Published by Walker Pinchback
© Almerindo Graziano

Information Security Metrics

Why Measure Information Security
- Improve accountability for security
- Better administer the “security” budget
- Allows measuring the success or failure of investments made
- Give a business value to security
- Assess the effectiveness of implemented processes, procedures and controls
- Standards compliance (ISO 27001)

Why Measure Information Security (2)
- Ability to isolate problems
- End up with data you can reuse :-)
- Benchmarking
- Ability to track the risk profile
- Show commitment to proactive information security

Security Metrics? What's That?
No shared understanding of:
- What they mean
- What we can/should measure
- How to define them
- What to do with the measurement

Defining Security Metrics
- Many definitions
- Quantitative vs Qualitative
- Thinkers vs Feelers
- Simple vs Complex
“Metrics are a system of parameters or ways of quantitative and periodic assessment of a process that is to be measured, along with the procedures to carry out such measurement and the procedures for the interpretation of the assessment in the light of previous or comparable assessments” (Wikipedia)
“Monitor and measure implementation effectiveness of security controls within the context of the security program” (NIST)

Lots to Measure Here!
- Information Security Management System
- Management processes
- Business processes
- Procedures
- Policies
- Technical controls
- Level of implementation
- Effectiveness/Efficiency
- Impact
- User compliance
- etc.

Classification of Security Metrics
NIST:
- Implementation, Effectiveness/Efficiency, Impact
- 17 security control families
- Time dimension
BSI (ISO 27001):
- Management controls, business processes, operational controls, technical controls, audits, review and testing
- 11 control objectives
- Implementation, Effectiveness and Performance
Security Metrics for ISO 27001
Developing Security Metrics I (NIST)
1) Implementation Metrics
2) Effectiveness and Efficiency Metrics
3) Impact Metrics
What do we measure? Single controls or multiple controls

Developing Security Metrics II (BSI, ISO 27001)
- ISMS metrics: performance and effectiveness, not implementation
- Controls metrics: effectiveness and implementation, for a control or a group of controls
What's in a Metric
Conclusions...
- Adopt a security metrics model (NIST/BSI): it includes definitions and support for metrics development and follow-up
- What to measure: not necessarily control specific; may aggregate more than one control according to goals
- Start with high-priority controls/goals first, linked to business objectives (involve stakeholders)

...Conclusions
- Types of metrics: implementation, effectiveness, efficiency and impact
- Implementation may be phased according to the system's maturity
- Remember data may not be available: start from processes that are stable and from which data can realistically be obtained

References
- NIST SP 800-80, Guide for Developing Performance Metrics for Information Security (2006): metrics templates and examples
- NIST SP 800-55, Security Metrics Guide for Information Technology Systems (2003): security metrics programme, sample IT security metrics
- Humphreys T., Plate A. (2006). Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001. British Standards Institution: PDCA model, sample metrics
- Security Metrics portal: http://teaching.shu.ac.uk/aces/ag/securitymetrics/
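As an added example (not from the slides), the metric types and the aggregation advice above modelled in Python: an implementation metric and an effectiveness metric computed over constructed control records, aggregated per control family, and compared across two periods (the time dimension). Control IDs, families and test counts are made-up sample values; a metric for which no data exists returns None rather than a misleading 0.

```python
from collections import defaultdict

# Constructed sample records: (control id, control family, implemented?,
# tests run, tests passed). All values are made up for illustration.
PERIOD_Q1 = [
    ("AC-2", "AC", True, 4, 3),
    ("AC-3", "AC", False, 0, 0),
    ("AU-2", "AU", True, 2, 2),
    ("AU-6", "AU", True, 5, 2),
    ("IR-4", "IR", False, 0, 0),
    ("IR-6", "IR", True, 3, 3),
]
PERIOD_Q2 = [
    ("AC-2", "AC", True, 4, 4),
    ("AC-3", "AC", True, 2, 1),
    ("AU-2", "AU", True, 2, 2),
    ("AU-6", "AU", True, 5, 4),
    ("IR-4", "IR", True, 1, 1),
    ("IR-6", "IR", True, 3, 3),
]


def implementation_metric(records):
    """Implementation metric: share of controls in place, in percent."""
    if not records:
        return None  # no data is not the same as 0% implemented
    return 100.0 * sum(1 for r in records if r[2]) / len(records)


def effectiveness_metric(records):
    """Effectiveness metric: share of control tests passed, counted over
    implemented controls only. None when no tests ran in the period."""
    run = sum(r[3] for r in records if r[2])
    passed = sum(r[4] for r in records if r[2])
    return None if run == 0 else 100.0 * passed / run


def by_family(records, metric):
    """Aggregate a metric per control family (several controls per goal)."""
    groups = defaultdict(list)
    for r in records:
        groups[r[1]].append(r)
    return {fam: metric(rs) for fam, rs in sorted(groups.items())}


def trend(previous, current, metric):
    """Time dimension: per-family change of a metric between two periods."""
    prev, curr = by_family(previous, metric), by_family(current, metric)
    return {fam: None if prev.get(fam) is None or val is None
            else round(val - prev[fam], 1) for fam, val in curr.items()}
```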