Report on the percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been adequately mitigated

Status: Live

The organization will report on the percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been adequately mitigated. [UCF ID 02060]

Metric guidance

Calculation: The calculation for this metric is # of information security risks related to systems architecture identified in the most recent risk assessment that have been adequately mitigated / # of systems architecture information security risks.

Calculation source: No authority document source of information exists. The following formula was used: the number of system architecture risks that have been fixed enough to mitigate the identified risk divided by the number of security risks related to the systems architecture identified in the most recent risk assessment for each business unit (or the organization as a whole) .

The Common Control IDs associated with this metric are as follows:

Risk action plan in light of risk assessment findings [UCF Control ID 00705]

Safeguard selection and prioritization in light of risk assessment findings [UCF Control ID 00707]

Supporting and supported controls

This control directly supports:

Establish and maintain an information systems architecture metrics program [UCF Control ID 02059]

There are no supporting controls.

Authority documents complied with:

CISWG Information Security Program Elements, January 10,2005, ISPE14.1; IIA Global Technology Audit Guide (GTAG): Information Technology Controls, § 18.2

US Federal Security Guidance

The organization must measure and report on the percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been adequately mitigated. [ISPE14.1, CISWG Information Security Program Elements, January 10,2005]

General Guidance

The purpose of this measurement is to measure the percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately. [§ 18.2, IIA Global Technology Audit Guide (GTAG): Information Technology Controls]