Page 63 - CISSO_Prep_ Guide
program. Goals must be aligned with legal and regulatory
requirements, be accurate and repeatable, be objective rather than
subjective (that is, not subject to the preferences or personal
interpretation of the auditor), and be monitored. It is far too common
to find that organizations have mechanisms in place to monitor their
networks, applications, and other assets, yet, on closer analysis,
no one is tasked with reviewing the controls and ensuring that
regular reports are provided to management.
Another issue, of course, is that even where alerts and reports do
indicate a problem, no one takes measures to correct it.
Indicators
Indicators are an essential part of metrics. A metric has no
relevance unless it is related to a specific objective. These
objectives may be based on many things, such as a benchmark.
For example, par in a golf game is a benchmark that permits a
person to know how well they are performing compared to a
commonly accepted level of performance. Many organizations use
parameters based on what other organizations in their industry
sector or country/region are doing. Other indicators are based on
regulations or on industry-specific standards such as those of the
Payment Card Industry (PCI).
ISACA defines a Key Goal Indicator (KGI) as a measure that tells
management, after the fact, whether an IT process has achieved
its business requirements. This is usually expressed in terms of
information criteria. A KGI can be used to demonstrate compliance
or the success of a project, such as a KGI that notifies management
that a defined standard was met; for example, that a business
continuity test was completed successfully.