Report on the percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been adequately mitigated.

UCF ID: 02060
Control Type: Actionable Reports or measurements
Status: Live
Metric guidance

Calculation: The calculation for this metric is (# of information security risks related to systems architecture identified in the most recent risk assessment that have been adequately mitigated) / (# of information security risks related to systems architecture identified in that same risk assessment), expressed as a percentage. Both counts must come from the same risk assessment; if the denominator is zero, the metric is not applicable for that reporting period rather than 100%.

Calculation source: No authority document specifies the formula. The following formula was used: the number of systems architecture risks whose mitigation reduces the identified risk to an acceptable level, divided by the number of information security risks related to systems architecture identified in the most recent risk assessment, computed for each business unit (or for the organization as a whole).

The Common Control IDs associated with this metric are as follows:

    Establish and maintain a risk action plan based on the risk assessment findings. [UCF Control ID 00705]
    Prioritize and select safeguards based on the risk assessment findings. [UCF Control ID 00707]

Supporting and supported controls

This control directly supports:

    Establish and maintain an information systems architecture metrics program. [UCF Control ID 02059]

There are no supporting controls.

Authority documents complied with:

CISWG Information Security Program Elements, January 10, 2005, ISPE14.1; IIA Global Technology Audit Guide (GTAG): Information Technology Controls, § 18.2

US Federal Security Guidance

The organization must measure and report on the percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been adequately mitigated. [ISPE14.1, CISWG Information Security Program Elements, January 10, 2005]

General Guidance

The purpose of this measurement is to determine the percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been adequately mitigated. [§ 18.2, IIA Global Technology Audit Guide (GTAG): Information Technology Controls]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.