GOV-05.1: Key Performance Indicators (KPIs)

There is no evidence of a capability to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity and data protection program.

C|P-CMM1 is N/A, since a structured process is required to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity and data protection program.

C|P-CMM2 is N/A, since a well-defined process is required to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity and data protection program.

Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Statutory, regulatory and contractual compliance requirements for cybersecurity and data protection are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
• A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
• Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data protection.
• Controls are standardized across the organization to ensure uniformity and consistent execution.
• Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
• Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
• Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/ or service of which they have accountability.
• The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
• Risk management processes are defined, to include materiality considerations.

Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement.
• Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
• Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
• Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
• Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
• Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
• Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Cybersecurity & Privacy Governance (GOV) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
• Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.