Page 62 - CISSO_Prep_ Guide
Specific metrics are metrics that review a clearly defined process
with defined objectives and thresholds for performance. An
example of such a metric would be network availability. The
business can set a performance objective of 99% availability. This
is a specific, measurable value that would indicate either
acceptable or unacceptable performance.
Measurable metrics are those that are quantitative, objective, and
detailed. Such metrics are numerically based (quantitative) rather
than subjective, and they are repeatable and accurate.
Attainable - the metrics should be realistic and achievable; they
should not attempt to reach a standard that is simply impossible
to achieve. If the business cannot reach the required level of
performance, employees may stop trying, since success is not
possible. For example, an objective of 100% uptime would
discourage the staff instead of inspiring them.
Relevant - There is little value in measuring things that merely
make management shrug their shoulders and wonder why such
things are measured. The choice of what to monitor should be
made in consultation with management to ensure that the metrics
are aligned with business priorities and management's interests.
Timely - the metrics must be reported while they are still useful.
If a metric reports on an event that has long passed and there is
no opportunity to learn from the report, then the metric is of
little use to the organization.
SMART metrics are only one of the ways that metrics are defined.
There are many others, but the most important thing to remember
is that metrics should only be used to measure issues that are
relevant to the organization. These essential bits of data provide
meaningful information that can alert management to the health
and effectiveness of the information security management