Metrics aid management in its ability to assess the overall IT environment. The specific metrics reported, and the frequency with which they are reported, depend on the institution's IT environment. The following are common examples:
- Number of risk issues identified for IT activities (updated regularly to reflect new or mitigated issues). This may include information gathered through the threat intelligence and collaboration process.
- Number of risk acceptance issues approved by senior management. This information may be maintained in a database or other repository of the descriptions, mitigation options, and documentation of management acceptance.
- Number of current and historical events or issues (external and internal events that deviate from the control standards).
- Number of current or outstanding (i.e., unresolved) issues identified by the business unit, internal audit, external audit, or regulator.
Many tools can be used to provide management with metrics to facilitate risk monitoring, such as key risk indicators A key risk indicator is a measure used to indicate the level of risk associated with an activity. and key control indicators. A key control indicator is a metric that indicates the potential for a control to fail within an organization. These are indicators that correlate with changes in risk and control effectiveness. When developed and monitored correctly, metrics can direct management's attention to areas of potential problems. Refer to the "Metrics" section of the IT Handbook's "Information Security" booklet for more information. As appropriate, certain metrics or summary reports of metrics should be provided to the board.
III.D Monitoring and Reporting
III.D.2 Performance Benchmarks