Measure, Share, Compare.

ClearPoint is continuous monitoring of vital IT and information security controls.

On-Demand Management

A Security Metrics Program is the cornerstone of an effective governance strategy. Metrics affirm the existence, effectiveness, and efficiency of security controls. Scorecards communicate internal control performance to all stakeholders and provide the insights needed for instituting corrective action plans. Used together, metrics and scorecards facilitate your governance program and provide confirmatory evidence of controls.

Use Metrics to Demonstrate Compliance

Governance often stipulates that the organization must demonstrate the existence of internal controls to ensure the confidentiality, integrity, and availability of critical systems and information. But the rules and regulations do not explicitly identify how to demonstrate the presence of internal controls. Since you cannot measure an entity that does not exist, metrics are an effective way to prove that your organization has internal controls in place. By implementing a Security Metrics Program, your organization can present hard facts and data that establish not only the existence but also the performance of internal controls. Automated metrics are atomic and transparent, making it faster, easier, and less costly to satisfy audits.

Use Metrics to Evaluate Efficacy of Internal Controls

Internal controls are the compilation of security processes defined by security policies or goals. The intent of internal controls is to provide well-defined procedures to ensure the success and efficiency of IT security operations. Effective internal controls allow continuous improvement to the confidentiality, integrity, and availability of business-critical systems, assets, and information.

A meaningful definition of "effectiveness" must be based on a frame of reference. The frame of reference can be a benchmark, organizational goal, industry standard, or derived from past performance. Metrics provide the means to evaluate the effectiveness of an organization's internal controls by measuring performance and analyzing key performance indicators against the frame of reference. Based on the analysis provided by metrics, executives can more accurately evaluate the effectiveness of their internal controls and identify deficiencies. Using multiple metrics in conjunction, executives can analyze and project the impact that changes and improvements to internal controls would have on the organization's security posture.

The table below shows how ClearPoint meets each of the above requirements:

Governance Requirement: Demonstrate establishment of internal controls
ClearPoint Solution: For a metric to exist there needs to be an entity for it to measure. The implementation of a metric indicates that there is an internal control in place.

Governance Requirement: Regularly evaluate effectiveness of internal controls
ClearPoint Solution: Metrics provide key indicators of performance against goals established for effectiveness and efficiency.

Governance Requirement: Identify deficiencies with internal controls and provide an appropriate corrective action plan
ClearPoint Solution: Viewing metric results in a scorecard allows the organization to identify shortfalls and to understand the relationship between actions taken and results observed. This is precisely the insight needed to identify the adjustments needed to drive improvement.

Governance Requirement: Third-party auditor to affirm internal control efficacy
ClearPoint Solution: Metrics are atomic and transparent, allowing third-party auditors to evaluate internal controls independently.

Governance Requirement: Report evaluation of internal control efficacy and corrective actions
ClearPoint Solution: Scorecards provide the medium through which the state of internal controls is expressed. Annotation allows security managers to note plans to address deficiencies.

Learn more about how ClearPoint™ and the Security Compliance Best Practice Package can facilitate your governance and compliance program.