ComplianceCow / CAML

Continuous Audit Metrics Catalog

Some metrics require a policy defined input value (such as the period between measures or the target RPO) #30

Open pritikin opened 2 years ago

pritikin commented 2 years ago

For example, see BCR-06-M1, where the minimum period is 1yr but guidance is to use local policy.

There seem to be two options:

  1. Details are in the implementation script and not the metric YAML. This simplifies the YAML, which is currently a form of "script" with the A/B definitions.
  2. Like how 'A' or 'B' references a measure, we'd need a way to reference a policy variable.

For discussion: are we aiming to define the script or describe the script...?

mosi-k-platt commented 2 years ago

Great idea @pritikin. For this particular metric, I made a mistake. The metrics catalog includes a recommended frequency of 1 week. I missed that because that column is not included in the MVP Summary tab of the Google sheet, which I was working from when I entered this metric in the yaml file. Lesson learned. I'll use the MetricCatalog tab as my source of truth moving forward.