ISMS, IT Key Performance Indicators
Corporate Function - IT
Author
Owner
Organization
Approver
Document ID
Document location
Change History
Version Status Date Author Owner Reviewed by Reviewed date Approver Approval date Description of changes
1.0 Draft
# Nokia internal use
Key Performance Indicators: objectives (S. No, KPI, Information Security Objective, Functional Objective, Objective of Metrics)

1. Malware Protection on AWS
   Information Security Objective: To protect Authbridge’s information assets through safeguarding its confidentiality, integrity and availability.
   Functional Objective: To protect the Cloud from malicious software/viruses. Authbridge information systems, data and utilities are appropriately secured from unauthorised changes and are accurate and available when needed. Appropriate restriction is maintained on disclosure of information and access to individuals based on responsibilities.
   Objective of Metrics: Measures the percentage of malware protection controls operating effectively on AWS. Measurement criteria include:
     1. Malware scanning software current version installed on the servers
     2. Up-to-date malware virus definitions (within 2 calendar days of release)
     3. Malware scans performed (at least every 7 calendar days)
     4. Detected malware removed (within 3 calendar days of detection)

2. Malware Protection on Workstations
   Information Security Objective: To protect Authbridge’s information assets through safeguarding its confidentiality, integrity and availability.
   Functional Objective: To protect the Workstations from malicious software/viruses.
   Objective of Metrics: Measures the percentage of malware protection controls operating effectively on AWS. Measurement criteria include:
     1. Malware scanning software current version installed on the servers
     2. Up-to-date malware virus definitions (within 2 calendar days of release)
     3. Malware scans performed (at least every 7 calendar days)
     4. Detected malware removed (within 3 calendar days of detection)

3. Business Continuity and Disaster Recovery: On-Time Remediation of Service Continuity Test Findings
   Information Security Objective: To ensure that Authbridge is able to continue and/or rapidly recover its business operations in the event of a detrimental information security incident.
   Functional Objective: To maintain continuity of Application/IT Services.
   Objective of Metrics: Measures the percentage of Service Continuity Test Findings in the Providers’ scope approved by Customer for remediation that were completed on time within the Measurement Period. Remediation of a Service Continuity Test Finding is deemed on time when the remediation is completed by the recorded due date. Defects are to be remediated within sixty (60) calendar days of identification, unless otherwise agreed.

4. DLP
   Information Security Objective: Ensure policies effectively block or flag data exfiltration attempts.
   Functional Objective: To keep track of security events.
   Objective of Metrics:
     1. Track total attempts to send sensitive data externally (email, web, USB, etc.).
     2. Count how many incidents were blocked or flagged by DLP policies.

5. On-Time Removal of Unauthorized Third Party Access
   Information Security Objective: To ensure accountability of user actions carried out using Authbridge information systems.
   Functional Objective: To prevent unauthorized third party access to Authbridge systems, services and network.
   Objective of Metrics: Measures the percentage of Unauthorized Third Party Connections that were removed on time within the Measurement Period. Note: Unauthorized Third Party Connections are to be removed within ten (10) calendar days of identification.

6. Admin Accounts Segregation of Duties
   Information Security Objective: To establish effective governance arrangements including accountability and responsibility for information security within Authbridge.
   Functional Objective: To ensure separation of duties among admin accounts.
   Objective of Metrics: Measures the percentage of privileged user accounts assessed within the measurement period that do not have domain administration rights (compliance).

7. Event Logging
   Information Security Objective: To implement mechanisms to ensure that all breaches of information security and suspected weaknesses are reported, investigated and followed by adequate action; to ensure accountability of user actions carried out using Authbridge information systems.
   Functional Objective: To ensure that monitored systems are sending logs in a compliant format.
   Objective of Metrics: Measures the percentage of nominated systems sending security event logs in the compliant format.

8. Review of Server Room Access Rights Sector 123
   Information Security Objective: To protect Authbridge’s information assets through safeguarding its confidentiality, integrity and availability.
   Functional Objective: To prevent unauthorized access to server rooms.
   Objective of Metrics: Measures the effectiveness of the monthly update of the list of users with access to server rooms.

9. Database (SQL)
   Information Security Objective: Up Time (Availability Management).
   Functional Objective: To maintain 100% DB availability.
   Objective of Metrics: Measures the effectiveness of DB uptime.

10. E Mail Management
   Information Security Objective: Up Time (Availability Management); Messaging Application availability.
   Functional Objective: To maintain 100% availability.
   Objective of Metrics: Measures the uptime of Emails.
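The four malware protection criteria for KPIs 1 and 2, evaluated per host with the sheet's own limits (2, 7 and 3 calendar days) and rolled up into the share of hosts meeting all four; this is an added example, not part of the Authbridge sheet, and the host names, scanner versions and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date

# Limits as stated in the KPI sheet (calendar days).
DEFINITION_AGE_DAYS = 2   # definitions installed within 2 days of release
SCAN_INTERVAL_DAYS = 7    # a scan at least every 7 days
REMOVAL_DAYS = 3          # detected malware removed within 3 days of detection

@dataclass
class Server:
    name: str
    scanner_version: str
    installed_defs_released: date   # release date of the definition set on the host
    last_scan: date
    detections: list = field(default_factory=list)   # (detected, removed-or-None) pairs

def criteria(server, as_of, current_version, latest_defs_released):
    """Pass/fail for the sheet's four criteria, for one server on one assessment day."""
    version_ok = server.scanner_version == current_version
    # Definitions are current if the host has the latest set, or the latest set
    # came out so recently that the 2-day installation window is still open.
    defs_ok = (server.installed_defs_released >= latest_defs_released
               or (as_of - latest_defs_released).days <= DEFINITION_AGE_DAYS)
    scan_ok = (as_of - server.last_scan).days <= SCAN_INTERVAL_DAYS
    removal_ok = all(
        (removed - detected).days <= REMOVAL_DAYS if removed
        else (as_of - detected).days <= REMOVAL_DAYS   # still open: inside the 3-day window?
        for detected, removed in server.detections)
    return {"version": version_ok, "definitions": defs_ok,
            "scan": scan_ok, "removal": removal_ok}

def malware_protection_kpi(servers, as_of, current_version, latest_defs_released):
    """A/B from the sheet: servers meeting all four criteria over servers assessed."""
    compliant = [s.name for s in servers
                 if all(criteria(s, as_of, current_version, latest_defs_released).values())]
    return len(compliant) / len(servers), compliant

# Constructed sample fleet (hypothetical hosts), assessed at month end.
AS_OF, CURRENT_VERSION, LATEST_DEFS_RELEASED = date(2024, 3, 31), "14.2", date(2024, 3, 27)
FLEET = [
    Server("web-1", "14.2", date(2024, 3, 27), date(2024, 3, 28)),
    Server("web-2", "14.2", date(2024, 3, 20), date(2024, 3, 28)),  # stale definitions
    Server("db-1", "14.1", date(2024, 3, 27), date(2024, 3, 30)),   # old scanner version
    Server("app-1", "14.2", date(2024, 3, 27), date(2024, 3, 20)),  # no scan for 11 days
    Server("app-2", "14.2", date(2024, 3, 27), date(2024, 3, 29),
           detections=[(date(2024, 3, 20), date(2024, 3, 26))]),   # removal took 6 days
    Server("app-3", "14.2", date(2024, 3, 27), date(2024, 3, 29),
           detections=[(date(2024, 3, 29), None)]),                # open, inside 3-day window
]
print(malware_protection_kpi(FLEET, AS_OF, CURRENT_VERSION, LATEST_DEFS_RELEASED))  # → 2 of 6: (0.333..., ['web-1', 'app-3'])
```

Each failing host carries its own reason in the `criteria` result, which is what a reviewer needs when the ratio lands below the monthly threshold.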
Key Performance Indicators: metrics, thresholds, frequency and measurement approach (the ISO Control Reference column is blank for these KPIs)

1. Malware Protection on Servers = A/B, where
   A = The number of Servers that meet all of the malware protection criteria within the Measurement Period.
   B = The total number of Servers assessed within the Measurement Period.
   Threshold: 1 (i.e. 100%). Frequency: Monthly. Measurement Approach: Percentage.

2. Malware Protection on Workstations = A/B, where
   A = The number of Workstations that meet all of the malware protection criteria within the Measurement Period.
   B = The total number of Workstations assessed within the Measurement Period.
   Threshold: >= 97.00%. Frequency: Monthly. Measurement Approach: Percentage.

3. On-Time Remediation of Service Continuity Test Findings = A/(B+C), where
   A = The number of Service Continuity Test Findings remediated on time within the Measurement Period.
   B = The total number of Service Continuity Test Findings remediated within the Measurement Period.
   C = The number of Service Continuity Test Findings remediated later than thirty (30) calendar days after the recorded due date within the Measurement Period.
   Threshold: >= 90.00%. Frequency: Quarterly. Measurement Approach: Percentage.

4. DLP = (Blocked or Flagged Attempts / Total Attempts) × 100%
   Threshold: >= 95.00%. Frequency: Monthly. Measurement Approach: Percentage.

5. On-Time Removal of Unauthorized Third Party Connectivity = A/(B+C), where
   A = The number of Unauthorized Third Party Connections removed on time within the Measurement Period.
   B = The total number of Unauthorized Third Party Connections removed within the Measurement Period.
   C = The number of Unauthorized Third Party Connections removed after the recorded due date, i.e. later than fifteen (15) calendar days from identification, within the Measurement Period.
   Threshold: >= 99.00%. Frequency: Monthly. Measurement Approach: Percentage.

6. Administration Accounts Separation of Duty Compliance = (A-B)/A, where
   A = Number of all Ecosystem Provider privileged user accounts.
   B = Number of Ecosystem Provider privileged user accounts that have domain administration rights.
   Threshold: >= 98.00%. Frequency: Monthly. Measurement Approach: Percentage.

7. Security Log Source Compliance = A/B, where
   A = Number of Customer nominated systems sending security event logs in the compliant format within the Measurement Period.
   B = The total number of Customer nominated systems assessed within the Measurement Period.
   Threshold: >= 99.00%. Frequency: Monthly. Measurement Approach: Percentage.

8. Review of Server Room Access Rights: duration between two successive reviews of users with server room access < 30 days.
   Threshold: NA. Frequency: Monthly. Measurement Approach: NA.

9. Database (SQL): metric formula not specified in the sheet.
   Threshold: >= 99.00%. Frequency: Monthly. Measurement Approach: not specified.

10. E Mail Management: metric formula not specified in the sheet.
   Threshold: >= 99.00%. Frequency: Monthly. Measurement Approach: not specified.
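The On-Time Remediation formula for KPI 3, implemented literally as A/(B+C) with the 30-day lateness rule from the metric definition and checked against the 90% threshold; this is an added example, not from the sheet, and the finding IDs, due dates and the assumed Q1 2024 measurement period are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

LATE_AFTER_DUE_DAYS = 30   # C counts findings remediated more than 30 days after the due date
TARGET = 0.90              # KPI threshold: >= 90.00%, measured quarterly

@dataclass
class Finding:
    finding_id: str
    due: date                   # recorded due date
    remediated: Optional[date]  # None while the finding is still open

def on_time_remediation_kpi(findings, period_start, period_end):
    """On-Time Remediation of Service Continuity Test Findings = A/(B+C), as the sheet defines it."""
    # Only findings remediated inside the Measurement Period are counted at all.
    in_period = [f for f in findings
                 if f.remediated and period_start <= f.remediated <= period_end]
    a = sum(1 for f in in_period if f.remediated <= f.due)   # remediated by the due date
    b = len(in_period)                                         # all remediated in the period
    c = sum(1 for f in in_period                               # remediated > 30 days late
            if (f.remediated - f.due).days > LATE_AFTER_DUE_DAYS)
    ratio = a / (b + c) if b + c else None                     # None: nothing to measure
    return {"A": a, "B": b, "C": c, "ratio": ratio,
            "meets_threshold": ratio is not None and ratio >= TARGET}

# Constructed sample findings (hypothetical IDs) for an assumed Q1 2024 measurement period.
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 3, 31)
FINDINGS = [
    Finding("SC-001", date(2024, 2, 15), date(2024, 2, 10)),   # on time
    Finding("SC-002", date(2024, 2, 15), date(2024, 2, 20)),   # 5 days late: in B only
    Finding("SC-003", date(2024, 1, 10), date(2024, 3, 1)),    # 51 days late: in B and in C
    Finding("SC-004", date(2024, 3, 20), date(2024, 3, 20)),   # closed on the due date: on time
    Finding("SC-005", date(2024, 3, 25), None),                # still open: not counted
    Finding("SC-006", date(2023, 12, 1), date(2023, 12, 28)),  # closed before the period
]

print(on_time_remediation_kpi(FINDINGS, PERIOD_START, PERIOD_END))
# → {'A': 2, 'B': 4, 'C': 1, 'ratio': 0.4, 'meets_threshold': False}
```

Because every finding counted in C is also counted in B, a remediation more than 30 days past its due date lowers the ratio twice; that is how the sheet's formula is written, so the two counts should be reported alongside the ratio.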
Key Performance Indicators (AWS Cloud): Information Security Objective, Metric, Threshold, Frequency, Measurement Approach, ISO Control Reference, Detailed Information Security Objective

1. Incident Response Time on AWS Cloud
   Information Security Objective: Ensure timely response to security incidents to minimize impact.
   Metric: Average response time to incidents on AWS Cloud (hours).
   Threshold: <= 2 hours. Frequency: Monthly.
   Measurement Approach: Calculate the average response time from detection to resolution.
   ISO Control Reference: A.16.1
   Detailed Objective: To ensure that all security incidents on the AWS cloud infrastructure are promptly identified, analyzed, and resolved within defined timelin

2. Vulnerability Remediation on AWS Instances
   Information Security Objective: Remediate vulnerabilities promptly to prevent exploitation.
   Metric: Percentage of vulnerabilities remediated within SLA.
   Threshold: >= 95%. Frequency: Monthly.
   Measurement Approach: Calculate remediated vulnerabilities / total identified vulnerabilities.
   ISO Control Reference: A.12.6
   Detailed Objective: To identify and remediate vulnerabilities in AWS cloud instances in accordance with defined SLAs, reducing the attack surface and preventi

3. Backup and Restoration Success Rate
   Information Security Objective: Ensure data availability through successful backups and restorations.
   Metric: Percentage of successful backups and restorations.
   Threshold: >= 98%. Frequency: Monthly.
   Measurement Approach: Calculate successful backups or restorations / total attempts.
   ISO Control Reference: A.12.3
   Detailed Objective: To ensure regular backups of critical data and successful restorations during testing or actual incidents, thereby maintaining data integrity

4. Access Control Compliance on AWS
   Information Security Objective: Maintain strict access control to protect sensitive information.
   Metric: Percentage of users with access levels compliant with policies.
   Threshold: 1 (i.e. 100%). Frequency: Quarterly.
   Measurement Approach: Evaluate access control levels against policy-defined standards.
   ISO Control Reference: A.9.1
   Detailed Objective: To restrict unauthorized access to AWS resources and maintain compliance with access control policies, ensuring that only authorized pers

5. Audit Log Monitoring on AWS
   Information Security Objective: Ensure all audit logs are monitored to detect and respond to anomalies.
   Metric: Percentage of audit logs reviewed within defined intervals.
   Threshold: >= 95%. Frequency: Monthly.
   Measurement Approach: Review logs processed against total audit logs within the period.
   ISO Control Reference: A.12.4
   Detailed Objective: To ensure regular monitoring of AWS audit logs for unusual activities or security threats, enabling quick detection and mitigation of any po

6. Patch Management Compliance on AWS Instances
   Information Security Objective: Ensure timely application of patches to reduce risk exposure.
   Metric: Percentage of instances patched within SLA.
   Threshold: >= 95%. Frequency: Monthly.
   Measurement Approach: Assess patched instances / total instances in scope.
   ISO Control Reference: A.12.6
   Detailed Objective: To maintain updated patches on all AWS instances, addressing security vulnerabilities promptly to mitigate risks and comply with organiza

7. Data Encryption Coverage for AWS Storage
   Information Security Objective: Protect data in storage with robust encryption mechanisms.
   Metric: Percentage of AWS storage encrypted.
   Threshold: 1 (i.e. 100%). Frequency: Quarterly.
   Measurement Approach: Assess encrypted storage / total storage instances.
   ISO Control Reference: A.10.1
   Detailed Objective: To safeguard sensitive data stored on AWS by ensuring robust encryption mechanisms are implemented and verified, protecting against u

8. Cloud Security Configurations Compliance
   Information Security Objective: Ensure compliance with security configurations to reduce misconfigurations.
   Metric: Percentage of AWS resources compliant with security baselines.
   Threshold: >= 95%. Frequency: Quarterly.
   Measurement Approach: Evaluate compliant resources / total resources.
   ISO Control Reference: A.14.2
   Detailed Objective: To ensure all AWS resources are configured according to predefined security baselines, reducing misconfigurations that could expose the o

9. Firewall Rule Review and Updates
   Information Security Objective: Ensure firewall rules are up to date and reduce risks from obsolete configurations.
   Metric: Percentage of firewall rules reviewed and updated within SLA.
   Threshold: >= 90%. Frequency: Quarterly.
   Measurement Approach: Review and update firewall rules / total rules within the defined interval.
   ISO Control Reference: A.13.1
   Detailed Objective: To ensure that AWS firewall rules are periodically reviewed and updated to address new security requirements and remove obsolete confi

10. IAM Role Misuse Detection
   Information Security Objective: Detect and prevent misuse of IAM roles to protect privileged accounts.
   Metric: Percentage of detected misuse events addressed within SLA.
   Threshold: >= 95%. Frequency: Monthly.
   Measurement Approach: Detect misuse events addressed / total misuse events identified.
   ISO Control Reference: A.9.2
   Detailed Objective: To detect and mitigate any misuse or unauthorized activities associated with IAM roles, maintaining the integrity of privileged account acti

11. S3 Bucket Misconfiguration Rate
   Information Security Objective: Ensure secure configuration of S3 buckets to prevent data exposure.
   Metric: Percentage of S3 buckets compliant with security configurations.
   Threshold: >= 95%. Frequency: Monthly.
   Measurement Approach: Assess compliant S3 buckets / total buckets.
   ISO Control Reference: A.12.6
   Detailed Objective: To identify and resolve misconfigurations in S3 buckets that may lead to unintentional exposure of sensitive information.

12. Network Traffic Monitoring and Anomaly Detection
   Information Security Objective: Monitor network traffic to detect and respond to anomalies effectively.
   Metric: Percentage of anomalies detected and responded to within SLA.
   Threshold: >= 90%. Frequency: Monthly.
   Measurement Approach: Monitor anomalies detected and responded / total detected anomalies.
   ISO Control Reference: A.12.4
   Detailed Objective: To monitor AWS network traffic for unusual patterns or potential threats and respond promptly to minimize the risk of network-based atta

13. Multi-Factor Authentication (MFA) Compliance
   Information Security Objective: Ensure all user accounts have MFA enabled for enhanced security.
   Metric: Percentage of accounts with MFA enabled.
   Threshold: 1 (i.e. 100%). Frequency: Monthly.
   Measurement Approach: Assess accounts with MFA enabled / total accounts.
   ISO Control Reference: A.9.4
   Detailed Objective: To enhance user authentication security by enforcing multi-factor authentication across all accounts accessing AWS resources.

14. AWS Security Groups Compliance
   Information Security Objective: Ensure AWS Security Groups are configured as per defined standards.
   Metric: Percentage of Security Groups compliant with policies.
   Threshold: >= 95%. Frequency: Quarterly.
   Measurement Approach: Evaluate compliant Security Groups / total Security Groups.
   ISO Control Reference: A.13.1
   Detailed Objective: To ensure AWS Security Groups are properly configured to minimize exposure and adhere to the organization’s defined security policies

15. API Gateway Security Compliance
   Information Security Objective: Ensure secure configurations and access control for API Gateway.
   Metric: Percentage of API Gateways compliant with security standards.
   Threshold: >= 95%. Frequency: Quarterly.
   Measurement Approach: Assess compliant API Gateways / total API Gateways.
   ISO Control Reference: A.13.2
   Detailed Objective: To verify that API Gateways are securely configured, preventing unauthorized access and ensuring secure communication of application in

16. EBS Snapshot Validation and Recovery
   Information Security Objective: Validate EBS snapshots for integrity and test restoration processes.
   Metric: Percentage of successful recovery tests for EBS snapshots.
   Threshold: >= 98%. Frequency: Quarterly.
   Measurement Approach: Assess successful EBS snapshot recoveries / total recoveries tested.
   ISO Control Reference: A.12.3
   Detailed Objective: To validate the integrity of EBS snapshots and conduct regular recovery tests to ensure that data restoration processes function effectively

17. Cloud Asset Inventory Accuracy
   Information Security Objective: Maintain an accurate inventory of all AWS resources for security tracking.
   Metric: Percentage of resources accurately inventoried.
   Threshold: 1 (i.e. 100%). Frequency: Quarterly.
   Measurement Approach: Evaluate accurate inventory items / total items in inventory.
   ISO Control Reference: A.8.1
   Detailed Objective: To maintain an up-to-date and accurate inventory of AWS cloud assets, facilitating effective security management and compliance tracking

18. Resource Tagging Policy Compliance
   Information Security Objective: Ensure all AWS resources comply with the defined tagging policy.
   Metric: Percentage of resources compliant with tagging policies.
   Threshold: >= 95%. Frequency: Monthly.
   Measurement Approach: Evaluate resources compliant with tagging policies / total resources.
   ISO Control Reference: A.8.1
   Detailed Objective: To ensure all AWS resources are tagged appropriately as per the organization’s policy, enabling efficient resource tracking and managem

19. Container Security on AWS (ECS/EKS)
   Information Security Objective: Secure containerized workloads on AWS against vulnerabilities.
   Metric: Percentage of containerized workloads meeting security standards.
   Threshold: >= 95%. Frequency: Quarterly.
   Measurement Approach: Evaluate containerized workloads meeting security standards / total workloads.
   ISO Control Reference: A.14.1
   Detailed Objective: To implement security controls for containerized workloads on AWS ECS/EKS to protect against container-specific vulnerabilities.

20. Lambda Function Security Compliance
   Information Security Objective: Ensure compliance of Lambda functions with security best practices.
   Metric: Percentage of Lambda functions compliant with security standards.
   Threshold: >= 95%. Frequency: Monthly.
   Measurement Approach: Assess compliant Lambda functions / total Lambda functions.
   ISO Control Reference: A.14.2
   Detailed Objective: To ensure all Lambda functions comply with the organization’s security standards, protecting serverless workloads from potential risks.