resources for which access control is maintained throughout the recovery process
  • Percentage of cyber resources for which access controls at multiple levels  or using different mechanisms are maintained consistently throughout the  recovery process
  • Percentage of cyber resources for which auditing or monitoring is maintained throughout the recovery process
  • Duration of gap in auditing or monitoring for [mission-critical resource, non-mission-critical resource] during recovery.

Change Management

  • Mean-time to Complete Changes
  • Percent of Changes with Security Review
  • Percentage of Changes with Security Exceptions
  • Number of Non-managed Changes (outside of formal process)
  • Percentage of cyber resources which can be reconfigured on demand
  • Time between decision to reconfigure resources and completion of reconfiguration
  • Percentage of cyber resources which can be [automatically, manually] reconfigured
  • Time between decision to redeploy resources and completion of redeployment
  • Number of differences between initial set of resources and redeployed set
  • Percentage of cyber resources that are properly configured