GRC-Ready Metrics

GRC platforms are focused on efficiency. However, most GRC platforms offer no path to help a customer advance toward maturity. The Digital Security Program (DSP) can rapidly advance an organization to a high Capability Maturity Model (CMM) level of maturity, since the DSP comes with metrics, including recommended Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs).

Since a picture can be worth 1,000 words, the accompanying video describes the methodology we used to develop the DSP, so you can see examples of the hierarchy structure and overall flow of our documentation, including metrics.

Metrics: What Right Looks Like

The diagram shown below helps visualize the linkages in documentation that involve metrics:

  • CONTROL OBJECTIVES exist to support POLICIES
  • STANDARDS are written to support CONTROL OBJECTIVES
  • PROCEDURES are written to implement the requirements that STANDARDS establish
  • CONTROLS exist as a mechanism to assess/audit both the existence of PROCEDURES / STANDARDS and how well their capabilities are implemented and/or functioning
  • METRICS exist as a way to measure the performance of CONTROLS


2019 - CSOP - Cybersecurity Standardized