176 ◾ Official (ISC)²® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
budget and schedule to priorities is the gap closure plan. An effective gap closure plan is an intelligent allocation of resources to establish an enterprise security posture that balances empowerment to fulfill the mission with risk mitigation, ensuring legislative compliance and employee safety while optimizing stakeholder interests.
The gap closure plan will include what to purchase, implement, test, deploy, and operate for users to perform tasks that achieve the enterprise mission and fulfill the enterprise vision. Existence metrics compare the as-is posture to the to-be posture. Existence metrics may track how many safeguards are in the budget, how many are ordered, and how many are received, tested, deployed, and in current operations.
Effectiveness Metrics
The fact that the enterprise has a safeguard and it was deployed into the field does not necessarily imply that the safeguard is producing expected results. The safeguard may be inoperable, or it may not be providing what the end user or operations manager expected it to provide. Moreover, the safeguard of last year may have been very effective, but a new threat has rendered the safeguard ineffective. With respect to technology and process, effectiveness metrics track the operational state of the safeguard, and whether the safeguard is producing the expected results.
For example, with respect to security training, awareness, and education, effectiveness metrics may track the dissemination, awareness, understanding, and use of security policy, standards, procedures, services, and mechanisms. Dissemination metrics may track how many e-mails went out notifying employees of a new policy or safeguard. Awareness metrics may track how many employees opened up the e-mail, with the assumption that if they opened it they are now aware. Follow-up tests, quizzes, or surveys will measure employee understanding of the material. Audit logs and transaction logs will provide measures of actual use.
Efficiency Metrics
A safeguard should produce a desired result, and it should do so within acceptable operating parameters. Service level agreements (SLAs) reflect these acceptable operating parameters and may include bandwidth utilization, response time, quality of communications, error reporting, notice of performance degradation, and notice of hard failure.
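As an added illustration (not from the guide), the three metric families above can be computed from ordinary operational records: a safeguard lifecycle table yields the existence counts, a notification list, quiz results and audit log yield the awareness funnel (disseminated, aware, understood, used), and SLA response-time samples yield an efficiency breach rate. All data below is constructed; the safeguard names, users and log format are assumptions for the example.

```python
# Existence metrics: the furthest lifecycle stage each safeguard has reached
# (constructed sample data; stage names follow the guide's list).
STAGES = ["budgeted", "ordered", "received", "tested", "deployed", "operational"]
SAFEGUARDS = {
    "mfa-gateway": "operational",
    "edr-agents": "deployed",
    "dlp-proxy": "tested",
    "siem-upgrade": "ordered",
    "backup-vault": "budgeted",
}

def existence_metrics(safeguards):
    """Count how many safeguards have reached at least each stage (as-is vs. to-be)."""
    reached = {stage: 0 for stage in STAGES}
    for furthest in safeguards.values():
        for stage in STAGES[: STAGES.index(furthest) + 1]:
            reached[stage] += 1
    return reached

# Effectiveness metrics for a new-policy rollout (constructed): who was e-mailed,
# who opened it, who passed the follow-up quiz, and who shows up in the audit log
# actually using the new mechanism.
NOTIFIED = {"alice", "bob", "carol", "dave", "erin"}
OPENED = {"alice", "bob", "carol", "dave"}
QUIZ_PASSED = {"alice", "bob", "carol"}
AUDIT_LOG = [  # constructed lines: "<date> <user> <action>"
    "2024-01-10 alice policy_ack",
    "2024-01-10 alice mfa_enroll",
    "2024-01-11 bob mfa_enroll",
    "2024-01-12 frank mfa_enroll",  # not part of the campaign, so not counted
]

def effectiveness_funnel(notified, opened, passed, audit_log, action="mfa_enroll"):
    """Fraction of notified staff at each step: aware -> understood -> used."""
    users_seen = {line.split()[1] for line in audit_log if line.split()[2] == action}
    n = len(notified)
    return {
        "disseminated": n,
        "aware": len(opened & notified) / n,
        "understood": len(passed & notified) / n,
        "used": len(users_seen & notified) / n,
    }

# Efficiency metric: share of response-time samples (ms) outside the SLA bound.
RESPONSE_MS = [120, 250, 90, 800, 300]  # constructed samples

def sla_breach_rate(samples, max_ms):
    """Return the fraction of samples that exceed the SLA response-time limit."""
    return sum(1 for ms in samples if ms > max_ms) / len(samples)
```

Tracking these three views over time separates "we bought it" (existence) from "it works and people use it" (effectiveness) and "it works within the agreed parameters" (efficiency).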
Process
In a given environment, people perform processes using technology to produce results.
Security operations processes subject to compliance or in support of compliance
management include the following: