CISA Exam Preparation | Information Security Program Status Report

Information Security Program Status Report


Question

When an information security manager presents an information security program status report to senior management, the MAIN focus should be:

Answers

Explanations


A. B. C. D.

A.

When presenting an information security program status report to senior management, the main focus should be on key performance indicators (KPIs).

KPIs are measurable values that demonstrate how effectively an organization is achieving its objectives. They are important because they provide insight into the performance of an organization's information security program, allowing senior management to make informed decisions and take corrective action when necessary.

Examples of KPIs that an information security manager might present in a status report:

  • Number of security incidents reported
  • Time to detect and respond to security incidents
  • Percentage of employees who have completed security awareness training
  • Compliance with relevant regulations and standards
  • Number of vulnerabilities identified and remediated
  • Availability and uptime of critical systems and applications

By presenting KPIs in a status report, an information security manager can provide senior management with a clear and concise view of the organization's security posture. This can help senior management make informed decisions regarding resource allocation, risk management, and overall security strategy.

Critical risks indicators are also important, but they are typically more focused on specific risks or threats rather than overall program performance. Net present value (NPV) is a financial metric used to assess the profitability of an investment, and is not directly relevant to information security program status reporting. Key controls evaluation may be included as part of a broader assessment of program performance, but it is not the primary focus of a status report.