Information Security Metrics - PowerPoint PPT Presentation

Slides: 15
Provided by: teaching91

Transcript and Presenter's Notes

1
Information Security Metrics
2
Why Measure Information Security
  • Improve accountability for security
  • Better administer the security budget
  • Allow measuring the success/failure of investments
    made
  • Give a business value to security
  • Assess effectiveness of implemented processes,
    procedures and controls
  • Standards compliance (ISO 27001)

3
Why Measure Information Security (2)?
  • Ability to isolate problems
  • End up with data you can reuse
  • Benchmarking
  • Ability to track the risk profile
  • Show commitment to proactive information security

4
Security Metrics? What's That?
  • No shared understanding of:
    • What they mean
    • What we can/should measure
    • How to define them
    • What to do with the measurement

5
Defining Security Metrics
  • Many definitions
  • Quantitative vs Qualitative
  • Thinkers vs Feelers
  • Simple vs Complex
  • Metrics are a system of parameters or ways of
    quantitative and periodic assessment of a process
    that is to be measured, along with the procedures
    to carry out such measurement and the procedures
    for the interpretation of the assessment in the
    light of previous or comparable assessments
    (Wikipedia)
  • Monitor and measure implementation effectiveness
    of security controls within the context of the
    security program (NIST)

6
Lots to Measure Here!
  • Information Security Management System
  • Management Processes
  • Business Processes
  • Procedures
  • Policies
  • Technical Controls
  • Level of Implementation
  • Effectiveness/Efficiency
  • Impact
  • User compliance
  • etc.

7
Classification of Security Metrics
  • NIST
    • Implementation, Effectiveness/Efficiency, Impact
    • 17 security control families
    • Time dimension
  • BSI (ISO 27001)
    • Management controls, business processes,
      operational controls, technical controls, audits,
      review and testing
    • 11 control objectives
    • Implementation, Effectiveness and Performance

8
Security Metrics for ISO 27001
9
Developing Security Metrics I
  • Implementation Metrics
  • Effectiveness and Efficiency Metrics
  • Impact Metrics
  • What do we measure?
    • Single Controls
    • Multiple Controls

NIST
10
Developing Security Metrics II
  • ISMS Metrics
    • Performance and Effectiveness
    • Not Implementation
  • Controls Metrics
    • Effectiveness and Implementation
    • Control or groups of controls

BSI-ISO27001
11
What's in a Metric
12
Conclusions...
  • Adopt a security metrics model (NIST/BSI)
    • Includes definitions
    • Support for metrics development and follow-up
  • What to measure
    • Not necessarily control specific
    • May aggregate more than one control according to
      goals
    • Start with high-priority controls/goals first
    • Linked to business objectives (involve
      stakeholders)

13
...conclusions
  • Types of Metrics
    • Implementation, effectiveness, efficiency and
      impact
  • Implementation
    • May be phased according to the system's maturity
    • Remember data may not be available
    • Start from processes that are stable and from
      which data can be realistically obtained
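As an added illustration of slides 9, 10, 12 and 13 (this is example code, not part of the original deck or of the NIST/BSI documents), the script below defines an implementation metric and an effectiveness metric per control, pools each metric over all controls serving the same goal, and reports controls whose data is not yet available instead of counting them as zero. Control ids, goals and all counts are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class ControlEvidence:
    control: str                 # hypothetical control id
    goal: str                    # hypothetical business goal the control serves
    implemented: Optional[int]   # systems where the control is in place
    in_scope: Optional[int]      # systems that should have the control
    within_sla: Optional[int]    # events the control handled within target
    events: Optional[int]        # events the control had to handle

Ratio = Optional[Tuple[int, int]]  # (numerator, denominator) or None if no data

def implementation(c: ControlEvidence) -> Ratio:
    """Implementation metric: how much of the control is actually in place."""
    if c.implemented is None or c.in_scope is None:
        return None
    return (c.implemented, c.in_scope)

def effectiveness(c: ControlEvidence) -> Ratio:
    """Effectiveness metric: how well the control performs once implemented."""
    if c.within_sla is None or c.events is None:
        return None
    return (c.within_sla, c.events)

def aggregate_by_goal(controls: List[ControlEvidence],
                      metric: Callable[[ControlEvidence], Ratio]) -> Dict[str, dict]:
    """Pool one metric over every control supporting the same goal.
    Controls whose data is unavailable are listed under 'missing' rather than
    silently scored as zero, so the report shows where measurement is not yet possible."""
    report: Dict[str, dict] = {}
    for c in controls:
        entry = report.setdefault(c.goal, {"num": 0, "den": 0, "missing": []})
        r = metric(c)
        if r is None:
            entry["missing"].append(c.control)
        else:
            entry["num"] += r[0]
            entry["den"] += r[1]
    return {g: {"value": round(e["num"] / e["den"], 3) if e["den"] else None,
                "missing": e["missing"]} for g, e in report.items()}

# Constructed sample evidence (not real data); CTRL-2 has no effectiveness data yet.
SAMPLE = [
    ControlEvidence("CTRL-1", "access control", 45, 50, 18, 20),
    ControlEvidence("CTRL-2", "access control", 30, 50, None, None),
    ControlEvidence("CTRL-3", "incident response", 10, 10, 7, 10),
]

if __name__ == "__main__":
    print(aggregate_by_goal(SAMPLE, implementation))
    print(aggregate_by_goal(SAMPLE, effectiveness))
```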

14
References
  • NIST SP 800-80, Guide for Developing Performance
    Metrics for Information Security (2006)
    • Metrics templates and examples
  • NIST SP 800-55, Security Metrics Guide for
    Information Technology Systems (2003)
    • Security metrics programme, sample IT security
      metrics
  • Humphreys T, Plate A (2006). Measuring the
    effectiveness of your ISMS implementations based
    on ISO/IEC 27001. British Standards Institution.
    • PDCA model, sample metrics
  • Security Metrics portal
    • http://teaching.shu.ac.uk/aces/ag/securitymetrics/