E- Monitoring Responsibilities and Metrics Flashcards
Monitoring Responsibilities
Helps an organization confirm that the correct jobs are being carried out in the right way.
Some tools of monitoring
- Controls and internal audit
- Metrics and reporting
- Work measurement
- Performance measurement
- 360 feedback
- Position benchmarking
360 feedback
Soliciting structured feedback from peers, subordinates, and management helps subjects and management better understand characteristics related to specific responsibilities.
What are metrics?
Means through which management can measure key processes and know whether their strategies are working
Security Metrics
Security metrics are often used to observe technical IT security controls and processes and to know whether they are operating properly.
They include metrics such as KRIs, KGIs, and KPIs.
Key risk indicators (KRIs)
Metrics associated with the measurement of risk.
Key Goal Indicators (KGIs)
Metrics that portray the attainment of strategic goals.
Key Performance Indicators (KPIs)
Metrics used to show efficiency or effectiveness of security-related activities.
When can metrics be effective?
They need to be measurable
SMART Method
Specific, Measurable, Attainable, Relevant, Timely.
SMART ensures the quality and effectiveness of a metric.
Other considerations for good metrics
- Leading indicator: Does the metric help management to predict future risk?
- Causal relationship: Does the metric have a defensible causal relationship to a business impact, where a change in the metric compels someone to act?
- Influence: Has the metric influenced decision-making (or will it)?
What should a security program strategy and objectives contain?
Statements that can be translated into key measurements: the key performance and risk metrics of the program.
How do you measure the success of a risk management program?
By indirect measurements like improving trends such as:
- Reduction in the number of security incidents.
- Reduction in the impact of security incidents.
- Reduction in the time to remediate vulnerabilities.
- Etc…
What should a security program that is IMPROVING its maturity from low levels first expect to see?
The number of incidents increase.
What should a security program that is IMPROVED and matures over time expect to see?
The number of new risks will, at first, increase and then later decrease.
What do performance measurement metrics of information security provide?
A view of tactical security processes and activities.
Performance measurement metrics can include
- Time to detect security incidents
- Time to remediate security incidents
- Time to provision user accounts
- Time to deprovision user accounts
- Time to discover vulnerabilities
On what do value delivery metrics focus?
On the long-term reduction of cost, in proportion to other measures.
Examples of value delivery metrics
- Controls used
- Percentage of controls that are effective
- Program costs per asset population or asset value
- Program costs per employee population
- Program costs per revenue.
What metrics should be used with caution?
Value delivery metrics. They should be used in combination with other metrics to avoid misleading results.
Resource management metrics
Similar to value delivery metrics, but with emphasis placed on program efficiency.
Balanced Scorecard
A management tool that is used to measure the performance, effectiveness and progress of an organization.
The Four perspectives of the Balanced Scorecard
1-Finance
2-Customer
3-Internal Processes
4-Innovation and learning
Business Model for Information Security (BMIS)
A guide for business-aligned, risk-based security governance.
Security Balanced Scorecard
Used to specifically measure security organization performance and results.
The Four perspectives of the Security Balanced Scorecard
Same as the Balanced Scorecard: 1-Finance 2-Customer 3-Internal Processes 4-Innovation and learning
From where is the security balanced scorecard derived?
From the organization's overall balanced scorecard and its IT balanced scorecard.
Why is the security balanced scorecard derived from the organization's overall balanced scorecard and its IT balanced scorecard?
To ensure that security aligns itself with corporate objectives.
ROSI: when is it easy to compute?
Return on security investment (ROSI) is easier to compute for events that occur more frequently.
Key perspectives in the Balanced Scorecard
- Financial
- Customer
- Internal process
- Innovation