Metrics and Compliance
Coding-Autopilot-System CI edited this page May 27, 2026 · 1 revision
| KPI | Target | Review cadence |
|---|---|---|
| Policy compliance rate (share of in-scope resources passing all applicable policies) | >= 95% | Weekly |
| Critical vulnerability MTTR (mean time to remediate) | <= 7 days | Monthly |
| High-severity incident MTTC (mean time to contain) | <= 4 hours | Per incident |
| Audit evidence completeness | 100% for in-scope controls | Quarterly |
| Detection coverage (MITRE ATT&CK) | >= 70% of relevant techniques | Quarterly |
- Alert triage SLO: P1 alerts acknowledged within 15 minutes
- Incident response SLO: P1 containment within 4 hours
- Policy drift remediation SLO: critical drift resolved within 24 hours
- Access review completion: 100% within review window
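The KPI and SLO targets above only mean something once the measurement rules are pinned down (are open criticals averaged into MTTR? is an unacknowledged P1 "pending" or "breached"? do out-of-scope detections count toward ATT&CK coverage?). The following is an added example, not code from this project, that evaluates four of the targets over constructed sample records; the record layouts, the `now` timestamp and the sample technique sets are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Targets taken from the KPI and SLO tables on this page.
CRITICAL_VULN_MTTR_TARGET = timedelta(days=7)
P1_ACK_SLO = timedelta(minutes=15)
P1_CONTAIN_SLO = timedelta(hours=4)
ATTACK_COVERAGE_TARGET = 0.70
POLICY_COMPLIANCE_TARGET = 0.95

UTC = timezone.utc


@dataclass
class Vuln:  # assumed record shape, not the project's schema
    vid: str
    severity: str
    opened: datetime
    closed: Optional[datetime]  # None means still open


@dataclass
class Alert:  # assumed record shape, not the project's schema
    aid: str
    priority: str
    raised: datetime
    acknowledged: Optional[datetime]
    contained: Optional[datetime]


def critical_mttr(vulns, now):
    """MTTR over critical findings that were actually closed.

    Open criticals are excluded from the mean (no remediation time yet) and
    surfaced as the oldest open age, so the KPI cannot be improved by simply
    never closing the slow ones."""
    closed = [v.closed - v.opened for v in vulns if v.severity == "critical" and v.closed]
    open_age = [now - v.opened for v in vulns if v.severity == "critical" and not v.closed]
    mean = sum(closed, timedelta()) / len(closed) if closed else None
    return {
        "mttr": mean,
        "meets_target": mean is not None and mean <= CRITICAL_VULN_MTTR_TARGET,
        "oldest_open": max(open_age, default=timedelta()),
    }


def _verdict(raised, done, slo, now):
    """met / breached / pending for one SLO clock.

    A missing timestamp is 'pending' only while the clock is still inside the
    SLO; once the SLO has elapsed with no timestamp it is a breach."""
    if done is not None:
        return "met" if done - raised <= slo else "breached"
    return "pending" if now - raised <= slo else "breached"


def p1_slo_report(alerts, now):
    """Per-alert verdicts for the P1 acknowledgement and containment SLOs."""
    return {
        a.aid: {
            "ack": _verdict(a.raised, a.acknowledged, P1_ACK_SLO, now),
            "contain": _verdict(a.raised, a.contained, P1_CONTAIN_SLO, now),
        }
        for a in alerts
        if a.priority == "P1"
    }


def attack_coverage(relevant, rules):
    """Share of relevant ATT&CK techniques hit by at least one detection rule.

    Techniques a rule covers that are not in the relevant set do not count, so
    padding the rule set with out-of-scope detections does not raise the KPI."""
    covered = relevant & set().union(*rules.values())
    ratio = len(covered) / len(relevant) if relevant else 0.0
    return {"coverage": ratio, "meets_target": ratio >= ATTACK_COVERAGE_TARGET,
            "gaps": sorted(relevant - covered)}


def policy_compliance_rate(results):
    """results: resource id -> True if every applicable policy passed."""
    if not results:
        return {"rate": 0.0, "meets_target": False}
    rate = sum(1 for ok in results.values() if ok) / len(results)
    return {"rate": rate, "meets_target": rate >= POLICY_COMPLIANCE_TARGET}


# Constructed sample data (not real findings or alerts); NOW is fixed so the
# numbers are reproducible.
NOW = datetime(2026, 5, 27, 13, 30, tzinfo=UTC)

SAMPLE_VULNS = [
    Vuln("V-1", "critical", datetime(2026, 5, 1, tzinfo=UTC), datetime(2026, 5, 4, tzinfo=UTC)),
    Vuln("V-2", "critical", datetime(2026, 5, 2, tzinfo=UTC), datetime(2026, 5, 13, tzinfo=UTC)),
    Vuln("V-3", "critical", datetime(2026, 5, 20, tzinfo=UTC), None),
    Vuln("V-4", "high", datetime(2026, 5, 3, tzinfo=UTC), datetime(2026, 5, 5, tzinfo=UTC)),
]

SAMPLE_ALERTS = [
    Alert("A-1", "P1", datetime(2026, 5, 27, 9, 0, tzinfo=UTC),
          datetime(2026, 5, 27, 9, 10, tzinfo=UTC), datetime(2026, 5, 27, 12, 0, tzinfo=UTC)),
    Alert("A-2", "P1", datetime(2026, 5, 27, 9, 0, tzinfo=UTC),
          datetime(2026, 5, 27, 9, 30, tzinfo=UTC), None),
    Alert("A-3", "P1", datetime(2026, 5, 27, 13, 20, tzinfo=UTC), None, None),
    Alert("A-4", "P2", datetime(2026, 5, 27, 8, 0, tzinfo=UTC), None, None),
]

RELEVANT_TECHNIQUES = {"T1078", "T1059", "T1566", "T1021", "T1003"}  # assumed scope
DETECTION_RULES = {  # assumed rule names; technique IDs are real ATT&CK IDs
    "suspicious-signin": {"T1078"},
    "encoded-powershell": {"T1059"},
    "phishing-attachment": {"T1566"},
    "password-spray": {"T1110"},  # valid technique, but outside the relevant set
}

POLICY_RESULTS = {**{f"res-{i}": True for i in range(19)}, "res-19": False}

if __name__ == "__main__":
    print(critical_mttr(SAMPLE_VULNS, NOW))
    print(p1_slo_report(SAMPLE_ALERTS, NOW))
    print(attack_coverage(RELEVANT_TECHNIQUES, DETECTION_RULES))
    print(policy_compliance_rate(POLICY_RESULTS))
```

On the sample data the critical MTTR lands exactly on the 7-day target while one critical has been open longer than that, A-2 breaches both P1 clocks (the containment breach is detected even though nothing has been recorded yet), A-3 is still pending, and coverage is 60% with T1003 and T1021 as the gaps. Whatever rules a team adopts, they should be written down next to the target in this table, because the same raw data gives a "green" or "red" KPI depending on them.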
| Control domain (ISO/IEC 27001:2022 Annex A) | Coverage |
|---|---|
| Access control (A.5.15-A.5.18) | Identity baseline, PIM, access reviews |
| Logging and monitoring (A.8.15-A.8.16) | Sentinel, Log Analytics, alert tuning |
| Incident management (A.5.24-A.5.28) | IR runbooks, NIST lifecycle, post-incident review |
| Change management (A.8.32) | Standard/normal/emergency change paths |
| Risk management (A.5.3) | Risk register, exception handling, residual risk acceptance |
Full mapping: 10-audit-readiness.md
Security domains covered (CISSP CBK domain names): Security and Risk Management, Asset Security, Security Engineering, IAM, Security Assessment and Testing, Security Operations, Software Development Security.
| Level | Description |
|---|---|
| 1 - Initial | Ad-hoc security, no repeatable processes |
| 2 - Managed | Policy-as-code exists, basic monitoring |
| 3 - Defined | RACI defined, KPIs tracked, SLOs in place |
| 4 - Measured | KPI trends reviewed, SLO breach triggers improvement |
| 5 - Optimizing | Threat-informed, automated remediation, proactive posture |