Expert Advice Community

Controls measurement

Guest user Created:   Jul 12, 2019 Last commented:   Jul 12, 2019

For our ISO 27001 project we have acquired the document package from you. The two guidelines below list controls that the CISO should perform on a regular basis. Are there any examples and hints on how to measure them?

Expert
Rhand Leal Jul 12, 2019

Especially, what is meant in the Access Policy by "level of confusion responsibility for the implementation of this document"?

Acceptable Use Policy:
Validity and document management
This document is valid as of [date].
The owner of this document is [job title], who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
- number of incidents related to unacceptable or unauthorized use of information assets
- number of incidents related to inappropriate employee training or awareness programs

Access Control Policy:
Validity and document management
This document is valid as of [date].
The owner of this document is [job title], who must check and, if necessary, update the document at least once every six months.
When evaluating the effectiveness and adequacy of this document, the following must be considered:
- number of incidents related to unauthorized access to information
- delayed change of access rights in case of change or termination of employment / contract
- number of systems not included in this document
- level of confusion regarding responsibility for the implementation of this document

Answer:

Examples of how to measure these items are:
- Number of incidents related to unacceptable or unauthorized use of information assets: you must gather this information from the evaluation of recorded incidents (filled in the Incident Log).
- Number of incidents related to inappropriate employee training or awareness programs: you must gather this information from the evaluation of recorded incidents (filled in the Incident Log), compared to attendance lists from training and performed awareness activities (this way you can verify whether the people involved in an incident have participated or not in training and awareness).
- Number of incidents related to unauthorized access to information: you must gather this information from the evaluation of recorded incidents (filled in the Incident Log).
- Delayed change of access rights in case of change or termination of employment / contract: to evaluate this situation you must identify the changes or terminations of employment / contract performed by the HR team and track whether access changes were raised, and when they were implemented (this second piece of information will normally be found in the IT area and in the area responsible for physical access).
- Number of systems not included in this document: in this case you must compare the information in the inventory of access with the content of the access control policy.
- Level of confusion regarding responsibilities for the implementation of this document: in this case you must meet with the personnel involved in the implementation of this policy and ask for their feedback regarding the policy implementation (e.g., whether users requiring access know who to contact to ask for access to specific systems).

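The measurements described in the answer above are simple comparisons between a few records: the Incident Log, training attendance lists, HR change/termination events with the dates IT actually changed access, and the system inventory versus the policy's scope. The script below is an added example (not part of the forum post, the expert's answer, or the Advisera toolkit) that computes the four quantitative criteria from constructed sample records; all data, field names and the one-day revocation threshold are made up for illustration. The fifth criterion (level of confusion about responsibilities) comes from interviews and is not computed here.

```python
"""
Added example: computing the measurement criteria of the Acceptable Use
Policy and the Access Control Policy from simple records.
All records below are constructed for illustration only.
"""
from datetime import date

# Constructed Incident Log entries: id, category, person involved, date reported
INCIDENT_LOG = [
    {"id": "INC-001", "category": "unacceptable_use", "person": "alice", "date": date(2019, 3, 4)},
    {"id": "INC-002", "category": "unauthorized_access", "person": "bob", "date": date(2019, 4, 11)},
    {"id": "INC-003", "category": "unacceptable_use", "person": "carol", "date": date(2019, 5, 20)},
    {"id": "INC-004", "category": "malware", "person": "dave", "date": date(2019, 6, 2)},
]

# Constructed training attendance list: person -> date of last awareness training
TRAINING_ATTENDANCE = {"alice": date(2019, 1, 15), "bob": date(2019, 1, 15)}

# Constructed HR events (change or termination) with the date IT changed access
# (None means the access change has not been implemented yet)
HR_EVENTS = [
    {"person": "erin", "event": "termination", "effective": date(2019, 2, 1), "access_changed": date(2019, 2, 1)},
    {"person": "frank", "event": "role_change", "effective": date(2019, 3, 15), "access_changed": date(2019, 3, 22)},
    {"person": "grace", "event": "termination", "effective": date(2019, 5, 31), "access_changed": None},
]

# Constructed system inventory versus the systems the Access Control Policy covers
SYSTEM_INVENTORY = {"erp", "crm", "fileserver", "vpn", "hr-portal"}
POLICY_COVERED_SYSTEMS = {"erp", "crm", "fileserver", "vpn"}

# Hypothetical reporting date used for open (not yet implemented) access changes
REPORT_AS_OF = date(2019, 7, 12)


def count_incidents(log, category):
    """Number of Incident Log entries of the given category."""
    return sum(1 for inc in log if inc["category"] == category)


def incidents_without_training(log, attendance, categories=("unacceptable_use", "unauthorized_access")):
    """IDs of incidents (in the given categories) whose involved person had no
    awareness training on record before the incident date. This is the
    cross-check between the Incident Log and the attendance lists."""
    result = []
    for inc in log:
        if inc["category"] not in categories:
            continue
        trained_on = attendance.get(inc["person"])
        if trained_on is None or trained_on > inc["date"]:
            result.append(inc["id"])
    return result


def delayed_access_changes(events, as_of=REPORT_AS_OF, max_delay_days=1):
    """HR changes/terminations whose access change came more than max_delay_days
    after the effective date, or has not been done at all by as_of.
    Returns (person, delay in days) pairs; open items count up to as_of."""
    late = []
    for ev in events:
        done = ev["access_changed"]
        delay = ((done or as_of) - ev["effective"]).days
        if done is None or delay > max_delay_days:
            late.append((ev["person"], delay))
    return late


def systems_not_in_policy(inventory, covered):
    """Systems present in the inventory but not covered by the policy."""
    return sorted(inventory - covered)


def measurement_report(as_of=REPORT_AS_OF):
    """Collect the four quantitative criteria into one report."""
    return {
        "unacceptable_use_incidents": count_incidents(INCIDENT_LOG, "unacceptable_use"),
        "unauthorized_access_incidents": count_incidents(INCIDENT_LOG, "unauthorized_access"),
        "incidents_without_prior_training": incidents_without_training(INCIDENT_LOG, TRAINING_ATTENDANCE),
        "delayed_access_changes": delayed_access_changes(HR_EVENTS, as_of),
        "systems_not_in_policy": systems_not_in_policy(SYSTEM_INVENTORY, POLICY_COVERED_SYSTEMS),
    }


if __name__ == "__main__":
    for name, value in measurement_report().items():
        print(f"{name}: {value}")
```

The delay metric is the one worth automating: it needs the HR effective date and the IT (and physical access) completion date side by side, and an item that is still open should keep counting rather than silently disappear, which is why an unimplemented change is measured up to the reporting date.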
