UCF ID: 01680
Control Type: Actionable Reports or measurements
Status: Live
Metric guidance
Calculation: The calculation for this metric is # of staff who are assigned and acknowledge responsibilities for approved policies, standards, and procedures / # of staff who have responsibilities for policies, standards, and procedures.
Calculation source: No authority document source of information exists. The following formula was used: the number of staff members who have been officially assigned by management and who acknowledge their responsibilities for approved policies, standards, and procedures, divided by the number of staff members (of each business unit, or of the organization as a whole) with policies, standards, and procedures responsibilities.
The Common Control IDs associated with this metric are as follows:
- Establish and maintain policies and procedures for contracted staff. [UCF Control ID 00778]
- Require employees to acknowledge, in writing, that they have read and understand the organization's security policies. [UCF Control ID 01363]
- Establish and maintain operational roles and responsibilities. [UCF Control ID 00806]
Supporting and supported controls
This control directly supports:
- Establish and maintain a policies and controls metrics standard. [UCF Control ID 01666]
There are no supporting controls.
Authority documents complied with:
CISWG Information Security Program Elements, January 10, 2005, ISPE8.2; Performance Measurement Guide for Information Security, NIST 800-55, Revision 1, App A Measure 14; Guide for Developing Performance Metrics for Information Security, NIST SP 800-80, Table 16; IIA Global Technology Audit Guide (GTAG): Information Technology Controls, § 18.2
US Federal Security Guidance
The organization must measure and report on the percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls. [ISPE8.2, CISWG Information Security Program Elements, January 10, 2005]
NIST Guidance
The calculation for this metric should be stated as the # of users granted system access after signing the rules of behavior for the system / total # of users on the system. Use the number of users of each business unit (or of the organization as a whole) as the base number, and divide the number of users who were granted access to the system after they signed the rules of behavior by that base. [App A Measure 14, Performance Measurement Guide for Information Security, NIST 800-55, Revision 1]
This metric must be calculated using # of staff who are assigned and acknowledge responsibilities for approved policies, standards, and procedures / # of staff who have responsibilities for policies, standards, and procedures. [Table 16, Guide for Developing Performance Metrics for Information Security, NIST SP 800-80]
General Guidance
The purpose of this measurement is to report the percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls. [§ 18.2, IIA Global Technology Audit Guide (GTAG): Information Technology Controls]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
