adammontville / cis-controls-71-measures


Subcontrol 17.4 #32

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards and business requirements.

Measures

w_i = weights of each category to be introduced
I_i = # of items introduced from category i
p_j = # of items collected or proposed of category j
M1 = Current time
M2 = last update time
M3 = Max allowed time without update

Metrics/KEI

AP Quality = (sum from i=1 to 4 of (I_i / p_i) * w_i) / (sum from i=1 to 4 of w_i)
Freshness of Awareness program = (M1 - M2) / M3

How is this technically measurable at all?

apiperCIS commented 5 years ago

Inputs
1) Date the organization's security awareness program was last updated
2) Maximum time allowed between updates to the organization's security awareness program

Operations
1) Verify that the maximum time allowed between updates to the security awareness program (Input 2) is one year or less and set M1 accordingly.
2) Check the date that the security awareness program was last updated (Input 1) to make sure that it occurred within the required time frame (Input 2) and set M2 accordingly.

Measures
M1: boolean value; 1 if maximum time allowed between security awareness program updates is one year or less, 0 if greater than one year
M2: boolean value; 1 if the last update to the security awareness program was within the required time frame, 0 otherwise

Metrics
Security awareness program was last updated within acceptable time frame: M1 and M2
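The M1/M2 measures and the "M1 and M2" metric from the comment above, together with the AP Quality and freshness formulas from the opening comment, as an added Python example that is not part of the repository. It assumes "one year" means 365 days and that a category with nothing proposed (p_i = 0) is left out of the AP Quality sums; the sample dates are constructed.

```python
from datetime import date, timedelta

# Assumption (not from the issue): "one year" is taken as 365 days.
ONE_YEAR = timedelta(days=365)

def measure_m1(max_interval: timedelta) -> int:
    """M1 (apiperCIS): 1 if the maximum allowed time between updates is one year or less."""
    return 1 if max_interval <= ONE_YEAR else 0

def measure_m2(last_update: date, max_interval: timedelta, today: date) -> int:
    """M2 (apiperCIS): 1 if the last update falls within the required time frame."""
    return 1 if today - last_update <= max_interval else 0

def metric_17_4(last_update: date, max_interval: timedelta, today: date) -> bool:
    """Metric: program last updated within acceptable time frame = M1 and M2."""
    return bool(measure_m1(max_interval) and measure_m2(last_update, max_interval, today))

def freshness(last_update: date, max_interval: timedelta, today: date) -> float:
    """Opening comment's (M1 - M2) / M3 using its time-based M1..M3: elapsed time
    since the last update divided by the maximum allowed; above 1.0 means overdue."""
    return (today - last_update) / max_interval

def ap_quality(introduced: list, proposed: list, weights: list) -> float:
    """Opening comment's AP Quality: sum_i (I_i / p_i) * w_i divided by sum_i w_i.
    Assumption: a category with nothing proposed (p_i == 0) is left out of both sums."""
    num = den = 0.0
    for i_count, p_count, w in zip(introduced, proposed, weights):
        if p_count == 0:
            continue
        num += (i_count / p_count) * w
        den += w
    return num / den if den else 0.0

if __name__ == "__main__":
    # Constructed sample: program last updated 2023-09-01, one-year cadence, assessed 2024-06-01.
    last, cadence, today = date(2023, 9, 1), timedelta(days=365), date(2024, 6, 1)
    print("M1:", measure_m1(cadence), "M2:", measure_m2(last, cadence, today))
    print("17.4 metric:", metric_17_4(last, cadence, today))
    print("freshness: %.2f" % freshness(last, cadence, today))
    print("AP quality:", ap_quality([2, 4, 0, 1], [4, 4, 0, 2], [2, 1, 1, 1]))
```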