Information Security Budget as Percentage of IT Budget
Information Security Budget Spend Breakdown
Percentage of Users With Security Exceptions
Percentage of Staff Fully Trained on Infosec Awareness
Compliance Percentages (PCI/SOX/HIPAA/etc.)
Employee Behavior Metrics (hunting anomalies to correlate to risk factors)
Operational
Patch Management
Average - Length of time to patch systems
Average - Length of time to patch network components
Percentage of systems in compliance with organizationally mandated configuration guidance
Percentage of managed systems for which an automated patch management process is used
Average - Length of time from patch release to patch installation
Vulnerability Management
Infrastructure
Percentage of managed systems checked for vulnerabilities in accordance with the organization's policy
Average - Length of time for the organization to mitigate identified managed systems vulnerabilities
Percentage of systems without high severity vulnerabilities based on Common Vulnerability Scoring System (CVSS) scoring
Application
Average - Length of time for the organization to mitigate identified HackerOne submitted vulnerabilities
Access Control and Identity Access Management (Okta)
Average Number of Account Lockouts
Percentage of users for whom privileges can be modified dynamically
Percentage of such users whose privileges are modified dynamically
Percentage of system services for which privileges can be modified randomly
Percentage of such resources for which privileges are modified randomly
Random reviews performed on privilege definitions/assignments [yes/no]
Percentage of cyber resources to which access is controlled based on criticality
Percentage of cyber resources to which access is controlled based on sensitivity
Percentage of users with privileged/administrator access
Data Management
Percentage of cyber resources which are backed up
Percentage which are backed up into hot backups
Percentage which are backed up into cold / archival storage
Time since restoration / reconstitution processes were last exercised
Average time to restore
Average time to back up
Frequency of backup
Business Continuity and Disaster Recovery
Percentage of information systems for which annual testing of contingency plans has been conducted
Time between initiation of recovery procedures and completion of documented milestones in the recovery, contingency, or continuity of operations plan
Time between event or detected circumstances which motivated recovery procedures and achievement of [minimum acceptable, target] mission MOPs
Percentage of mission capabilities for which [minimum acceptable, target] MOPs are achieved within [minimum threshold, target] period of time since initiating event
Percentage of mission-critical cyber resources which are recovered from a backup
Size of gap between lost and recovered mission-critical resources (time service or connection was unavailable, number of records not recovered)
Percentage of mission-essential processes and interfaces restored to pre-disruption state
Length of time to reconstitute a key information asset from a backup data store
Percentage of non-mission-critical resources which are recovered from a backup
Percentage of cyber resources for which access control is maintained throughout the recovery process
Percentage of cyber resources for which access controls at multiple levels or using different mechanisms are maintained consistently throughout the recovery process
Percentage of cyber resources for which auditing or monitoring is maintained throughout the recovery process
Duration of gap in auditing or monitoring for [mission-critical resource, non-mission-critical resource] during recovery
Change Management
Mean-time to Complete Changes
Percent of Changes with Security Review
Percentage of Changes with Security Exceptions
Number of Non-managed Changes (outside of formal process)
Percentage of cyber resources which can be reconfigured on demand
Time between decision to reconfigure resources and completion of reconfiguration
Percentage of cyber resources which can be [automatically, manually] reconfigured
Time between decision to redeploy resources and completion of redeployment
Number of differences between initial set of resources and redeployed set
Percentage of cyber resources that are properly configured