Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mission and Metrics from different views: Firm/Agency, Industry (financial services), and Profession Daguio Vancouver Metricon 1.0.

Published byBlake Harmon Modified over 6 years ago

Similar presentations

Presentation on theme: "Mission and Metrics from different views: Firm/Agency, Industry (financial services), and Profession Daguio Vancouver Metricon 1.0."— Presentation transcript:

1 Mission and Metrics from different views: Firm/Agency, Industry (financial services), and Profession Daguio Vancouver Metricon 1.0

2 All Programs Requires clear accountability and objectives, and audience specificity Risk and Compliance are related but separate domains to be managed and should be reported on keeping this in mind and serve different audiences. Decision-making processes are different for these domains. Metrics must serve a mission and a master. Different metrics may be of interest to different audiences who have different objectives. Governance and Accountability objectives usually come first before Availability, Integrity, and Confidentiality according to field experience of several teams interviewed.

3 The first questions we must ask will nearly always be related to governance and objectives:
Who are we? Ours and Others’ Roles and Responsibilities Why are we here? The Organizational Mission and Our Tasking What is at risk? Information, Intellectual Property, IT Systems What are the rules? Policies, Laws, etc. What are the risks? Threats, Vulnerabilities, Controls What resources are available? People, Ideas, Technology, Budget, Time, etc. What is at stake? Is the mission/resource critical to the organization or to us?

4 INFORMATION ASSURANCE
Model shown - Mission Driven Information Assurance Risk and Security Management in context, not a vacuum Mission Driven Model - Layers (Daguio 2004) 15 Natural Law (Physical and Moral) Governance 14 Ethics (Evolved and Created) 13 Law (Agreement, Local, State, National, International Law) 12 Policy (Organizational, and Others) 11 Strategy/Plans Mission 10 Value to Users 9 Services to Users 8 Business Process 7 Application Mission/OSI/ISO 6 Presentation OSI/ISO 5 Session 4 Transport 3 Network 2 Datalink 1 Physical

5 Firm/Agency Intended to
Help manage risk and compliance Support decision-making Support actions Support accountability Starting with Governance and Accountability is critical Agreed objectives and metrics program related measures are starting point Maturity models are a good source of management metrics Interval measures are ok as long as comparisons are not possible

6 Industry/Sector Financial Services – ABA, FIPA, BITS, etc Intended to:
Promote trust and confidence Improve cost effectiveness of programs Prevent new regulatory measures or spread them to others Agreed objectives and metrics program related measures are starting point Baseline and aspirational models are key Maturity models are a good source of management metrics Safest to do nominal and ordinal measures only to prevent comparison.

7 Profession CSO Executive Council is producing tools to provide senior practitioners with tools they can use that can be adapted to their organization’s needs.

8 FIELD EXPERIENCE Metrics program are often the undoing of CSOs since the expectations of C-level executives are often not met. Metrics programs can also negatively impact companies or agencies and industries. Data collected or reported on without context and meaning, or of low quality has caused greater harm than good. Often availability of data and analysis are used against the interests of the security community. Sometimes the primary benefit from these programs came from the discipline and awareness benefits imposed by the measurement and reporting requirements. In other cases the sharing and alignment of objectives that occurred lead to program effectiveness improvements.

9

Download ppt "Mission and Metrics from different views: Firm/Agency, Industry (financial services), and Profession Daguio Vancouver Metricon 1.0."

Similar presentations

Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Project Management Basics

Project Management Basics
Lecture 3 Strategic Planning for IT Projects (Chapter 7)

Lecture 3 Strategic Planning for IT Projects (Chapter 7)
Charting a course PROCESS.

Charting a course PROCESS.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Information Technology Audit

Information Technology Audit
Chapter 20 20-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Mission and Metrics from different views: Firm/Agency, Industry (financial services), and Profession Daguio Vancouver Metricon 1.0.

Mission and Metrics from different views: Firm/Agency, Industry (financial services), and Profession Daguio Vancouver Metricon 1.0.
Social Media Jeevan Kaur, Michael Mai, Jing Jiang.

Social Media Jeevan Kaur, Michael Mai, Jing Jiang.
Continual Service Improvement Process

Continual Service Improvement Process
Test Organization and Management

Test Organization and Management
CSI - Introduction General Understanding. What is ITSM and what is its Value? ITSM is a set of specialized organizational capabilities for providing value.

CSI - Introduction General Understanding. What is ITSM and what is its Value? ITSM is a set of specialized organizational capabilities for providing value.
What is a Business Analyst? A Business Analyst is someone who works as a liaison among stakeholders in order to elicit, analyze, communicate and validate.

What is a Business Analyst? A Business Analyst is someone who works as a liaison among stakeholders in order to elicit, analyze, communicate and validate.
Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141.

Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141.
Managing Data Against Insider Threats Dr. John D. Johnson, CISSP.

Managing Data Against Insider Threats Dr. John D. Johnson, CISSP.
Process Assessment Method

Process Assessment Method
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.

Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Corporate Ethics Programs What are they? A systematic approach to raise employees’ ethical awareness –By education –By providing resources to identify.

Corporate Ethics Programs What are they? A systematic approach to raise employees’ ethical awareness –By education –By providing resources to identify.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Enterprise Cybersecurity Strategy

Enterprise Cybersecurity Strategy

Similar presentations

Ads by Google