The use of Key Performance Indicators (KPIs) by Victorian Government departments and agencies is highly recommended. Their use is critical to ensuring that IT asset management is performed to a level that can maintain good cyber security. This guidance categorises KPIs into the following areas:
- IT Asset Identification
- IT Asset Vulnerability Identification
- IT Asset Lifecycle Management
- IT Asset Monitoring
- IT Asset Security Patching
- IT Asset Basic Security Controls
- IT Asset Disposal
Please contact the Cyber Security Branch at vicgov.ciso@dpc.vic.gov.au to access the resource WoVG IT Asset Management Cybersecurity KPIs for a comprehensive list of cybersecurity-related KPIs.
This list of KPIs includes a suggestion as to which role (“Example Responsible Party”) in your organisation is responsible for each KPI. Note that the naming of these roles may be different, and that multiple roles may be fulfilled by the same person. If a role has been outsourced to a third party, the relevant KPIs against that role should be included in the contract with the third party (it is recommended that penalty clauses with recoup opportunities be included to ensure that the third party strives to meet the KPIs on an ongoing basis). If a role is fulfilled by a Victorian Public Servant, the KPI should be written into their Performance Plan.
Note that there are different suggested Target Asset Coverage KPIs, and Minimum Process Frequencies for IT assets being managed at “AMAF level 3 Competence” and “AMAF level 4 Optimising” levels of maturity.
The initial focus of implementing KPIs should be visibility, i.e. an agency can start by measuring its processes against the KPIs to see where it currently stands, and to identify missing processes and insufficient resourcing.
The recommended target KPIs may be adjusted by the WoVG IT Asset Management Working Group over time, if there is consensus that they are too high or too low, or where compensatory controls are in place. These recommended target KPIs are currently not mandatory. The final decision as to which target KPIs are applicable to an agency, and how high they should be, should rest with the agency’s management and Audit and Risk Committee, and be based on risk.