IT Security Risk Assessment A Complete Guide - 2020 Edition. Gerardus Blokdyk
<--- Score
103. What is the scope of the IT security risk assessment work?
<--- Score
104. What are the rough order estimates on cost savings/opportunities that IT security risk assessment brings?
<--- Score
105. What are the IT security risk assessment use cases?
<--- Score
106. How is the team tracking and documenting its work?
<--- Score
107. How do you hand over IT security risk assessment context?
<--- Score
108. Has your scope been defined?
<--- Score
109. What IT security risk assessment services do you require?
<--- Score
110. What are the Roles and Responsibilities for each team member and its leadership? Where is this documented?
<--- Score
111. What would be the goal or target for an IT security risk assessment’s improvement team?
<--- Score
112. Has a high-level ‘as is’ process map been completed, verified and validated?
<--- Score
113. The political context: who holds power?
<--- Score
114. What is the definition of IT security risk assessment excellence?
<--- Score
115. How do you gather requirements?
<--- Score
116. How did the IT security risk assessment manager receive input to the development of an IT security risk assessment improvement plan and the estimated completion dates/times of each activity?
<--- Score
117. Will an IT security risk assessment production readiness review be required?
<--- Score
118. Have the customer needs been translated into specific, measurable requirements? How?
<--- Score
119. Is the current ‘as is’ process being followed? If not, what are the discrepancies?
<--- Score
120. Do you all define IT security risk assessment in the same way?
<--- Score
121. Has the IT security risk assessment work been fairly and/or equitably divided and delegated among team members who are qualified and capable to perform the work? Has everyone contributed?
<--- Score
122. What scope to assess?
<--- Score
123. What happens if IT security risk assessment’s scope changes?
<--- Score
124. Who is gathering information?
<--- Score
125. How do you manage changes in IT security risk assessment requirements?
<--- Score
126. Has the direction changed at all during the course of IT security risk assessment? If so, when did it change and why?
<--- Score
127. Has the improvement team collected the ‘voice of the customer’ (obtained feedback – qualitative and quantitative)?
<--- Score
128. When are meeting minutes sent out? Who is on the distribution list?
<--- Score
129. Is the team adequately staffed with the desired cross-functionality? If not, what additional resources are available to the team?
<--- Score
130. How do you gather the stories?
<--- Score
131. What is in the scope and what is not in scope?
<--- Score
132. What baselines are required to be defined and managed?
<--- Score
133. Is it clearly defined in and to your organization what you do?
<--- Score
134. How do you manage scope?
<--- Score
135. Is there a critical path to deliver IT security risk assessment results?
<--- Score
136. What system do you use for gathering IT security risk assessment information?
<--- Score
137. Are there different segments of customers?
<--- Score
138. How will variation in the actual durations of each activity be dealt with to ensure that the expected IT security risk assessment results are met?
<--- Score
Add up total points for this section: _____ = Total points for this section
Divided by: ______ (number of statements answered) = ______ Average score for this section
Transfer your score to the IT security risk assessment Index at the beginning of the Self-Assessment.
CRITERION #3: MEASURE:
INTENT: Gather the correct data. Measure the current performance and evolution of the situation.
In my belief, the answer to this question is clearly defined:
5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree