© Almerindo Graziano Information Security Metrics.


Slide 1: Information Security Metrics

Slide 2: Why Measure Information Security
- Improve accountability for security
- Better administer the "security" budget
- Allow measurement of the success/failure of investments made
- Give a business value to security
- Assess effectiveness of implemented processes, procedures and controls
- Standards compliance (ISO 27001)

Slide 3: Why Measure Information Security (2)
- Ability to isolate problems
- End up with data you can reuse :-)
- Benchmarking
- Ability to track the risk profile
- Show commitment to proactive information security

Slide 4: Security Metrics? What's That?
No shared understanding of:
- What they mean
- What we can/should measure
- How to define them
- What to do with the measurement

Slide 5: Defining Security Metrics
Many definitions:
- Quantitative vs Qualitative
- Thinkers vs Feelers
- Simple vs Complex
"Metrics are a system of parameters or ways of quantitative and periodic assessment of a process that is to be measured, along with the procedures to carry out such measurement and the procedures for the interpretation of the assessment in the light of previous or comparable assessments" (Wikipedia)
"Monitor and measure implementation effectiveness of security controls within the context of the security program" (NIST)

Slide 6: Lots to Measure Here!
- Information Security Management System
- Management processes
- Business processes
- Procedures
- Policies
- Technical controls
- Level of implementation
- Effectiveness/efficiency
- Impact
- User compliance
- etc.

Slide 7: Classification of Security Metrics
NIST:
- Implementation, Effectiveness/Efficiency, Impact
- 17 security control families
- Time dimension
BSI (ISO 27001):
- Management controls, business processes, operational controls, technical controls, audits, review and testing
- 11 control objectives
- Implementation, Effectiveness and Performance

Slide 8: Security Metrics for ISO 27001

Slide 9: Developing Security Metrics I (NIST)
1) Implementation Metrics
2) Effectiveness and Efficiency Metrics
3) Impact Metrics
What do we measure?
- Single controls
- Multiple controls

Slide 10: Developing Security Metrics II (BSI - ISO 27001)
ISMS metrics:
- Performance and Effectiveness
- Not Implementation
Controls metrics:
- Effectiveness and Implementation
- Control or groups of controls

Slide 11: What's in a Metric

Slide 12: Conclusions...
Adopt a security metrics model (NIST/BSI):
- Included definition
- Support for metrics development and follow-up
What to measure:
- Not necessarily control specific
- May aggregate more than one control according to goals
- Start with high-priority controls/goals first
- Linked to business objectives (involve stakeholders)

Slide 13: ...Conclusions
Types of metrics:
- Implementation, effectiveness, efficiency and impact
Implementation:
- May be phased according to the system's maturity
- Remember data may not be available
- Start from processes that are stable and from which data can be realistically obtained

Slide 14: References
- NIST SP 800-80, Guide for Developing Performance Metrics for Information Security (2006): metrics templates and examples
- NIST SP 800-55, Security Metrics Guide for Information Technology Systems (2003): security metrics programme, sample IT security metrics
- Humphreys T., Plate A. (2006). Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001. British Standards Institution: PDCA model, sample metrics
- Security Metrics portal
