The Orange Parachute solution for Information Security Metrics is based on an unmatched methodology and tools that blend service delivery, risk management, and business management into a cohesive and simple framework to deliver metrics that matter.
Phase I: Current Status Assessment
The initial activity is to determine the current state of metrics and generate a comprehensive report and plan to give guidance on the structure and development of your security metrics program.
- Review existing information security metrics
- Review a sampling of existing reports
- Perform a Gap Analysis between existing and recommended metrics
- Create a roadmap to achieve continuous process improvement
Phase II: Developing the Information Security Metrics Reporting Framework
Once the current state of metrics has been identified, a strategy will be formulated that will define which metrics are to be reported. The framework will consist of clear Key Performance Indicators (KPIs) for the processes, technologies, and personnel involved and will also serve as a communication tool to develop the reporting structures, ensuring proper metrics reach the correct audience. The metrics will also generate annual goals for the program, such as "reducing insider threat", which turns into a host of KPIs for the managerial and operational resources.
- Map out existing processes for metrics definition
- Relate legal and regulatory requirements to definitive KPIs
- Establish Information Security Program goals
- Create reporting framework
- Establish reporting guidelines
- Establish a security metrics team
- Identify collection points and reporting mechanisms
Phase III: Implementation
Once the metrics framework has been developed, KPIs and Critical Success Factors have been defined, and the reporting process solidified, the program is ready for implementation. Orange Parachute leverages our methodology and framework and helps you to assess and leverage existing metrics software as the delivery vehicle for a comprehensive metrics program. This allows us to:
- Ensure that metrics are collected in an automated fashion
- Reduce the number of logical errors during metrics analysis
- Provide the ability to perform trend analysis against given program elements
- Ensure repeatable measurements
- Provide historical metrics data
- Make the collection, analysis, and communication of metrics quick, easy, and low cost
- Provide a mechanism to report metrics to parties who need to know by:
  - Providing a rules-based web portal
  - For-your-eyes-only scorecards
  - Summarized corporate barometers
