
Number of identified and assessed most significant risks with effective KRI for monitoring.

Effectiveness of support, consultation and risk mitigation solutions provided to the business and functional units.

Number of major security incidents and effective management of the incidents to reduce losses and customer impact.

Timely development and updating of information security policies, standards and procedures to comply with changes in regulations, emerging threats, and technologies.

Percentage of compliance with information security regulations.

Example 1: Percent (%) of reported cybersecurity incident investigations resolved within an organizationally defined timeframe.

Example 2: Number of system vulnerabilities exploited by threat actors.

Example 3: Accuracy of cybersecurity protection assets (e.g. intrusion detection systems, intrusion prevention systems, firewalls, etc.).

Example 1: Percentage (%) of system vulnerabilities for which patches have been
applied or that have been otherwise mitigated.

Example 2: Percentage (%) of system users who have completed the mandatory cybersecurity-related training.

Example 3: Time since the last organizational risk assessment was conducted.
