
Mission and Metrics from different views: Firm/Agency, Industry (financial services), and Profession Daguio Vancouver Metricon 1.0.

Presentation transcript:

1 Mission and Metrics from different views: Firm/Agency, Industry (financial services), and Profession
Daguio, Vancouver, Metricon 1.0

2 All Programs
All programs require clear accountability and objectives, and audience specificity.
Risk and compliance are related but separate domains. They should be managed and reported on with this in mind, since they serve different audiences, and the decision-making processes differ between the two domains.
Metrics must serve a mission and a master. Different metrics may be of interest to different audiences who have different objectives.
According to the field experience of several teams interviewed, governance and accountability objectives usually come before availability, integrity, and confidentiality.

3 The first questions we must ask will nearly always be related to governance and objectives:
Who are we? Our and others' roles and responsibilities
Why are we here? The organizational mission and our tasking
What is at risk? Information, intellectual property, IT systems
What are the rules? Policies, laws, etc.
What are the risks? Threats, vulnerabilities, controls
What resources are available? People, ideas, technology, budget, time, etc.
What is at stake? Is the mission/resource critical to the organization or to us?

4 INFORMATION ASSURANCE
Model shown: Mission Driven Information Assurance. Risk and security management in context, not in a vacuum.
Mission Driven Model - Layers (Daguio 2004)
Governance:
15 Natural Law (Physical and Moral)
14 Ethics (Evolved and Created)
13 Law (Agreement, Local, State, National, International Law)
12 Policy (Organizational, and Others)
Mission:
11 Strategy/Plans
10 Value to Users
9 Services to Users
8 Business Process
Mission/OSI/ISO:
7 Application
OSI/ISO:
6 Presentation
5 Session
4 Transport
3 Network
2 Datalink
1 Physical

5 Firm/Agency
Intended to:
Help manage risk and compliance
Support decision-making
Support actions
Support accountability
Starting with governance and accountability is critical.
Agreed objectives and metrics-program-related measures are the starting point.
Maturity models are a good source of management metrics.
Interval measures are OK as long as comparisons are not possible.

6 Industry/Sector
Financial Services (ABA, FIPA, BITS, etc.)
Intended to:
Promote trust and confidence
Improve cost effectiveness of programs
Prevent new regulatory measures or spread them to others
Agreed objectives and metrics-program-related measures are the starting point.
Baseline and aspirational models are key.
Maturity models are a good source of management metrics.
Safest to do nominal and ordinal measures only, to prevent comparison.

7 Profession
The CSO Executive Council is producing tools for senior practitioners that can be adapted to their organization's needs.

8 FIELD EXPERIENCE
Metrics programs are often the undoing of CSOs, since the expectations of C-level executives are often not met.
Metrics programs can also negatively impact companies, agencies, and industries. Data collected or reported without context and meaning, or of low quality, has caused greater harm than good. Often the availability of data and analysis is used against the interests of the security community.
Sometimes the primary benefit of these programs came from the discipline and awareness imposed by the measurement and reporting requirements. In other cases, the sharing and alignment of objectives that occurred led to improvements in program effectiveness.
