Compliance Metrics Catalogue
Search through our comprehensive library of KPIs and metrics designed by industry experts.
Approved exceptions that are not past due (Primary KPI)
Percentage of open and approved policy exceptions that have not exceeded their due dates.
Breakdown of responses for completed campaigns
Breakdown of compliant and noncompliant user responses for the last six completed phishing campaigns.
Breakdown of responses for in-progress campaigns
Breakdown of compliant versus noncompliant responses for in-progress phishing campaigns.
Closed Vulnerabilities — Mean Time to Remediate
For closed vulnerabilities, mean time to remediate by severity or other customer-specified criteria.
Compliance by Category
Breakdown of compliance by product Category.
Compliance by Category
Breakdown of compliance by customer-specified categories of privileged users, e.g., people with privileged access, service accounts with privileged access, privileged accounts not logged onto within 45 days, etc.
Compliance by Product
Breakdown of compliance by specific product.
Compliance by UAR type
The compliance percentage broken down by type of UAR, for example, reviews of privileged access, reviews of users of applications in scope for SOX, etc.
Configuration compliance by OS
Breakdown of compliance by Operating System.
Configuration compliance by device types
Breakdown of compliance by Device Type or Device Type Group. For example, policy exception compliance percentage for all laptops, or all end user devices.
Device Inventory Compliance
Percentage of devices that have complete information documented.
Devices Active on Non-CMDB Sources
Number of devices that are active on Non-CMDB sources but are not present in the CMDB.
Devices Missing Required Fields
Percent of devices that are missing required fields.
Devices compliant with secure hardening baselines (Primary KPI)
Percentage of devices that have a customer-specified level of compliance with the customer’s secure configuration baseline.
Devices compliant with expected security tools (Primary KPI)
Percentage of devices that have the expected coverage for customer-configured security product categories, such as EDR or Zero Trust, where the product is active within a customer-specified time period, such as 7 days, and running the expected version.
Devices with No Activity
Number of devices that have no recorded activity on Non-CMDB sources but are shown as active within the CMDB.
Exceptions approaching due date
Breakdown of policy exceptions into the following groups:
- Exceptions that have more than 100 days until their due date.
- Exceptions that have less than or equal to 100 days and more than 50 days until their due date.
- Exceptions due in 50 days or less.
Exceptions by state and due date
A graph for each policy risk level (e.g., critical, high, medium) showing these three statuses:
- Open and has not exceeded the due date (compliant, i.e., not past due)
- Open and has exceeded the due date (open and noncompliant)
- Closed
Logins using MFA as required (Primary KPI)
The percentage of all logins where MFA was required per customer security policy and MFA was used.
MFA compliance by application
Compliant and noncompliant MFA logons by application.
Number of vulnerabilities opened or closed recently
Number of vulnerabilities opened and closed within the past 7, 14, or 30 days.
Open Vulnerabilities — Within or exceeded SLA
For Open Vulnerabilities, graphs showing breakdown of number of days until the SLA is reached, and number of days past due if SLA exceeded.
Phishing simulation responses compliant with organizational policy (Primary KPI)
Percentage of the total number of emails sent in the last six phishing campaigns with a compliant response (did not open, opened but did not take a noncompliant action, or opened and reported as a phishing email).
Privileged accounts compliant with PAM policy (Primary KPI)
Percentage of customer-designated privileged users that are onboarded and managed by the customer’s Privileged Access Management solution.
Required assessment compliance by vendor risk classification
Table showing the assessments required for each vendor, whether they are up to date, and whether any are past due.
- Shows one row for each vendor classification level (tier), and one column for each assessment type.
Required fields compliance in vendor inventory
Breakdown of required fields as specified by the customer in their security policy.
- Shows one row for each customer-configured rule that checks if a field in the third-party system of record has an expected value.
- Shows one column for each vendor classification level (tier).
Security Training by due dates
Breakdown of security training coming due (e.g., due in 30 days, due in 60 days), and training that is past due.
Security Training completed by due dates (Primary KPI)
Percentage of customer-configured security training that was completed by its assigned due date out of all assigned security training. There can be multiple training courses being reported per staff member.
Security training compliance by training course
Breakdown of training compliance by customer-configured security training courses.
Third-party vendors compliance with TPRM policies (Primary KPI)
Percentage of active third parties that have all customer-specified required fields (e.g., owner, classification/tier, etc.) documented in the customer’s source of record and for which all necessary assessments are up to date.
UARs completed by due dates (Primary KPI)
Percentage of UARs out of the total number of required UARs that have been completed by their due date. This is measured over a customer-specified period so that the customer can align the reported status with an audit cycle. E.g., if the customer has a six-month cycle for their SOC 2 audits, the metric reports the compliance percentage for UARs over that six-month period.
User noncompliance with MFA
Users with the highest number of noncompliant MFA logons.
Vendors used by organization/department
Number of Vendors per Organization is a breakdown of which organizations within the customer’s enterprise make use of, or own the relationship with, each vendor.
Vendors within customer's risk classification levels (i.e., tiers)
Graph showing the number of third parties in each of the customer’s classification levels (i.e., tiers), such as critical, high, medium, etc.
Vulnerabilities compliance with SLA (Primary KPI)
Percentage of vulnerabilities that have been remediated within the customer’s SLA (usually based on vulnerability Severity) or that are still open but within SLA. If the customer does not have an SLA for certain vulnerabilities, such as those with Low Severity, they are not included in this calculation.