Template for an Information Security Measure Measure Identification Measure Name Numerical Identifier Control Objective Control 1 Control

2 Purpose of Measure Reviewer Objects of Measurement and Attributes Object of Measurement Attributes Base Measure Specification (for each base measure [2.n]) Base Measures

Measurement Methods Scale Derived Measure Specification Derived Measure Measurement Function Scale Indicator Speicifcation Indicator Description and Sample

Analytical Model Decision Criteria Indicator Interpretation Effects / Impact Causes of deviation

Positive Values

Reporting Formats Data Collection Procedure (Complete this section for each base measure) Frequency of Data Information Owner Information Collector Tools Used in Data Collection Repository for Collected Data Collection Date Data-record Procedure Measure valid upto Period of Analysis Data Analysis Procedure (for each Indicator) Frequency of Data Reporting Information Communicator Source of Data for Analysis Tools used in Analysis Information Client Additional Information Additional Analysis Guidance Implementation Considerations

Template for an Information Security Measure

ion

Measure Name Unique organization-specific numerical identifier Control Objective under measurement Optional: control under measurement Optional: further controls within the grouping included in the same measure, if applicable Describes the reasons for introducing the measure Person or organizational unit that reviews and validates that the measure evaluation criteria are appropriate for verifying the effectiveness of controls and ISMS processes ment and Attributes The object (entity) that is to be measured and is characterized through the measurability of its attributes. Objects may include processes, systems, or system components Property or characteristic of an object of measurement that can be distinguished quantitatively or qualitatively by human or automated means

ification (for each base measure [2.n]) A base measure is defined in terms of an attribute and the specified measurement method for quantifying it (e.g., number of trained personnel, number of sites, cumulative cost to date). As data is collected, a value is assigned to a base measure Logical sequence of operations used in quantifying an attribute with respect to a specified scale Ordered set of values or categories to which the base measure's attribute is mapped pecification A measure that is derived as a function of two or more base measures Logical sequence of operations used to calculate the derived measure. For derived measures, the measurement function by which the derived measures are aggregated based on corresponding base measures and resulting cumulative precision The ordered set of values or categories that are used in the dereived measure ion A display of one or more measures (base and derived) that provides an estimate or evaluation of spefied attributes derived from an analytical model with respect to defined information needs. An indicator is often displayed as a graph or chart. Include a sketch of the indicator Algorithm or calculation combining one or more base and/or derived measures with associated decision critiria Threshold, target, or pattern used to determine the need for action or further investgation, or to descripbe the level of contifency in a given result A description of how the sample indicator (see sample figure in indicator description) should be interpreted. Definition of the effects and impact derived as a consequence of the results obtained by the measure Definition of possible causes of deviations in the results obtained

Statement explaining whether increasing values indicate positive values (good result) or whether decreasing values are to the taken to indicate positive processes, Reporting formats should be identified and documented. Describe the observations that the organization or owner of the information may want on record. Report formats will visually depict the measures and provide a verbal explanation of the indicators. Reporting formats should be customized to the information customer. cedure (Complete this section for each base measure) How often data is collected Person or organizational unit that owns the information about objects of measurement and attributes used to create base measures and is responsible for the measurement The person or organizational unit responsible for collecting, recording and storing the data List any tools used to collect the data List any tools where data is stored after it is collected Date the data should be obtained. Defines the data record procedures Date of revision (expiry or renovation of measure validity) Defines the period being measured dure (for each Indicator) How often data is reported (this may be less frequent than it is collected. The person or organizational unit responsible for analyzing data and reporting the results, List any sources of data for this analysis List any tools used for analysis (e.g., statistical mode) Person or organizational unit requesteing and requiring the measures in support of their business functions Provide any additional guidance on varitioins of this measure. List any process or implemention requirements that are necessary for successful impementation

ion

Physical Entry Control

Measure Identification Measure Name Numerical Identifier Control or Control Objective Purpose of Measure Reviewer Objects of Measurement and Attributes Object of Measurement Attributes Base Measure Specification (for each base measure [2.n]) Base Measures

Measurement Methods

Scale

Indicator Speicifcation Indicator Description and Sample Analytical Model Decision Criteria Indicator Interpretation

Effects / Impact Causes of deviation Positive Values Reporting Formats Data Collection Procedure (Complete this section for each base measure) Frequency of Data

Information Owner Information Collector Tools Used in Data Collection Repository for Collected Data Collection Date Data-record Procedure Measure valid upto Period of Analysis Data Analysis Procedure (for each Indicator) Frequency of Data Reporting Information Communicator Source of Data for Analysis Tools used in Analysis Information Client Additional Information Additional Analysis Guidance

Implementation Considerations

Physical Entry Control

ion

Physical Entry Controls with Access Cards Organization Specific Control A.9.1.2 [27001:2005]. Physical entry controls. Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. To show the existence, extent and quality of the system used for access control Internal auditor / external auditor ment and Attributes Secure areas Identity Management Controls ification (for each base measure [2.n]) Physical Entry Controls with Access Cards Relative measurement method where each subset grade is a part of the grade above. Control the type of entry control system and inspect the following aspects: 1. Access control card system existence; 2. PIN code usage; 3. Log functionality; 4. Bio-metric authentication Ordinal: 0 - 5 0 There is no access control system 1 There is an access system where PIN Code (one factor system) is used for entry control 2 There is an access control card system where pass card (one factor system) is used for entry control 3 There is an access card system where pass card and PIN code is used for entry control 4 Previous + log functionality activated 5 Previous + PIN Code is replaced by biometric authentication (fingerprint, voice recognition, retina scanner etc.,)

ion

Progress Bars. Red until 0.8, Green between 0.8 and 1 Measures analysis Value 3 = Satisfactory Below 3 - Unsatisfactory, where (3 - actual grade = security gap), action efforts to be taken based on extent of security gap. Above 3 satisfactory with excellence, where grade may indicate over investment regarding issue measured. Increased risk of confidentiality breaches that may lead to theft and / or physical damage disturbing the operation. Lack of security awareness. Technical implementation defiencies Increasing values indicates better performance, However values above three may indicate an over investment Graphics cedure (Complete this section for each base measure) Yearly

Facility Manager Internal auditor / external auditor As indicated in the data-record procedure Database indicated in the data-record procedure dd-mmm-yyyy Organization Specific 12 Months 12 Months dure (for each Indicator) Yearly Internal Audit and Secutiry Management Collectede data repository Organization Specific Management Committee ion None Measure should be combined with interviews of co-workers regarding instructions to handle the access control systems. Note for the reader of this document: This example does not consider authentication for receiving a card or code nor how the facilities are designed for entering