Published by Walker Pinchback
Modified over 4 years ago
© Almerindo Graziano Information Security Metrics
Why Measure Information Security
- Improve accountability for security
- Better administer the "security" budget
- Allow measurement of the success or failure of investments made
- Give a business value to security
- Assess effectiveness of implemented processes, procedures and controls
- Standard compliance (ISO 27001)
Why Measure Information Security (2)
- Ability to isolate problems
- End up with data you can reuse :-)
- Benchmarking
- Ability to track the risk profile
- Show commitment to proactive information security
Security Metrics? What's That?
No shared understanding of:
- What they mean
- What we can/should measure
- How to define them
- What to do with the measurement
Defining Security Metrics
- Many definitions
- Quantitative vs Qualitative
- Thinkers vs Feelers
- Simple vs Complex
"Metrics are a system of parameters or ways of quantitative and periodic assessment of a process that is to be measured, along with the procedures to carry out such measurement and the procedures for the interpretation of the assessment in the light of previous or comparable assessments" (Wikipedia)
"Monitor and measure implementation effectiveness of security controls within the context of the security program" (NIST)
Lots to Measure Here!
- Information Security Management System
- Management processes
- Business processes
- Procedures
- Policies
- Technical controls
- Level of implementation
- Effectiveness/Efficiency
- Impact
- User compliance
- etc.
Classification of Security Metrics
NIST
- Implementation, Effectiveness/Efficiency, Impact
- 17 security control families
- Time dimension
BSI (ISO 27001)
- Management controls, business processes, operational controls, technical controls, audits, review and testing
- 11 control objectives
- Implementation, Effectiveness and Performance
Security Metrics for ISO 27001
Developing Security Metrics I (NIST)
1) Implementation Metrics
2) Effectiveness and Efficiency Metrics
3) Impact Metrics
What do we measure?
- Single controls
- Multiple controls
Developing Security Metrics II (BSI, ISO 27001)
ISMS Metrics
- Performance and Effectiveness
- Not Implementation
Controls Metrics
- Effectiveness and Implementation
- Control or groups of controls
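The two slides above describe metric types (implementation, effectiveness/efficiency, impact) and the choice between measuring a single control and a group of controls. The following worked example is added here and is not code from the presentation or from NIST/BSI; it shows what a small metrics catalogue in that spirit looks like once it is made computable: each metric names its type, the control(s) it covers, a formula over raw evidence, and a target. The control labels, targets and evidence figures are all constructed for illustration.

```python
"""Added example: a computable security-metrics catalogue.

Each Metric belongs to one of the three types on the slides (implementation,
effectiveness or impact), names the control or group of controls it covers,
and is calculated from raw evidence for one reporting period. Control labels,
targets and evidence values are constructed assumptions, not real ISMS data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Metric:
    metric_id: str
    kind: str                     # "implementation", "effectiveness" or "impact"
    controls: List[str]           # one control, or a group of controls aggregated by goal
    formula: Callable[[Dict[str, float]], float]
    target: float                 # threshold the computed value is compared against
    higher_is_better: bool = True # impact metrics such as cost are "lower is better"


def pct(numerator: float, denominator: float) -> float:
    """Percentage rounded to one decimal; 0.0 when no data exists for the period."""
    return 0.0 if denominator == 0 else round(100.0 * numerator / denominator, 1)


# Constructed evidence: the kind of figures an ISMS would pull from patch,
# training, incident and finance records for a single reporting period.
EVIDENCE: Dict[str, float] = {
    "hosts_total": 200, "hosts_patched_within_sla": 176,
    "staff_total": 120, "staff_trained": 110,
    "incidents": 14, "incidents_from_unpatched_hosts": 2,
    "incident_cost": 24000.0, "security_budget": 300000.0,
}

# Constructed catalogue. Control names are illustrative labels, not ISO clause numbers.
CATALOGUE: List[Metric] = [
    # Implementation metrics: is the control in place across its scope?
    Metric("IMP-01", "implementation", ["vulnerability-management"],
           lambda e: pct(e["hosts_patched_within_sla"], e["hosts_total"]), target=95.0),
    Metric("IMP-02", "implementation", ["awareness-training"],
           lambda e: pct(e["staff_trained"], e["staff_total"]), target=90.0),
    # Effectiveness metric aggregating two controls toward one goal:
    # share of incidents that did NOT involve a host outside the patch SLA.
    Metric("EFF-01", "effectiveness", ["vulnerability-management", "incident-management"],
           lambda e: pct(e["incidents"] - e["incidents_from_unpatched_hosts"], e["incidents"]),
           target=80.0),
    # Impact metric in business terms: incident cost as a share of the security budget.
    Metric("IMPACT-01", "impact", ["incident-management"],
           lambda e: pct(e["incident_cost"], e["security_budget"]),
           target=10.0, higher_is_better=False),
]


def evaluate(metric: Metric, evidence: Dict[str, float]) -> dict:
    """Compute one metric and decide whether its target is met for this period."""
    value = metric.formula(evidence)
    met = value >= metric.target if metric.higher_is_better else value <= metric.target
    return {"id": metric.metric_id, "kind": metric.kind, "value": value,
            "target": metric.target, "met": met, "controls": list(metric.controls)}


def report(catalogue: List[Metric], evidence: Dict[str, float]) -> List[dict]:
    """Evaluate the whole catalogue against one period's evidence."""
    return [evaluate(m, evidence) for m in catalogue]


def by_control(results: List[dict]) -> Dict[str, List[str]]:
    """Index metric IDs by control, so one control's coverage across metric types is visible."""
    index: Dict[str, List[str]] = {}
    for r in results:
        for control in r["controls"]:
            index.setdefault(control, []).append(r["id"])
    return index


if __name__ == "__main__":
    results = report(CATALOGUE, EVIDENCE)
    for r in results:
        status = "met" if r["met"] else "NOT met"
        print(f'{r["id"]:<10} {r["kind"]:<15} {r["value"]:>6}  target {r["target"]:>5}  {status}')
    print(by_control(results))
```

With the constructed evidence, the patch-coverage metric (IMP-01) misses its target while the other three are met, and the `by_control` index shows that vulnerability management is covered by both an implementation and an effectiveness metric, which is the "control or groups of controls" view the BSI slide refers to.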
What's in a Metric
Conclusions...
Adopt a security metrics model (NIST/BSI)
- Includes a definition
- Support for metrics development and follow-up
What to measure
- Not necessarily control specific
- May aggregate more than one control according to goals
- Start with high-priority controls/goals first
- Linked to business objectives (involve stakeholders)
...conclusions
Types of Metrics
- Implementation, effectiveness, efficiency and impact
Implementation
- May be phased according to the system's maturity
- Remember data may not be available
- Start from processes that are stable and from which data can be realistically obtained
References
- NIST SP 800-80, Guide for Developing Performance Metrics for Information Security (2006): metrics templates and examples
- NIST SP 800-55, Security Metrics Guide for Information Technology Systems (2003): security metrics programme, sample IT security metrics
- Humphreys T, Plate A (2006). Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001. British Standards Institution: PDCA model, sample metrics
- Security Metrics portal: http://teaching.shu.ac.uk/aces/ag/securitymetrics/