Open adammontville opened 5 years ago
Could we get some more explanation on the metrics formula, as well as a description of the "damping factor"?
For Controls Team: UNCC asked what "enabling" means here. Why do employees need training on "enabling" secure authentication - isn't that a function of the enterprise to enable it and then the employees are trained on how to use the secure authentication methods that the organization enables?
Inputs
1. List of workforce members
2. List of most recent completion date for this module of the security awareness training for each workforce member
3. Required frequency of training (at least annually)

Operations
For each workforce member in Input 1, check Input 2 to see if that workforce member's most recent completion date of this training module was within the time frame specified by Input 3 (if the workforce member is not listed in Input 2, assume the workforce member is not compliant). Generate a list of compliant workforce members (M1) and a list of non-compliant workforce members (M2).

Measures
- M1: List of workforce members who have completed this security awareness training module within the specified time frame (compliant list)
- M2: List of workforce members who have not completed this security awareness training module within the specified time frame (non-compliant list)
- M3: Number of workforce members in the compliant list (M1)
- M4: Number of workforce members in the non-compliant list (M2)
- M5: Total number of workforce members in Input 1

Metrics
- Coverage: M3 / M5
Note: A more advanced measure would involve comparing assessment scores over time to measure the effectiveness of this module. While such assessment scores could come from something as basic as a test at the end of the training module, they could also come from a more advanced check of the module's content as implemented in the organization over time.
I left in the time factor in the above measurement proposal, even though the wording of the sub-control does not explicitly state it. I'm considering 17.3 as the primary security awareness training program and it does have a time factor, and then 17.5 - 17.9 are specific modules within that security awareness training program, so they effectively inherit the time factor from 17.3. If we like this approach, 17.6 - 17.9 could be simple cut/paste from this one. Thoughts?
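The Operations step and the M1 through M5 measures in the proposal above, carried out in code. This is an added worked example, not code from this thread or from the CIS Controls project; the function and field names, the sample roster and the completion dates are constructed for illustration. Two choices beyond what the proposal states are assumptions: duplicate IDs in Input 1 are collapsed so M5 counts people rather than rows, and a completion date recorded after the measurement date is treated as bad data and counted as non-compliant.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class TrainingMeasures:
    """M1..M5 and the Coverage metric from the measurement proposal."""
    compliant: tuple           # M1: members trained within the required time frame
    non_compliant: tuple       # M2: members not trained within the required time frame
    compliant_count: int       # M3: number of members in M1
    non_compliant_count: int   # M4: number of members in M2
    total: int                 # M5: number of members in Input 1
    coverage: float            # Coverage: M3 / M5 (0.0 when Input 1 is empty)


def measure_training_coverage(workforce, completions, frequency_days, as_of):
    """Apply the Operations step to the three inputs.

    workforce      -- Input 1: workforce member IDs (hypothetical example field)
    completions    -- Input 2: {member_id: date of most recent completion}
    frequency_days -- Input 3: required frequency in days (365 = at least annually)
    as_of          -- the day the measurement is taken; makes the result reproducible
    """
    # Assumption: Input 1 identifies people, so duplicate IDs are collapsed
    # (dict.fromkeys keeps first-seen order).
    members = list(dict.fromkeys(workforce))
    window_start = as_of - timedelta(days=frequency_days)

    compliant, non_compliant = [], []
    for member in members:
        completed_on = completions.get(member)
        # Not listed in Input 2 -> non-compliant, as the proposal states.
        # Assumption: a completion dated after as_of is bad data and also non-compliant.
        if completed_on is not None and window_start <= completed_on <= as_of:
            compliant.append(member)
        else:
            non_compliant.append(member)

    total = len(members)
    return TrainingMeasures(
        compliant=tuple(compliant),
        non_compliant=tuple(non_compliant),
        compliant_count=len(compliant),
        non_compliant_count=len(non_compliant),
        total=total,
        coverage=len(compliant) / total if total else 0.0,
    )


# Constructed sample data for illustration; not taken from the thread.
SAMPLE_AS_OF = date(2024, 6, 1)
SAMPLE_WORKFORCE = ["alice", "bob", "carol", "dave", "erin"]
SAMPLE_COMPLETIONS = {
    "alice": date(2024, 1, 15),  # within the last year -> compliant
    "bob": date(2023, 4, 1),     # more than a year ago -> non-compliant
    "dave": date(2023, 6, 2),    # exactly 365 days before as_of -> boundary, compliant
    "erin": date(2024, 7, 1),    # recorded in the future -> bad data, non-compliant
    # carol has no record at all -> non-compliant
}


def run_example():
    """Measure the sample roster against an annual (365-day) requirement."""
    return measure_training_coverage(SAMPLE_WORKFORCE, SAMPLE_COMPLETIONS, 365, SAMPLE_AS_OF)


if __name__ == "__main__":
    m = run_example()
    print("M1 compliant:    ", m.compliant)
    print("M2 non-compliant:", m.non_compliant)
    print("M3 / M4 / M5:    ", m.compliant_count, m.non_compliant_count, m.total)
    print("Coverage:        ", f"{m.coverage:.2%}")
```

Passing `as_of` explicitly rather than reading the clock inside the function is what makes the time factor auditable: the same inputs measured on the same date always give the same M1 through M5, and the 365-day window is the "at least annually" frequency inherited from 17.3 in the proposal.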
Train workforce members on the importance of enabling and utilizing secure authentication.
What Aaron said. Seems not practically measurable at this point. That said, what if we took a measure like this to SANS and asked them to develop an API providing the data for a given organization?