05. Information Security Program Metrics Flashcards

1
Q

Information Security Program Metrics

A measurement of a periodic or ongoing activity intended to help management understand the activity within the context of overall business operations.

A

A Metric

226

2
Q

Information Security Program Metrics

Metrics are the means through which management can measure key processes and know…

A

whether their strategies are working

226

3
Q

Information Security Program Metrics

Security metrics can be used to observe technical IT security controls and processes to determine if they are operating properly. Examples include…

A
  1. Firewall Metrics: number and types of rules triggered
  2. IDS/IPS Metrics: number and types of incidents detected or blocked
  3. Antimalware Metrics: number and types of malware blocked
  4. Others: DLP systems, web content filtering, CASB etc.

226

4
Q

Information Security Program Metrics

The board of directors and executive management are not interested in technical metrics, but instead in metrics that demonstrate…

A

the effectiveness or alignment of the organisation's overall security program

226

5
Q

Information Security Program Metrics

Metrics associated with risk measurement

A

Key Risk Indicators
(KRI)

226

6
Q

Information Security Program Metrics

Metrics that portray the attainment of strategic goals

A

Key Goal Indicators
(KGI)

226

7
Q

Information Security Program Metrics

Metrics that show the efficiency or effectiveness of security related activities

A

Key Performance Indicators
(KPI)

226

8
Q

Monitoring

The continuous or regular evaluation of a system or control to determine its operation or effectiveness

A

Monitoring

227

9
Q

Monitoring

Monitoring generally includes 2 activities…

A
  1. Management review of certain qualitative aspects of an information security program
  2. Management review of key metrics to understand effectiveness, efficiency and performance

227

10
Q

Effective Metrics

For metrics to be effective, they need to be measurable. A SMART metric is…

A
  1. Specific
  2. Measurable
  3. Attainable
  4. Relevant
  5. Timely

227

11
Q

Effective Metrics

3 considerations for good metrics are…

A
  1. Leading indicator: does the metric predict future risk?
  2. Causal relationship: a causal relationship to business impact, where a change in the metric causes someone to act
  3. Influence: can the metric influence, or has it influenced, decision making?

227

12
Q

Strategic Alignment

A security program strategy and objectives should contain statements that…

A

can be translated into key measurements

Statements that can become the program's key performance and risk metrics

227

13
Q

Types of metrics

Multiple activities and events in an information security program and its controls can be measured. 11 key examples include…

A
  1. Compliance
  2. Convergence
  3. Value Delivery
  4. Resource Management
  5. Organisational Awareness
  6. Operational Productivity
  7. Organisational Support
  8. Risk Management
  9. Technical Security Architecture
  10. Operational Performance
  11. Security Cost Efficiency

228-231

14
Q

Types of metrics

A metric used to measure key controls related to requirements in regulations, legal contracts, or internal objectives

A

Compliance Metric

228

15
Q

Types of metrics

A metric that is highly individualised, based on specific circumstances in an organisation, and may include one or more of the following:

  1. Gaps in asset coverage
  2. Overlaps in asset coverage
  3. Consolidation of licences for security tools
  4. Gaps or overlaps in skills, responsibilities, or coverage

A

Convergence Metric

228

16
Q

Types of metrics

A metric focused on long-term reduction in costs in proportion to other measures

A

Value Delivery Metric

Organisations are cautioned against using only value delivery metrics, as this risks the security program shrinking to nothing: a program that costs nothing delivers the best metric

228/229

17
Q

Types of metrics

A metric that reflects the efficient use of resources in an organisation that has a focus on program efficiency

A

Resource Management Metric

Standardisation of security related processes
Percentage of assets protected by security controls

229

18
Q

Types of metrics

A metric that helps management understand the number of workers who understand security policies and requirements.

A

Organisational Awareness Metric

Percentage of employees who complete security training
Percentage of employees who acknowledge awareness of security policies

229

19
Q

Types of metrics

A metric which shows how efficiently internal staff are used to perform essential functions

A

Operational Productivity Metric

Number of hours required to perform a segregation of duties review

229

20
Q

Types of metrics

A metric that shows the degree of support for organisational objectives; it may often take the form of project and program dashboards

A

Organisational Support Metric

229

21
Q

Types of metrics

A metric that is the culmination of the highest-order activities in an information security program, for example, identifying a reduction in the number of security incidents, or a reduction in the impact of security incidents

A

Risk Management Metric

Reduction in the number of security incidents
Reduction in the impact of security incidents
Reduction in the time to remediate security incidents etc.
A security program that is maturing should expect to see at first an increase in incidents before a decrease

230

22
Q

Types of metrics

A metric that reflects the number of events that occur in automated systems such as firewalls, IDS/IPS systems, spam filters, and antimalware systems. Useful in raw form for the security manager, but additional context will need to be added before presenting to business management.

A

Technical Security Architecture Metric

Technical:
Number of attacks blocked by a firewall
For management:
Percentage of employees who responded to e-mail attacks

230

23
Q

Types of metrics

A metric that generally shows how well personnel are performing critical security functions, for example, measuring the elapsed time between the onset of a security incident and the incident being declared.

A

Operational Performance Metric

Elapsed time between onset of a security incident and incident declaration
Elapsed time between declaration of an incident and its containment

230

24
Q

Types of metrics

A metric that measures the resources required for key controls, for example the cost of antimalware controls per user, or cost of anti-phishing and antispam controls per user

A

Security Cost Efficiency Metric

Cost of antimalware controls per user
Cost of anti-phishing and antispam controls per user

231

25
Q

Audiences

When building or improving a metrics program, security managers need to consider…

A

the purpose of any particular metric and the audience to whom it is sent

231

26
Q

Return on Security Investment (ROSI)

A known issue when trying to demonstrate the benefits of return on security investments is that highly impactful security attacks are infrequent. As such…

A

Investments in information security controls may not have a noticeable effect

232

27
Q

Return on Security Investment (ROSI)

The obligation of one party to act in the best interest of another party; security controls are considered to be an organisation's responsibility under this obligation.

A

Fiduciary Responsibility

232

28
Q

Balanced Scorecard (BSC)

A tool used by management to measure an organisation's performance and effectiveness by determining how well the organisation can fulfil its mission and strategic objectives and how well it is aligned with overall organisational objectives

A

Balanced Scorecard
(BSC)

232

29
Q

Balanced Scorecard (BSC)

In a balanced scorecard, management defines key measurements in 4 perspectives

A
  1. Financial: cost of strategic initiatives, support costs, capital investment
  2. Customer: satisfaction rate of customer-facing aspects of the organisation
  3. Internal Processes: number of projects and their effectiveness
  4. Innovation and Learning: human measurements, e.g. turnover, illness, internal promotions, training

233

30
Q

Balanced Scorecard (BSC)

The security Balanced Scorecard should flow directly from the organisation's overall security BSC and IT-BSC. This will ensure…

A

security will align itself with corporate objectives

233