Domain 6 of 8 · Chapter 3 of 5

Security Process Data

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • Why collect process data: measurement for oversight
  • KPIs vs KRIs: leading and lagging indicators
  • The data sources: accounts, backups, training, DR/BC
  • Management review and continuous monitoring

KPI vs KRI vs activity measure

AspectKPIKRIActivity/implementation measure
Question it answersIs the control meeting its objective?Is our exposure rising toward a loss?Was the work done?
Time orientationMostly lagging (what happened)Leading (what is coming)Point-in-time effort
Tied to a thresholdTarget/SLA to compare againstEscalation threshold that trips an alertUsually just a count
ExampleMean time to detect; % access reviews on timeClimbing unpatched-critical count; dormant accounts# scans run; % training completed
What it provesControl performanceForecast risk before impactActivity, NOT effectiveness

Decision tree

Does the number prove anoutcome changed?No, just effortYesActivity / implementationtraining completed, scans run;NOT effectivenessForecast rising exposure,or report past performance?ForecastPastKRI (leading)unpatched-critical count rising;tied to escalation thresholdKPI (lagging)mean time to detect; % accessreviews on time; vs a targetClaiming recoverability?backup or DR/BC evidenceRequire a tested restore / DR exercise result vs RTO/RPO, not a successful backup job or a written plan

Cheat sheet

  • Security process data is evidence for oversight, not the act of running a control
  • A metric is a measure compared to a target; raw operational data alone decides nothing
  • Good indicators are SMART so the same data yields the same number
  • KPIs measure control performance and are usually lagging
  • KRIs forecast rising risk and are leading indicators tied to an escalation threshold
  • Leading vs lagging is the KPI/KRI discriminator the exam turns on
  • Activity measures count effort; effectiveness measures prove the outcome changed
  • Awareness effectiveness is measured by behavior change, not attendance
  • Account-management data demonstrates least privilege is maintained over time
  • Backup verification means a tested restore, not a successful backup job
  • DR/BC test fidelity rises from checklist to tabletop to parallel to full-interruption
  • DR/BC test data is measured against the BIA's RTO and RPO targets
  • Management review and approval records are themselves collected oversight data
  • Continuous monitoring (ISCM) shortens the gap between knowing and acting
  • Metrics roll up from operational to program to board level
  • Privilege creep is accumulated access from role changes left un-revoked

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. NIST SP 800-55 Vol. 1, Measurement Guide for Information Security: Identifying and Selecting Measures Whitepaper
  2. NIST SP 800-53 Rev. 5, Security and Privacy Controls (AC-2 Account Management) Whitepaper
  3. NIST SP 800-50 Rev. 1, Building a Cybersecurity and Privacy Learning Program Whitepaper
  4. NIST SP 800-137, Information Security Continuous Monitoring (ISCM) Whitepaper