MANAGEMENT of INFORMATION SECURITY, Fifth Edition.

Slides:



Advertisements
Similar presentations
Software Quality Assurance Plan
Advertisements

ORGANIZATION. 2 Problem scenario  Develop an organizational chart for your laboratory showing lines of authority from the head of the organization to.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Management of Information Security, 4th Edition
CPIS 357 Software Quality & Testing I.Rehab Bahaaddin Ashary Faculty of Computing and Information Technology Information Systems Department Fall 2010.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Dr. Julian Lo Consulting Director ITIL v3 Expert
Security Controls – What Works
Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Security Management Practices
Computer Security: Principles and Practice
Configuration Management
What is Business Analysis Planning & Monitoring?
© 2010 Plexent – All rights reserved. 1 Change –The addition, modification or removal of approved, supported or baselined CIs Request for Change –Record.
Security Management Practices
SEC835 Database and Web application security Information Security Architecture.
A Security Training Program through Transformational Leadership and Practical Approaches Tanetta N. Isler Federal Information Systems Security Educators’
Applied Technology Services, Inc. Your Partner in Technology Applied Technology Services, Inc. Your Partner in Technology.
NIST Special Publication Revision 1
COBIT - IT Governance.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Module N° 8 – SSP implementation plan. SSP – A structured approach Module 2 Basic safety management concepts Module 2 Basic safety management concepts.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.
An Integrated Control Framework & Control Objectives for Information Technology – An IT Governance Framework COSO and COBIT 4.0.
Web Security for Network and System Administrators1 Chapter 2 Security Processes.
Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.
INFORMATION SECURITY MANAGEMENT L ECTURE 2: P LANNING FOR S ECURITY You got to be careful if you don’t know where you’re going, because you might not get.
Auditing IT Vulnerabilities IT vulnerabilities are weaknesses or exposures in IT assets or processes that may lead to a business risk or security risk.
IT Risks and Controls Revised on Content Internal Control  What is internal control?  Objectives of internal controls  Types of internal controls.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
SecSDLC Chapter 2.
Evaluate Phase Pertemuan Matakuliah: A0774/Information Technology Capital Budgeting Tahun: 2009.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Risk Management Process Frame = context, strategies Assess = determine.
Project Management Strategies Hidden in the CMMI Rick Hefner, Northrop Grumman CMMI Technology Conference & User Group November.
Company LOGO. Company LOGO PE, PMP, PgMP, PME, MCT, PRINCE2 Practitioner.
Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.
Cmpe 589 Spring Fundamental Process and Process Management Concepts Process –the people, methods, and tools used to produce software products. –Improving.
INFORMATION SECURITY MANAGEMENT L ECTURE 2: P LANNING FOR S ECURITY You got to be careful if you don’t know where you’re going, because you might not get.
MANAGEMENT of INFORMATION SECURITY Third Edition C HAPTER 7 S ECURITY M ANAGEMENT P RACTICES In theory there is no difference between theory and practice,
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Organization and Implementation of a National Regulatory Program for the Control of Radiation Sources Program Performance Criteria.
Info-Tech Research Group1 1 Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine.
Selection Criteria and Invitational Priorities School Leadership Program U.S. Department of Education 2005.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
MANAGEMENT of INFORMATION SECURITY, Fifth Edition.
Phase-1: Prepare for the Change Why stepping back and preparing for the change is so important to successful adoption: Uniform and effective change adoption.
CMMI for Services, Version 1.3 Speaker: Business Excellence Date:
Donald JG Chiarella, PhD, CISM, CDMP, PEM, CHS-CIA, MBA.
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Headquarters U.S. Air Force
Introduction for the Implementation of Software Configuration Management I thought I knew it all !
Configuration Management
Software Project Configuration Management
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Data Architecture World Class Operations - Impact Workshop.
CS4311 Spring 2011 Process Improvement Dr
Software Configuration Management
Introduction to the Federal Defense Acquisition Regulation
Software Requirements
MGT 498 Education for Service-- snaptutorial.com.
MGT 498 Teaching Effectively-- snaptutorial.com
Project Management Processes
Risk Management: Principles of risk, Types of risk and Risk strategies
Project Management Group
The value of the metrics standards within our compliance frameworks
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
CMGT/431 INFORMATION SYSTEMS SECURITY The Latest Version // uopcourse.com
CMGT 431 CMGT431 cmgt 431 cmgt431 Entire Course // uopstudy.com
Presentation transcript:

MANAGEMENT of INFORMATION SECURITY, Fifth Edition

PERFORMANCE MEASUREMENT IN INFOSEC MANAGEMENT 2 Management of Information Security, 5th Edition, © Cengage Learning

Performance Measures in InfoSec Management While CISOs sometimes claim that the costs and benefits and performance of InfoSec are almost impossible to measure, in fact they are measurable Doing so requires the design and ongoing use of an InfoSec performance management program based on effective performance metrics 3 Management of Information Security, 5th Edition, © Cengage Learning

InfoSec Performance Management Information security performance management is the process of designing, implementing and managing the use of the collected data elements (called measures or metrics) to determine the effectiveness of the overall security program Performance measurements (or measures) are data points or computed trends that may indicate the effectiveness of security countermeasures or controls—technical and managerial—as implemented in the organization 4 Management of Information Security, 5th Edition, © Cengage Learning

InfoSec Performance Management Organizations use three types of measurements: – Those that determine the effectiveness of the execution of InfoSec policy (like ISSPs) – Those that determine the effectiveness and/or efficiency of the delivery of information security services – Those that assess the impact of an incident or other security event on the organization or its mission 5 Management of Information Security, 5th Edition, © Cengage Learning

InfoSec Performance Management According to NIST SP R1 - Performance Measurement Guide for Information Security, the following factors must be considered during development and implementation of an information security performance management program: – Measurements must yield quantifiable information (percentages, averages, and numbers) – Data that supports the measurements needs to be readily obtainable – Only repeatable information security processes should be considered for measurement – Measurements must be useful for tracking performance and directing resources 6 Management of Information Security, 5th Edition, © Cengage Learning

InfoSec Performance Management Also according to SP R.1, four factors are critical to the success of an information security performance program: – Strong upper level management support – Practical InfoSec policies and procedures – Quantifiable performance measurements – Results-oriented measurement analysis 7 Management of Information Security, 5th Edition, © Cengage Learning

InfoSec Performance Management When an organization applies statistical and quantitative approaches of mathematical analysis to the process of measuring the activities and outcomes of the InfoSec program, it is using InfoSec metrics In some organizations, the terms metrics and measures are interchangeable. In others, the term “metrics” is used for more granular, detailed measurements, while the term “measurements” is used for aggregate, higher-level results 8 Management of Information Security, 5th Edition, © Cengage Learning

InfoSec Performance Management Before beginning the process of designing, collecting, and using measures, the CISO should be prepared to answer the following questions: – Why should these measurements be collected? – What specific measurements will be collected? – How will these measurements be collected? – When will these measurements be collected? – Who will collect these measurements? – Where (at what point in the function’s process) will these measurements be collected? 9 Management of Information Security, 5th Edition, © Cengage Learning

Building the Performance Measurement Program Even with strong management support, an information security measures program as part of a security performance management program must be able to demonstrate value to the organization One of the most popular among the many references that support the development of a process improvement and performance measures is the Capability Maturity Model Integrated (CMMI) from the CMMI Institute at Carnegie Mellon 10 Management of Information Security, 5th Edition, © Cengage Learning

Building the Performance Measures Program Another popular approach is the NIST SP R1: Performance Measurement for Information Security. This process is divided into two major activities: – Identification and definition of the current InfoSec program – Development and selection of specific measures to gauge the implementation, effectiveness, efficiency, and impact of the security controls 11 Management of Information Security, 5th Edition, © Cengage Learning

InfoSec Measures Development Process 12 Management of Information Security, 5th Edition, © Cengage Learning

Specifying InfoSec Measurements One of the critical tasks in the measurement process is to assess and quantify what will be measured While InfoSec planning and organizing activities may only require time estimates, you must obtain more detailed measurements when assessing the effort spent to complete production tasks and the time spent completing project tasks Measurements collected from production statistics depend greatly on the number of systems and the number of users of those systems Collecting measurements about project activities may be even more challenging, as the organization needs some mechanism to link the outcome of each project, in terms of loss control or risk reduction, to the resources consumed 13 Management of Information Security, 5th Edition, © Cengage Learning

Collecting InfoSec Measures Some thought must go into the processes used for data collection and record keeping Once the question of what to measure is answered, the how, when, where, and who questions of metrics collection must be addressed Designing the collection process requires thoughtful consideration of the intent of the metric along with a thorough knowledge of how production services are delivered 14 Management of Information Security, 5th Edition, © Cengage Learning

Measurements Development Approach One of the priorities in building an information security measurement program is determining whether these measures will be macro-focus or micro-focus, or some combination thereof – Macro-focus measurements examine the performance of the overall security program – Micro-focus measurements examine the performance of an individual controller or group of controls within the information security program What is important is that the measurements are specifically tied to individual InfoSec goals and objectives 15 Management of Information Security, 5th Edition, © Cengage Learning

Measurement Prioritization and Selection Because organizations seem to manage what they measure, it is important to ensure that individual metrics are prioritized in the same manner as the processes they measure This can be achieved with a simple low-, medium-, or high-priority ranking system, or a weighted scale approach, which would involve assigning values to each measure based on its importance in the overall information security program, and on the overall risk mitigation goals and the criticality of the systems While there are literally hundreds of measurements that could be used, only those associated with appropriate-level priority activities should be incorporated 16 Management of Information Security, 5th Edition, © Cengage Learning

Establishing Performance Targets Performance targets make it possible to define success in the security program Many InfoSec performance measurements targets are represented by a 100% target goal Other types of performance measures, such as those used to determine relative effectiveness or efficiency or impact of information security on the organization’s goals, tend to be more subjective and require solid native and subjective reasoning One of the fundamental challenges in InfoSec performance measurement is defining effective security; in other words when is InfoSec effective? 17 Management of Information Security, 5th Edition, © Cengage Learning

Performance Measurement Template and Instructions 18 Management of Information Security, 5th Edition, © Cengage Learning

Performance Measurement Template and Instructions 19 Management of Information Security, 5th Edition, © Cengage Learning

Performance Measurement Example 20 Management of Information Security, 5th Edition, © Cengage Learning

Examples of Possible Security Performance Measures Percentage of the organization's information systems budget devoted to information security Percentage of high vulnerabilities mitigated within organizationally defined time periods after discovery Percentage space of remote access points used to gain unauthorized access Percentage of information systems personnel that have received security training Average frequency of audit records review and analysis for inappropriate activity Percentage of new systems that have completed certification and accreditation prior to their implementation Percentage approved and implemented configuration changes identified in the latest automated baseline configuration Percentage of information systems that have conducted annual contingency plan testing Percentage of users with access to shared accounts Percentage of incidents reported within required time frame per applicable incident category Percentage of system components that undergo maintenance in accordance with formal maintenance schedules 21 Management of Information Security, 5th Edition, © Cengage Learning

Examples of Possible Security Performance Measures (cont) Percentage of media that passes sanitization procedures testing Percentage of physical security incidents allowing unauthorized entry into facilities containing information assets Percentage of employees who are authorized access to information systems only after they sign an acknowledgment that they have read and understood the appropriate policies Percentage of individual screened before being granted access to organizational information and information systems Percentage of vulnerabilities remediated within organization- specified time frames Percentage of system and service acquisition contracts that include security requirements and/or specifications Percentage of mobile computers and devices that perform all cryptographic operations using organizationally specified cryptographic modules operating in approved modes of operations Percentage of operating system vulnerabilities for which patches have been applied or that have been otherwise mitigated 22 Management of Information Security, 5th Edition, © Cengage Learning

InfoSec Performance Measurement Implementation Once developed, information security performance measurements must be implemented and integrated into ongoing information security management operations For the most part, it is insufficient to simply collect these measures once Performance measurement is an ongoing, continuous improvement operation 23 Management of Information Security, 5th Edition, © Cengage Learning

NIST InfoSec Performance Measurement Implementation Phase 1—Prepare for data collection; identify, define, develop, and select InfoSec measures Phase 2—Collect data and analyze results; collect, aggregate, and consolidate metric data collection and compare measurements with targets (gap analysis) Phase 3—Identify corrective actions; develop a plan to serve as the roadmap for closing the gap identified in Phase 2 Phase 4—Develop the business case Phase 5—Obtain resources; address the budgeting cycle for acquiring resources needed to implement remediation actions identified in Phase 3 Phase 6—Apply corrective actions; close the gap by implementing the recommended corrective actions in the security program or in the security controls 24 Management of Information Security, 5th Edition, © Cengage Learning

Implementing the InfoSec Measurement Program 25 Management of Information Security, 5th Edition, © Cengage Learning

Reporting InfoSec Performance Measurements In most cases, simply listing the measurements collected does not adequately convey their meaning In addition, you must make decisions about how to present correlated metrics The CISO must also consider to whom the results of the performance measures program should be disseminated, and how they should be delivered 26 Management of Information Security, 5th Edition, © Cengage Learning

Security Dashboard 27 Management of Information Security, 5th Edition, © Cengage Learning

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.