Publish information for all workforce members, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.
Measures
M_i = # of reported incident by employee i
P_i = # of published incident reported by employee i
n= # of employee
Metrics/KEI
Organization Awareness Score = ( SUM over i:1 to n (M_i / P_i) ) / n
Determine whether incident response plan exists (becomes M1)
Determine whether the security awareness documentation exists (becomes M2)
If both exist, then review the security awareness plan (determine M3 and M4)
Measures:
M1: An incident response plan exists
M2: A security awareness program exists
M3: The incident response plan requires publishing incident reporting information for all workforce members as part of the organization's security awareness program
M4: The security awareness program publishes incident reporting information for all workforce members
Publish information for all workforce members, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.
Measures
Metrics/KEI
No comment