
Information Security Metrics Gathering Policy

1. Purpose and scope

1.1. The purpose of this policy is to establish a framework for the collection of information security metrics which facilitate the management of information security performance at the University.

1.2. The scope of this policy includes all currently reportable and potential future metrics which provide insight into information security at the University.

1.3. The policy does not include information security metrics at the level of the individual.

2. Relationship with existing policies

2.1. This policy forms part of the Information Security Framework and should be read in conjunction with the Information Security Review Policy and all supporting policies.

3. Policy

3.1. In order to assess and manage the performance of the University in terms of information security, a comprehensive and relevant set of metrics is required.

3.2. Information security metrics should enable one or more of the following:

  • communicate performance
  • drive improvement
  • measure the effectiveness of existing controls
  • help diagnose problems
  • support decision making
  • provide increased accountability
  • guide resource allocation
  • demonstrate levels of compliance
  • facilitate benchmarking with peer HEIs

3.3. The essential features of all metrics to be used in conjunction with this policy are that they should be:

  • necessary to satisfy a specific business requirement
  • consistently measured
  • cost effective to produce
  • quantifiable
  • expressed using at least one unit of measure (e.g. number of network intrusion events per week)

3.4. The category of metrics which will be of most use to the organisation will evolve as the framework matures, as risks to information are identified, and in response to changes in the external environment. Decisions will need to be made at appropriate junctures as to whether individual metrics are:

  • still useful and to be included in reporting to the Professional Services Board
  • only useful at an operational level, relevant to the Information Security Oversight Group, and therefore excluded from the Professional Services Board reporting
  • no longer useful and collection to be ceased

4. Key metric types

4.1. The metric types used will be a mixture of the types below, with the trend over time being to move from a predominance of implementation metrics to efficiency and impact metrics.

  • Implementation metrics – e.g. % increase over time of encrypted University-owned laptops.
  • Efficiency/Effectiveness metrics – e.g. % of staff who fall victim to a corporate phishing exercise.
  • Impact metrics – e.g. reduction in sensitive data disclosures due to stolen or vulnerable laptops.

5. Reporting

5.1. Metrics to be reported will be documented in the Information Security Metrics Matrix that will detail:

  • the metric name
  • the purpose of the metric
  • a brief description of the metric
  • what is being measured
  • how it is being measured
  • who is responsible for measurement

6. Roles and responsibilities

6.1. The Chief Operating Officer and University Secretary, in their role as the Senior Information Risk Owner, is the sponsor for this policy, and responsible for approving the need to develop or substantively amend the policy, for presenting the final draft to the approving body and for ensuring that their policy-making documents comply with, and are monitored and reviewed in line with the Cardiff University Policy for the Development of Policy-making Documents.

6.2. The Senior Information Risk Owner is responsible for ensuring that appropriate metrics are collected and analysed as part of the annual review process and used to deliver continual improvement as described in the Information Security Framework Review Policy.

6.3. The Information Security Oversight Group is responsible for maintaining, updating and ensuring the appropriateness of the metrics within the Information Security Metrics Matrix, supplying the Matrix and measurements on request.

Document control table

Document title: Information Security Metrics Gathering Policy
Author(s): Owen Hadall, Director of IT
Version number: 1.4
Date approved: 18 December 2024
Effective date: 18 December 2025
Date of next review: December 2028
Superseded version: 1.3