Page 64 - CISSO_Prep_ Guide
A Key Performance Indicator (KPI) is defined as a measure that
determines how well a process is performing in enabling the
goal to be reached. A KPI is often the absolute requirement that
must be met. For example, a company may need to ensure that
security patches are deployed within seven days of release
and, therefore, set seven days as the KPI. Failing to meet that
criterion would be unacceptable.
A Key Risk Indicator (KRI) is defined by ISACA as "a subset of
risk indicators that are highly relevant and possess a high
probability of predicting or indicating substantial risk." KRIs are
essential indicators that alert management to a potentially
developing danger. For example, if an organization has set a
threshold that requires all patches to be deployed within 7 days of
release, that threshold is a KPI. A KRI may then be set at 6 days;
reaching it alerts management that the patch management process
is close to becoming non-compliant and exceeding the KPI.
The organization should then be able to take corrective
action before the procedure is non-compliant and the time taken
to deploy patches exceeds the KPI.
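The KPI/KRI relationship described above, as an added example that is not part of the guide: a small patch-compliance check that classifies each outstanding or deployed patch against the 7-day KPI and raises the 6-day KRI early warning before the KPI is actually breached. The patch records and the reporting date are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

KPI_DAYS = 7  # absolute requirement: patches deployed within 7 days of release
KRI_DAYS = 6  # early-warning threshold: alert management at 6 days


@dataclass
class PatchRecord:
    patch_id: str
    released: date
    deployed: Optional[date]  # None means the patch is still outstanding


def patch_age_days(rec: PatchRecord, as_of: date) -> int:
    """Days from release to deployment, or to the reporting date if not yet deployed."""
    end = rec.deployed if rec.deployed is not None else as_of
    return (end - rec.released).days


def classify(rec: PatchRecord, as_of: date,
             kpi_days: int = KPI_DAYS, kri_days: int = KRI_DAYS) -> str:
    """Return on_track / kri_alert / kpi_breached for outstanding patches,
    or compliant / kpi_breached for patches that have been deployed."""
    age = patch_age_days(rec, as_of)
    if rec.deployed is not None:
        return "compliant" if age <= kpi_days else "kpi_breached"
    if age > kpi_days:
        return "kpi_breached"       # KPI already missed: unacceptable
    if age >= kri_days:
        return "kri_alert"          # KRI reached: act before the KPI is missed
    return "on_track"


def summarize(records, as_of: date) -> dict:
    """Count patches per status so management sees KRI alerts and KPI breaches."""
    counts = {"on_track": 0, "kri_alert": 0, "kpi_breached": 0, "compliant": 0}
    for rec in records:
        counts[classify(rec, as_of)] += 1
    return counts


# Constructed sample data: reporting date and five patches in various states.
AS_OF = date(2024, 3, 10)
SAMPLE_RECORDS = [
    PatchRecord("P-001", date(2024, 3, 1), date(2024, 3, 5)),  # deployed in 4 days
    PatchRecord("P-002", date(2024, 3, 1), date(2024, 3, 9)),  # deployed in 8 days
    PatchRecord("P-003", date(2024, 3, 4), None),              # 6 days outstanding
    PatchRecord("P-004", date(2024, 3, 8), None),              # 2 days outstanding
    PatchRecord("P-005", date(2024, 3, 2), None),              # 8 days outstanding
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.patch_id, patch_age_days(rec, AS_OF), classify(rec, AS_OF))
    print(summarize(SAMPLE_RECORDS, AS_OF))
```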
Implementing the Security Program
Information security is one of the essential parts of a successful
business today. A breach of sensitive data, or unreliable systems,
can cause business interruption, loss of customers, and financial
penalties. The organization must, therefore, have a security
program: a vision, objectives and goals, personnel, tools, policies
and procedures, and education and awareness programs.
The most fundamental requirement for a security program to be
successful is senior management support. Without that support,
the security program will be unable to influence, direct, and