Measure, Share, Compare.

ClearPoint provides secure, cloud-based IT security and compliance control monitoring.

In response to the passage of international, federal, and state regulations, organizations have adopted a more comprehensive, process-driven approach to formulate and execute their IT security strategy. Executives are now required to:
  • Establish, document, and communicate security program objectives, policies, and internal controls
  • Regularly evaluate effectiveness of internal controls
  • Identify deficiencies with internal controls and provide appropriate corrective action plans
  • Demonstrate compliance to standards, best practices, policies, and regulations
  • Regularly report internal control evaluation through the organization and to the governing body
  • Affirm internal control efficacy by a third-party auditor

A Security Metrics Program is the cornerstone of an effective governance strategy. Metrics affirm the existence, effectiveness, and efficiency of security controls. Scorecards provide the ability to communicate internal control performance to all stakeholders, as well as offering the insights needed for instituting corrective action plans. Used together, metrics and scorecards facilitate your governance program by creating a forum for continuous control monitoring that will reduce compliance audit cost while improving the performance of your internal controls.

Use Metrics to Demonstrate Compliance

Governance often stipulates that the organization must demonstrate the existence of internal controls to ensure the confidentiality, integrity, and availability of critical systems and information. But these rules and regulations do not explicitly identify how to demonstrate the presence of internal controls. Since you cannot measure an entity that does not exist, metrics represent an effective way to prove that your organization has internal controls in place. By implementing a Security Metrics Program, your organization can demonstrate hard facts and data that establish not only the existence but also the performance of internal controls.

Use Metrics to Evaluate Efficacy of Internal Controls

Internal controls are the collection of security processes defined by security policies or goals. The intent of internal controls is to provide well-defined procedures that ensure the effectiveness and efficiency of IT security operations. This allows continuous improvement to assure the confidentiality, integrity, and availability of business-critical systems, assets, and information.

The definition of "effectiveness" is context specific and is based upon a frame of reference. This frame of reference can be a benchmark, organizational goal, industry standard, or derived from past performance. Metrics provide organizations the means to evaluate the effectiveness of their internal controls by measuring performance and analyzing key performance indicators against this frame of reference. Based upon the analysis provided by metrics, executives can more accurately evaluate the effectiveness of their internal controls and identify deficiencies in internal controls. Using multiple metrics in conjunction, executives can analyze and project the impact that changes and improvements to internal controls would have on the organization's security posture.

The table below demonstrates how ClearPoint meets each of the above requirements:

Governance Requirement: Demonstrate establishment of internal controls
ClearPoint Solution: For a metric to exist there needs to be an entity for it to measure. The implementation of a metric indicates that there is an internal control in place.

Governance Requirement: Regularly evaluate effectiveness of internal controls
ClearPoint Solution: Metrics provide key indicators of performance against goals established for effectiveness and efficiency.

Governance Requirement: Identify deficiencies in internal controls and provide appropriate corrective action plans
ClearPoint Solution: Viewing metric results in a scorecard allows the organization to identify shortfalls and to understand the relationship between actions taken and results observed. This is precisely the insight needed to identify the adjustments needed to drive improvement.

Governance Requirement: Third-party auditor to affirm internal control efficacy
ClearPoint Solution: Metrics are atomic and transparent, allowing third-party auditors to evaluate internal controls independently.

Governance Requirement: Report evaluation of internal control efficacy and corrective actions
ClearPoint Solution: Scorecards provide the medium through which the state of internal controls is expressed. Annotation allows security managers to note plans to address deficiencies.