05. Information Security Program Metrics Flashcards
Information Security Program Metrics
A measurement of a periodic or ongoing activity intended to help management understand the activity within the context of overall business operations.
A Metric
226
Information Security Program Metrics
Metrics are the means through which management can measure key processes and know…
whether their strategies are working
226
Information Security Program Metrics
Security metrics can be used to observe technical IT security controls and processes to determine if they are operating properly. Examples include…
- Firewall metrics: number and types of rules triggered
- IDS/IPS metrics: number and types of incidents detected or blocked
- Antimalware metrics: number and types of malware blocked
- Others: DLP systems, web content filtering, CASB, etc.
226
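The raw counts above come from control logs, so a metrics program needs a small, repeatable step that turns event lines into "number and types of rules triggered / incidents blocked / malware blocked" per control. The following is an added example, not code from the original flashcards or any product: it parses a constructed, hypothetical key=value log format (the timestamp, control name and `rule=`/`action=` fields are assumptions, not a real vendor's schema), skips malformed lines rather than miscounting them, and returns per-control totals broken down by rule and by action.

```python
"""Added example: rolling raw control events up into technical security metrics.
The log format and sample lines below are constructed for illustration."""
import re
from collections import Counter, defaultdict

# Constructed sample events (hypothetical format: ISO timestamp, control, key=value pairs).
# The last line is deliberately malformed to show that it is skipped, not counted.
SAMPLE_EVENTS = """\
2024-05-01T08:00:01Z firewall rule=DENY-INBOUND-SMB action=block src=203.0.113.7
2024-05-01T08:00:05Z firewall rule=DENY-INBOUND-SMB action=block src=203.0.113.9
2024-05-01T08:01:10Z firewall rule=ALLOW-WEB action=allow src=198.51.100.4
2024-05-01T08:02:00Z ids rule=ET-SCAN-NMAP action=alert src=203.0.113.7
2024-05-01T08:02:30Z ips rule=SQLI-UNION action=block src=203.0.113.11
2024-05-01T08:03:00Z antimalware rule=Trojan.Generic action=quarantine host=WS-042
2024-05-01T08:03:40Z antimalware rule=Trojan.Generic action=quarantine host=WS-017
2024-05-01T08:04:00Z antimalware rule=EICAR-Test-File action=quarantine host=WS-001
this line is not a well-formed event and must not be counted
"""

# Require a real timestamp and a single-word control name so junk lines do not
# get counted under a bogus control.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<control>\w+) (?P<kv>.*)$"
)


def parse_event(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    fields["ts"] = m["ts"]
    fields["control"] = m["control"]
    return fields


def technical_metrics(text):
    """Return {control: {"total": n, "by_rule": Counter, "by_action": Counter}}.

    This is the security manager's raw view; the "by_rule" and "by_action"
    breakdowns are the "number and types" the card asks for.
    """
    metrics = defaultdict(
        lambda: {"total": 0, "by_rule": Counter(), "by_action": Counter()}
    )
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue  # malformed line: skip rather than attribute it to a control
        m = metrics[ev["control"]]
        m["total"] += 1
        m["by_rule"][ev.get("rule", "unknown")] += 1
        m["by_action"][ev.get("action", "unknown")] += 1
    return dict(metrics)


def top_rules(metrics, control, n=3):
    """Most frequently triggered rules for one control, as (rule, count) pairs."""
    return metrics.get(control, {"by_rule": Counter()})["by_rule"].most_common(n)


if __name__ == "__main__":
    result = technical_metrics(SAMPLE_EVENTS)
    for control, m in sorted(result.items()):
        print(f"{control}: {m['total']} events, by action {dict(m['by_action'])}")
        print(f"  top rules: {top_rules(result, control)}")
```

The per-rule counts are what an operator wants; for the business audience discussed later in these cards the same data would be reduced to a trend (blocked events per week, say) rather than shown as rule names.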
Information Security Program Metrics
The board of directors and executive management are not interested in technical metrics, but rather in metrics that demonstrate…
the effectiveness or alignment of the organisation's overall security program
226
Information Security Program Metrics
Metrics associated with risk measurement
Key Risk Indicators
(KRI)
226
Information Security Program Metrics
Metrics that portray the attainment of strategic goals
Key Goal Indicators
(KGI)
226
Information Security Program Metrics
Metrics that show the efficiency or effectiveness of security related activities
Key Performance Indicators
(KPI)
226
Monitoring
The continuous or regular evaluation of a system or control to determine its operation or effectiveness
Monitoring
227
Monitoring
Monitoring generally includes 2 activities…
- Management review of certain qualitative aspects of an information security program
- Management review of key metrics to understand effectiveness, efficiency and performance
227
Effective Metrics
For metrics to be effective, they need to be measurable. A SMART metric is…
- Specific
- Measurable
- Attainable
- Relevant
- Timely
227
Effective Metrics
3 considerations for good metrics are…
- Leading indicator: does the metric predict future risk?
- Causal relationship: a causal relationship to business impact, so that a change in the metric causes someone to act
- Influence: can the metric influence, or has it influenced, decision making?
227
Strategic Alignment
A security program's strategy and objectives should contain statements that…
can be translated into key measurements
Statements that can become the program's key performance and risk metrics
227
Types of metrics
Multiple activities and events in an information security program and its controls can be measured. 11 key examples include….
- Compliance
- Convergence
- Value Delivery
- Resource Management
- Organisational Awareness
- Operational Productivity
- Organisational Support
- Risk Management
- Technical Security Architecture
- Operational Performance
- Security Cost Efficiency
228-231
Types of metrics
A metric used to measure key controls related to requirements in regulations, legal contracts, or internal objectives
Compliance Metric
228
Types of metrics
A metric that is highly individualised, based on specific circumstances in an organisation, and may include one or more of the following:
- Gaps in asset coverage
- Overlaps in asset coverage
- Consolidation of licences for security tools
- Gaps or overlaps in skills, responsibilities, or coverage
Convergence Metric
228
Types of metrics
A metric that focuses on long-term reduction in costs in proportion to other measures
Value Delivery Metric
Organisations are cautioned against using only value delivery metrics, as this risks the security program being reduced to nothing: a program that costs nothing would deliver the best metric
228/229
Types of metrics
A metric that reflects the efficient use of resources in an organisation that has a focus on program efficiency
Resource Management Metric
Standardisation of security related processes
Percentage of assets protected by security controls
229
Types of metrics
A metric that helps management understand the number of workers who understand security policies and requirements.
Organisational Awareness Metric
Percentage of employees who complete security training
Percentage of employees who acknowledge awareness of security policies
229
Types of metrics
A metric which shows how efficiently internal staff are used to perform essential functions
Operational Productivity Metric
Number of hours required to perform a segregation of duties review
229
Types of metrics
A metric that shows the degree of support for organisational objectives; it often takes the form of project and program dashboards
Organisational Support Metric
229
Types of metrics
A metric that is the culmination of the highest-order activities in information security program delivery, for example a reduction in the number of security incidents, or a reduction in the impact of security incidents
Risk Management Metric
Reduction in the number of security incidents
Reduction in the impact of security incidents
Reduction in the time to remediate security incidents, etc.
A security program that is maturing should expect to see an increase in incidents at first (because detection improves) before a decrease
230
Types of metrics
A metric that reflects the number of events that occur in automated systems such as firewalls, IDS/IPS systems, spam filters and antimalware systems. Useful in raw form for the security manager, but additional context must be added before it is presented to business management.
Technical Security Architecture Metric
Technical:
Number of attacks blocked by a firewall
For management:
Percentage of employees who responded to e-mail attacks
230
Types of metrics
A metric that generally shows how well personnel are performing critical security functions, for example by measuring the elapsed time between the onset of a security incident and the incident being declared.
Operational Performance Metric
Elapsed time between onset of a security incident and incident declaration
Elapsed time between declaration of an incident and its containment
230
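The two elapsed-time measures on this card (onset to declaration, declaration to containment) are easy to state but easy to compute badly: open incidents have no containment time yet, and records where the declaration timestamp precedes the onset are data errors rather than negative performance. The block below is an added example, not code from the original flashcards; the incident records are constructed and the field names (`onset`, `declared`, `contained`) are assumptions for illustration. It computes both measures in hours, reports count, mean, median and maximum, and separates still-open incidents from rejected records instead of silently folding them into the averages.

```python
"""Added example: operational performance metrics from incident records.
Records are constructed for illustration; field names are assumptions."""
from datetime import datetime, timezone
from statistics import median

# Constructed incident records. INC-4 is still open (no containment time);
# INC-5 has a declaration before its onset, which is a data-quality error.
INCIDENTS = [
    {"id": "INC-1", "onset": "2024-03-01T02:10:00Z", "declared": "2024-03-01T06:40:00Z", "contained": "2024-03-01T09:10:00Z"},
    {"id": "INC-2", "onset": "2024-03-05T10:00:00Z", "declared": "2024-03-05T10:30:00Z", "contained": "2024-03-05T12:30:00Z"},
    {"id": "INC-3", "onset": "2024-03-09T22:00:00Z", "declared": "2024-03-10T01:00:00Z", "contained": "2024-03-10T13:00:00Z"},
    {"id": "INC-4", "onset": "2024-03-12T08:00:00Z", "declared": "2024-03-12T08:15:00Z", "contained": None},
    {"id": "INC-5", "onset": "2024-03-14T03:00:00Z", "declared": "2024-03-14T01:00:00Z", "contained": None},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('...Z') or return None for a missing value."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def elapsed_hours(start, end):
    return (end - start).total_seconds() / 3600.0


def summarize(values):
    """Count, mean, median and max of a list of durations (None when empty)."""
    if not values:
        return {"n": 0, "mean": None, "median": None, "max": None}
    return {
        "n": len(values),
        "mean": sum(values) / len(values),
        "median": median(values),
        "max": max(values),
    }


def operational_performance(incidents):
    """Compute time-to-declare and time-to-contain (hours) across incident records.

    Returns the two summaries plus the ids of incidents that are still open
    (declared but not yet contained) and of records rejected for bad ordering.
    """
    time_to_declare, time_to_contain, open_ids, rejected = [], [], [], []
    for inc in incidents:
        onset = parse_ts(inc.get("onset"))
        declared = parse_ts(inc.get("declared"))
        contained = parse_ts(inc.get("contained"))
        # An incident cannot be declared before it began, nor contained before
        # it was declared; such records are errors and are excluded, not averaged.
        if (onset is None or declared is None or declared < onset
                or (contained is not None and contained < declared)):
            rejected.append(inc["id"])
            continue
        time_to_declare.append(elapsed_hours(onset, declared))
        if contained is None:
            open_ids.append(inc["id"])  # still open: no containment time yet
        else:
            time_to_contain.append(elapsed_hours(declared, contained))
    return {
        "time_to_declare_h": summarize(time_to_declare),
        "time_to_contain_h": summarize(time_to_contain),
        "open": open_ids,
        "rejected": rejected,
    }


if __name__ == "__main__":
    report = operational_performance(INCIDENTS)
    for key in ("time_to_declare_h", "time_to_contain_h"):
        print(key, report[key])
    print("open:", report["open"], "rejected:", report["rejected"])
```

Reporting the median alongside the mean matters here: one slow-to-contain incident (INC-3 above) pulls the mean well above what most incidents experienced, and a management audience reading only the mean would draw the wrong conclusion about typical performance.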
Types of metrics
A metric that measures the resources required for key controls, for example the cost of antimalware controls per user, or cost of anti-phishing and antispam controls per user
Security Cost Efficiency Metric
Cost of antimalware controls per user
Cost of anti-phishing and antispam controls per user
231
Audiences
When building or improving a metrics program, security managers need to consider…
the purpose of any particular metric and the audience to whom it is sent
231
Return on Security Investment (ROSI)
A known issue when trying to demonstrate the benefits of return on security investments is that highly impactful security attacks are infrequent. As such…
Investments in information security controls may not have a noticeable effect
232
Return on Security Investment (ROSI)
The obligation of one party to act in the best interests of another party; implementing security controls is considered part of an organisation's responsibility of this kind.
Fiduciary Responsibility
232
Balanced Scorecard (BSC)
A tool used by management to measure an organisation's performance and effectiveness by determining how well it can fulfil its mission and strategic objectives, and how well it is aligned with overall organisational objectives
Balanced Scorecard
(BSC)
232
Balanced Scorecard (BSC)
In a balanced scorecard, management defines key measurements in 4 perspectives:
- Financial: cost of strategic initiatives, support costs, capital investment
- Customer: satisfaction rate of customer-facing aspects of the organisation
- Internal Processes: number of projects and their effectiveness
- Innovation and Learning: human measurements, i.e. turnover, illness, internal promotions, training
233
Balanced Scorecard (BSC)
The security Balanced Scorecard should flow directly from the organisation's overall BSC and IT BSC. This will ensure that…
security aligns itself with corporate objectives
233