ISACA
March 2006
Agenda
• Information Collection
• Examples
• Summary
• People
– Training & Certifications
– Competence Turnover
• Technology
– Currency
– Cost management
– Compliance / licensing
• Investment
– Trends per area
• Productivity
– Missed Deadlines
Objective: What are the objectives of the KPI – what is it measuring? Why is it important?
Stakeholder: Who is this KPI relevant to?
Tools: Any potential tools used to support the measurement and reporting process?
Frequency: ___ Day ___ Week ___ Month ___ Quarter ___ Year ___ Year+
Comments: Any additional information or comments? Is this a requirement from legislation or regulations?
Frequency ___ Day _X_ Week _X_ Month _X_ Quarter _X_ Year ___ Year+
Incident Tracking (Ticketing System)
Geographical Dashboard View
Reports
The dashboard aims to transform data from operations into actionable information for decision makers.
Key Control Objectives and Controls: What are the key control objectives and controls that should be in place for the organization? The controls should be based on international reference standards.
Measurements: What are the measurements that may be available to report on this area?
KPI(s): What Key Performance Indicator(s) should be defined for this objective?
Measurement - 1: Number of inappropriate use cases opened and verified
KPI - 1: Number of verified instances of inappropriate use over a set time period (weekly or by reporting period)
KPI - 3: Number of verified inappropriate use events compared with the number of IT security awareness training days per person, compared over time
Measurement - 3: Number of IT security awareness training days
© Deloitte & Touche LLP and affiliated entities.
An example KPX for Inappropriate Use
KPX
Measurement - 1: Number of incidents of intrusions detected and reported
KPI - 1: Average amount of Loss (productivity time) per intrusion within a set time period (weekly or per reporting period).
Measurement - 3: Amount of downtime or productivity loss caused by intrusion incidents.
[Dashboard charts]
Chart: Number of Resolved Major and Catastrophic Incidents Over Time (axis: # of Resolved Major and Catastrophic Incidents)
Chart: Number of Major and Catastrophic Incidents Over Time (series: Major Incidents, Catastrophic Incidents)
Chart: Number of Resolved Major and Catastrophic Incidents
Chart: Average Time to Resolve Major and Catastrophic Incidents
Legend: >4<10 hrs/month/system productivity loss; >10hrs/month/system productivity loss
Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and
financial advisory services through more than 6,100 people in 47 offices. Deloitte operates in Québec
as Samson Bélair/Deloitte & Touche s.e.n.c.r.l. The firm is dedicated to helping its clients and its
people excel. Deloitte is the Canadian member firm of Deloitte Touche Tohmatsu.
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and
their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche
Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the
member firms is a separate and independent legal entity operating under the names "Deloitte,"
"Deloitte & Touche," "Deloitte Touche Tohmatsu," or other related names. Services are provided by
the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.
Member of Deloitte Touche Tohmatsu