Subcontrol 19.6

[adammontville]

Publish information for all workforce members, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.

Measures

M_i = # of reported incident by employee i
P_i = # of published incident reported by employee i
n= # of employee

Metrics/KEI

Organization Awareness Score = ( SUM over i:1 to n (M_i / P_i) ) / n

No comment

[adammontville]

Input

• Incident response plan
• Security awareness program documentation

Operations:

• Determine whether incident response plan exists (becomes M1)
• Determine whether the security awareness documentation exists (becomes M2)
• If both exist, then review the security awareness plan (determine M3 and M4)

Measures:

• M1: An incident response plan exists
• M2: A security awareness program exists
• M3: The incident response plan requires publishing incident reporting information for all workforce members as part of the organization's security awareness program
• M4: The security awareness program publishes incident reporting information for all workforce members

Metrics:

• M1 AND M2 AND M3 AND M4