<--- Score
121. Has the IT security risk assessment work been fairly and/or equitably divided and delegated among team members who are qualified and capable to perform the work? Has everyone contributed?
<--- Score
122. What scope to assess?
<--- Score
123. What happens if IT security risk assessment’s scope changes?
<--- Score
124. Who is gathering information?
<--- Score
125. How do you manage changes in IT security risk assessment requirements?
<--- Score
126. Has the direction changed at all during the course of IT security risk assessment? If so, when did it change and why?
<--- Score
127. Has the improvement team collected the ‘voice of the customer’ (obtained feedback – qualitative and quantitative)?
<--- Score
128. When are meeting minutes sent out? Who is on the distribution list?
<--- Score
129. Is the team adequately staffed with the desired cross-functionality? If not, what additional resources are available to the team?
<--- Score
130. How do you gather the stories?
<--- Score
131. What is in the scope and what is not in scope?
<--- Score
132. What baselines are required to be defined and managed?
<--- Score
133. Is it clearly defined in and to your organization what you do?
<--- Score
134. How do you manage scope?
<--- Score
135. Is there a critical path to deliver IT security risk assessment results?
<--- Score
136. What system do you use for gathering IT security risk assessment information?
<--- Score
137. Are there different segments of customers?
<--- Score
138. How will variation in the actual durations of each activity be dealt with to ensure that the expected IT security risk assessment results are met?
<--- Score
Add up total points for this section: _____ = Total points for this section
Divided by: ______ (number of statements answered) = ______ Average score for this section
Transfer your score to the IT security risk assessment Index at the beginning of the Self-Assessment.
CRITERION #3: MEASURE:
INTENT: Gather the correct data. Measure the current performance and evolution of the situation.
In my belief, the answer to this question is clearly defined:
5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree
1. What drives O&M cost?
<--- Score
2. How do your measurements capture actionable IT security risk assessment information for use in exceeding your customers' expectations and securing your customers' engagement?
<--- Score
3. How do you measure variability?
<--- Score
4. Have you included everything in your IT security risk assessment cost models?
<--- Score
5. How can you manage cost down?
<--- Score
6. How are costs allocated?
<--- Score
7. What does losing customers cost your organization?
<--- Score
8. Are the units of measure consistent?
<--- Score
9. Are the measurements objective?
<--- Score
10. What do people want to verify?
<--- Score
11. Are actual costs in line with budgeted costs?
<--- Score
12. What could cause you to change course?
<--- Score
13. How will your organization measure success?
<--- Score
14. What is the cause of any IT security risk assessment gaps?
<--- Score
15. What are allowable costs?
<--- Score
16. What are hidden IT security risk assessment quality costs?
<--- Score
17. Are you able to realize any cost savings?
<--- Score
18. Who pays the cost?
<--- Score
19. What harm might be caused?
<--- Score
20. Where is it measured?
<--- Score
21. Does the IT security risk assessment task fit the client’s priorities?
<--- Score
22. What is the total cost related to deploying IT security risk assessment, including any consulting or professional services?
<--- Score
23. How will costs be allocated?
<--- Score
24. What are the costs?
<--- Score
25. How do you verify and develop ideas and innovations?
<--- Score
26. How is performance measured?
<--- Score
27. What are the costs and benefits?
<--- Score
28. How will success or failure be measured?
<--- Score
29. How long to keep data and how to manage retention costs?
<--- Score
30. Did you tackle the cause or the symptom?
<--- Score
31. How do you aggregate measures across priorities?
<--- Score
32. How frequently do you track IT security risk assessment measures?
<--- Score
33. How do you quantify and qualify impacts?
<--- Score
34. What is measured? Why?
<--- Score
35. Which measures and indicators