1 Executive Summary
The report provides selected Key Risk Indicators (KRI) for the area of cyber security. These indicators are easy to measure and provide organizations ...
3 Why work with KRIs and KPIs?
To manage IT services effectively requires a set of measures against which performance can be judged. KRIs and KPIs provide such measures of risk and ...
3.1 The value of KRIs and KPIs
There are several obvious ways in which the use of KRIs/KPIs offers value. From KuppingerCole’s perspective, the four most important ones are:
- Reduced impact from risks: risks can be measured in two dimensions, likelihood and impact. It is often very difficult to be sure of the likelihood, but you can usually measure the impact. Controlling or mitigating impact is a key approach to risk management.
- Management by risk: Consequently, management can focus on identified risks. It is much more efficient to focus on the things with the worst impact instead of trying to cover every aspect without knowing whether it is relevant or not. Management by risk is a form of “management by exception”, i.e. focusing on the situations where the risk metrics indicate that action should be taken.
- Control actions for risks: Risk management involves the definition of control actions to be implemented where risk is unacceptable. These controls enable organizations to respond to risks in a defined and structured way. KPIs allow the effectiveness of these controls to be measured.
- Proven success in operations and projects: A benefit of both KRIs and simple KPIs is that success can be proven. When the current value of a metric is compared with a baseline, you can see how things have improved or worsened. A continuous approach using metrics allows this kind of comparison.
In short, the benefits of using KPIs for managing by risk are reduced impact, clearly defined control measures and proven success.
4 The Top KRIs/KPIs for Cyber Security
To enable organizations to quickly start using a risk-based approach to cyber security, this report identifies the top KRIs/KPIs for the areas identifi ...
4.1 Hybrid Cyber Security Architecture
Organizations typically use multiple ways to deliver their IT services, including the use of services from different cloud vendors. At th ...
The complexities introduced by the hybrid delivery model are illustrated in Figure 1. There are multiple technology layers and the responsibility for ...
4.2 Identify (ID)
You can’t protect what you don’t know you have. The first step towards cyber security is to classify the assets and data held by the organization ...
4.2.1 Asset Management (ID.AM)
NIST Category: “The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and ...
4.2.2 Classification of Assets (ID.AM-5)
We strongly recommend creating a risk classification of these assets. The risk classification might be derived from the following properties of applic ...
4.2.3 Governance of Cyber Security (ID.GV)
NIST Category: “The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and oper ...
4.2.4 Cyber Security Management Framework (ID.GV)
Organizations should adopt a cyber security framework. This is essential to ensure that cyber security standards and best practices are consistently ...
4.2.5 Cyber Security Architecture (ID.GV)
A complete and comprehensive cyber security architecture based on recognized standards (e.g. NIST 800-37) is necessary to ensure that security process ...
4.2.6 Risk Assessment (ID.RA)
NIST Category: “The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputatio ...
4.2.7 Vulnerability Management (ID.RA-1)
Cyber threats exploit vulnerabilities and overcome weak controls to cause cyber incidents where systems or data are damaged, or data is stolen. The m ...
4.2.8 Supply Chain Risk Management (ID.SC)
NIST Category: “The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions a ...
4.2.9 Service Certification (ID.SC-4)
It is usually impractical for cloud service providers to allow each customer to perform their own audit of the service. The use of standards and re ...
4.3.1 Identity Management, Authentication and Access Control (PR.AC)
NIST Category: “Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is mana ...
4.3.2 Identity Lifecycle Management (PR.AC-1)
This covers KPIs for all the processes concerned with managing the complete lifecycle of the electronic identities of individuals with access to systems, ...
4.3.3 Employee Screening (PR.AC-1)
It is essential that employees and other entities that have access to organizational systems, applications and data are vetted. Potential employ ...
4.3.4 Entitlement Management (PR.AC-4)
Access to information, applications, and systems should be controlled based on business requirements. Access rights should be assigned in a timely ma ...
4.3.5 Privileged Account Management (PR.AC-4)
Managing privileged user access is a vital element of cyber security. The assignment of access privileges should be strictly controlled, and the use ...
4.3.6 Orphan accounts (PR.AC-1)
These are user accounts in systems which are not associated with a specific known person or entity. They represent an important risk because they cou ...
4.3.7 Deployment of strong authentication (PR.AC-7)
The explosion in the ways that people can connect to systems using mobile devices and the internet has increased the risks of impersonation and ch ...
4.3.8 Network Access Control (PR.AC-4) / (PR.AC-5)
Organizational systems depend upon network communication both within the organization as well as with suppliers, partners and customers. These commun ...
4.3.9 Access to Cloud Services (PR.AC-4)
Users and lines of business often use personal or at least unsanctioned cloud services in order to “get the job done”. This has the potential to ...
4.3.10 Awareness and Training (PR.AT)
The users of systems are the first line of defense against cyber-attacks. It is essential that they are trained and supported.
NIST Category: “T ...
4.3.11 Data Security (PR.DS)
In the hybrid IT service delivery model, the organization using the service is always ultimately responsible for their data wherever it is held and ho ...
4.3.12 Use of Data Leak Prevention Technology (PR.DS-5)
Often organizations are not aware of the amount and location of sensitive data that they hold. Employees can create unstructured files such as Word d ...
4.3.13 Cloud Access Security Broker (PR.DS-5)
Cloud Access Security Brokers add another layer of protection to organizational data by identifying and controlling the cloud services used by employe ...
4.3.14 Encryption of Data at Rest (PR.DS-1)
Stored data is a target for cyber adversaries and encrypting data provides security against some of the risks. It is very helpful to protect data hel ...
4.3.15 Encryption of Data in Transit (PR.DS-2)
Data flowing through communications networks is susceptible to interception. Encrypting the data is the most effective way to protect data in transi ...
4.3.16 Information Protection Processes and Procedures (PR.IP)
NIST Category: “Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organization ...
4.3.17 Change Management (PR.IP)
Related ISO/IEC 27001 Controls:
- A.12.1.2 Operations Change Management
- A.12.5.2 Control of operational software
- A.14.2.2 Systems Acquisition / Dev ...
4.3.18 Data Backup and Media Handling (PR.DS-3)
There are numerous examples of cyber-attacks leading to data breaches due to poor handling of exchangeable media containing sensitive data. It is imp ...
4.3.19 Anti-Malware Protection (PR.PT)
Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, an ...
4.4 Detect (DE)
Cyber security depends upon being able to detect anomalies and monitor performance against specified controls. This monitoring requires trustworthy l ...
4.4.1 Central Logging and Anomaly Detection (DE.AE)
NIST Category: “Anomalous activity is detected, and the potential impact of events is understood.”
Related ISO/IEC 27001 Control: A.12.4 Log ...
4.4.2 Security Operations Centre (DE.CM) / (DE.DP)
Organizations need a central point for collecting, analysing and assessing security threats and events. This is commonly known as a Security Operatio ...
4.5 Response (RS)
It is not enough to know that your organization is under a cyber-attack; it is essential to be able to respond.
It is no longer a case of if an organ ...
4.5.1 Tested Incident Response Planning (RS.RP)
NIST Category: “Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.”
4.6 Recovery (RC)
It is essential that the organization has a prepared and tested recovery plan that covers all elements needed to deliver the business-critical service ...
4.6.1 Tested Incident Recovery Plan (RC.RP)
NIST Category: “Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity ...
4.6.2 Operational Resilience (RC.RP)
The organizational systems and applications should be designed, implemented, configured and deployed to achieve the required levels of availability in ...
4.7 ISO/IEC 27001 Controls Mapped to KPIs
ISO/IEC 27001 is a widely accepted standard for information security. The KPIs specified in this report help to demonstrate progress towards implemen ...
4.8 Hybrid IT Security Elements Mapped to NIST Subcategories and to KPIs
The NIST Cybersecurity Framework is being widely adopted and the KPIs described in this report help to demonstrate progress toward implementing this ...
To realize the benefits described in the previous chapters, it is recommended that IT organizations move to using KRIs and KPIs for cyber security. To ...
5.1 Organizational aspects
There are currently several standardized frameworks for cyber security available; these include ISO/IEC 27001 and the NIST Cybersecurity Framework. T ...
5.2 Risk-based cyber security processes
The initial phase of implementing a risk-based approach to cyber security should adopt lean processes.
- Collection: How can the information be coll ...
5.3 The choice of KRIs and KPIs
There are three golden rules for choosing the appropriate KRIs/KPIs:
- Choose valid indicators: Indicators should be capable of directly relating to ...
5.4 Base KPIs and KRIs on business goals
The KPIs and KRIs must be based on business goals.
For example, if a strategic goal of an organization is for digital transformation, then it needs ...
In terms of cyber security, considering the NIST Cybersecurity Framework particularly, this means that:
- The organization must be able to identify ...
5.5 Scorecard Approach
KuppingerCole strongly recommends building a scorecard for the KRIs. That scorecard could be divided into the following segments:
The scorecard could then include four pieces of information per KRI:
- Current value
- Change (either absolute or relative)
- Direction of change
- I ...