Security Metrics

This Rules/Policy document is provided to you and your organization as a starting point or maturity checkpoint for existing rules/policies. It is brought to you on behalf of Jim McConnell, Principal Owner, and Ask McConnell, LLC — A Converged Security Services Provider. The content is not meant to cover every circumstance, industry, law, regulation, contractual requirement, threat, environment, or risk, but it provides an easy, defendable, highly accountable starting point for any organization. Please consult with your legal counsel and insurance provider about added requirements. If you know of peers that you think would find value in these resources, please have them contact us. These will be updated on our website regularly. We are not legally protecting these documents; we just ask for credit, shout-outs, and referrals if you find them helpful. If you have recommended updates, we are all ears. And if you need Converged Security Consulting and Training, please reach out; we would be honored to serve you and your organization.

Jim McConnell  |  info@askmcconnell.com  |  askmcconnell.com

Security Metrics Policy

Updated: 3 May 2025

Protecting human lives is the highest requirement of our entire organization, whether they are employees, customers, volunteers, visitors, or part of our supply chain while under some nexus to our organization.

Note: Jim McConnell’s book, Converged Security Metrics, provides over 500 metrics that can be considered when implementing these rules/policies. Also note that some of these rules may discourage people from wanting to measure security — so get input from both the provider of the metrics and the audience of the metrics.

  • I will report security concerns, vulnerabilities, and threats to my supervisor or the organization’s Ethics Hotline; if they are unavailable and I feel unsafe, I will call law enforcement.
  • I will track, with statistics and metrics, all security functions under my management control.
  • I will equally manage statistics-based security reporting AND metrics-based security reporting to senior leadership.
  • I will measure both transactional/incident/event-type statistics and metrics, but also maturity-based security metrics.
  • I will not withhold security statistics or security metrics from senior leadership that can have a positive or negative impact on individuals, leadership, or the organization.
  • If I am pressured to withhold any security statistics or security metrics by leadership, I will report the issue to the organization’s Ethics Hotline, General Counsel, or a government whistleblower program.
  • I will verify that all data and information I use to create my security statistics and security metrics is checked for integrity issues before publishing.
  • I will verify that all data and information I provide to another group that is building, managing, or presenting security metrics has been checked for integrity issues before it is published or presented.
  • I will protect any legally sensitive metrics using the principle of least privilege.
  • All presentations of statistics and metrics will be annotated with a fully transparent scope statement and any known integrity issues.

Signature Note: I am a huge fan of wet signatures on these types of documents for accountability and investigation reasons. You can add the signature lines below to each rule/policy document, or have a collective wet signature with references in the Security Commitment Agreement document available on the One-Pager library page. Organizational preference.

________________________
Print Full Legal Name

________________________
(Blue Ink) Full Legal Signature
Style of signature must closely match Driver’s License

________________________
Date
