Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Almerindo Graziano Information Security Metrics.

Published byWalker Pinchback Modified over 9 years ago

Similar presentations

Presentation on theme: "© Almerindo Graziano Information Security Metrics."— Presentation transcript:

1 © Almerindo Graziano Information Security Metrics

2 © Almerindo Graziano Why Measure Information Security Improve accountability for security Better administer the “security” budget Allow to measure success/failure of investments made Give a business value to security Assess effectiveness of implemented processes, procedure and controls Standard Compliance (ISO 27001)‏

3 © Almerindo Graziano Why Measure Information Security (2)‏ Ability to isolate problems End up with data you can reuse :-)‏ Benchmarking Ability to track the risk profile Show commitment to proactive information security

4 © Almerindo Graziano Security Metrics? What's That? Not shared understanding of: What they mean What we can/should measure How to define them What to do with the measurement

5 © Almerindo Graziano Defining Security Metrics Many definitions  Quantitative vs Qualitative  Thinkers vs Feelers  Simple vs Complex “Metrics are a system of parameters or ways of quantitative and periodic assessment of a process that is to be measured, along with the procedures to carry out such measurement and the procedures for the interpretation of the assessment in the light of previous or comparable assessments (Wikipedia)‏ “Monitor and measure implementation effectiveness of security controls within the context of the security program” (NIST)‏

6 © Almerindo Graziano Lots to Measure Here! Information Security Management System Management Processes Business Processes Procedures Policies Technical Controls Level of Implementation Effectiveness/Efficiency Impact User compliance etc.

7 © Almerindo Graziano Classification of Security Metrics NIST  Implementation, Effectiveness/Efficiency, Impact  17 security control families  Time dimension BSI (ISO 27001)‏  Management controls, business processes, operational controls, technical controls, audits review and testing  11 control objectives  Implementation, Effectiveness and Performance

8 © Almerindo Graziano Security Metrics for ISO 27001

9 © Almerindo Graziano Developing Security Metrics I 1)Implementation Metrics 2)Effectiveness and Efficiency Metrics 3)Impact Metrics What do we measure? Single Controls Multiple Controls NIS T

10 © Almerindo Graziano Developing Security Metrics II ISMS Metrics  Performance and Effectiveness  Not Implementation Controls Metrics  Effectiveness and Implementation  Control or groups of controls BSI- ISO27001

11 © Almerindo Graziano What's in a Metric

12 © Almerindo Graziano Conclusions... Adopt a security metrics model (NIST/BSI)‏  Included definition  Support for metrics development and follow up What to measure  Not necessarily control specific  May aggregate more than one control according to goals  Start with high-priority controls/goals first  Linked to business objectives (Involve stakeholders)‏

13 © Almerindo Graziano...conclusions Types of Metrics  Implementation, effectiveness, efficiency and impact Implementation  May be phased according to system's maturity  Remember data may not be available  Start from processes that are stable and from which data can be realistically obtained

14 © Almerindo Graziano References NIST-SP 800-80 Guide for Developing Performance Metrics for Information Security (2006)‏  Metrics templates and examples NIST SP 800-55 Security Metrics Guide for Information Technology Systems (2003)‏  Security Metrics Programme, sample IT security metrics Humphreys T, Plate A 2006. Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001. British Standards Institution.  PDCA model, sample metrics Security Metrics portal  http://teaching.shu.ac.uk/aces/ag/securitymetrics/

Download ppt "© Almerindo Graziano Information Security Metrics."

Similar presentations

Concept of Managing for Development Results- MfDR T.M.Jayasekera, B Sc Eng., MBA, C Eng, FIE, FIM, FCIWEM, MSLIM, MSLITAD National Consultant-UNDP TA on.

Concept of Managing for Development Results- MfDR T.M.Jayasekera, B Sc Eng., MBA, C Eng, FIE, FIM, FCIWEM, MSLIM, MSLITAD National Consultant-UNDP TA on.
Needs Assessment A brief overview of needs assessment in the context of using ID to plan instructional programs.

Needs Assessment A brief overview of needs assessment in the context of using ID to plan instructional programs.
Network and Information Security Report – ICTSB/NISSG Dr. Angelika Plate.

Network and Information Security Report – ICTSB/NISSG Dr. Angelika Plate.
Establishing a standardised methodology to measure JEREMIE impact Álvaro Navarro Innovation and Development Agency of Andalusia, Spain Brussels, 20 th.

Establishing a standardised methodology to measure JEREMIE impact Álvaro Navarro Innovation and Development Agency of Andalusia, Spain Brussels, 20 th.
Methodologies for Assessing Social and Economic Performance in JESSICA Operations Gianni Carbonaro EIB - JESSICA and Investment Funds JESSICA Networking.

Methodologies for Assessing Social and Economic Performance in JESSICA Operations Gianni Carbonaro EIB - JESSICA and Investment Funds JESSICA Networking.
Project Appraisal Module 5 Session 6.

Project Appraisal Module 5 Session 6.
ISMS implementation and certification process overview

ISMS implementation and certification process overview
Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
Agenda What is Compliance? Risk and Compliance Management

Agenda What is Compliance? Risk and Compliance Management
Developing a Risk-Based Information Security Program

Developing a Risk-Based Information Security Program
Presentation by Rachel Su’a

Presentation by Rachel Su’a
Massachusetts Digital Government Summit October 19, 2009 IT Management Frameworks An Overview of ISO 27001:2005.

Massachusetts Digital Government Summit October 19, 2009 IT Management Frameworks An Overview of ISO 27001:2005.
New GAMP Good Practice Guide for Electronic Record and Signature Compliance Arthur D. Perez, Ph.D. Chairman, GAMP Americas.

New GAMP Good Practice Guide for Electronic Record and Signature Compliance Arthur D. Perez, Ph.D. Chairman, GAMP Americas.
Copyright 2005 CMMI and ITIL Alison Adams & Kieran Doyle.

Copyright 2005 CMMI and ITIL Alison Adams & Kieran Doyle.
RBM in the context of Operations and Programme and Project Management Material of the Technical Assistance Unit (TAU)

RBM in the context of Operations and Programme and Project Management Material of the Technical Assistance Unit (TAU)
Dr. Julian Lo Consulting Director ITIL v3 Expert

Dr. Julian Lo Consulting Director ITIL v3 Expert
ISO/IEC 27001 Winnie Chan BADM 559 Professor Shaw 12/15/2008.

ISO/IEC Winnie Chan BADM 559 Professor Shaw 12/15/2008.
Planning a measurement program What is a metrics plan? A metrics plan must describe the who, what, where, when, how, and why of metrics. It begins with.

Planning a measurement program What is a metrics plan? A metrics plan must describe the who, what, where, when, how, and why of metrics. It begins with.
By: Ashwin Vignesh Madhu

By: Ashwin Vignesh Madhu
CMMI Overview Quality Frameworks.

CMMI Overview Quality Frameworks.

Similar presentations

Ads by Google