Mobius Consulting assisted with improving the reporting of information security at a financial institution through the use of appropriate information security metrics and measurements at the Board and Executive levels. The primary objective of the engagement was to define the information security metrics and measurements, based on best practices, that should be used for effective reporting at these various levels.
In order to complete this engagement, Mobius used a practical approach to:
- Identify the groups of Board and Executive level stakeholders that require security reporting for the governance and oversight of information security and understand their reporting expectations.
- Recommend metrics and measurements that should be used at the various levels based on best practices.
- Engage with the relevant members of the Information Security team to determine functional reporting requirements based on the stakeholder requirements.
- Prioritise the information security reporting requirements.
- Keep the focus of the engagement on senior stakeholders' expectations rather than on operational-level reports. The stakeholder levels covered were:
  - Board level: reporting required by key corporate governance committees such as Exco;
  - Executive level: reporting required by IT Management and Information Security Management.
The end result: the client was able to adopt metrics that were "fresh-thinking" and fit for purpose.
They are now able to use meaningful information security reporting across the various levels for oversight, decision making and continuous improvement.
If you have any questions or would like to know more about the approach we used, please contact us.