Business >> Tuesday August 19, 2008
Leading the Way

Measuring information security success

PRICEWATERHOUSECOOPERS

Information security practitioners face a dilemma in assessing how well they do their job: when nothing happens, they are seen to have done their job as expected. But when something does happen, the damage may be irreversible and they are seen to have done a poor job. So how can they assess their performance in a more practical, ongoing manner? The answer is "security metrics".

Security metrics help quantify and measure security operations, transforming policies into action and measuring performance. They facilitate decision-making and improve performance and accountability. They can help management decide where to invest and can identify nonproductive controls. But metrics have to be specific and measurable and must correlate with business risks.

Organisations need a long-term strategy for common information security effectiveness metrics. This includes translating objectives into quantifiable metrics, measuring the current state against these, and establishing targets in information security effectiveness.

However, despite the benefits of security metrics, 72% of the 7,200 IT, security and business executives surveyed in 2007 by PwC did not include them in their information security programmes.

If your organisation is in this majority, we recommend you start by developing specific metrics for different audiences.

One audience could be the board of directors. Metrics for this audience could include: estimated loss from all security incidents; percentage of strategic partners or other third parties for which security requirements have been implemented; and percentage of internal and external audit issues that have not been resolved.

For management, metrics could cover: security compliance reviews showing no violations; systems and application reviews in compliance with segregation-of-duties principles; and systems with unauthorised third-party access. A further metric could be the time taken to resolve security incidents.

The technical audience metrics could revolve around: unpatched systems; systems with weak password policies; and machines affected by viruses.

The metrics should not be burdensome in quantity or in measurement technique. However, they must be quantifiable and broad in range. All areas should be covered, including information security administration, monitoring, awareness, policy management and regulatory compliance.

Once the metrics are established, a baseline study should gather as many of them as possible. Input could come from industry benchmarks or peer studies as well as from a survey of the company. Some metrics cannot be measured at this stage; for instance, some will require data that is not yet gathered or tracked. These areas should be noted and appropriate measurement procedures developed. The baseline study should result in a consolidated current-state baseline of quantifiable measurements.

The baseline study's current state information will provide averages and typical attributes of information security activities. For each metric, a target range, where applicable, should be set. For instance, the target time for resolving security incidents may be eight to 24 hours. Some metrics, such as "number of viruses detected", will not have targets. These metrics and targets should be consolidated into a simple measurement and reporting process.

The final step is to communicate the new metrics to IT. The reporting process should be enhanced to include these metrics.

So how are these steps implemented in a real organisation? In one case study, the management of a large organisation wanted to know if data had been stolen and whether their systems had been accessed by unauthorised users. To help them assess this, a system was built to identify ways data could be leaked, and ways unauthorised access could be gained to their systems.

The security team worked to define how they would know if an incident had occurred. They developed quantifiable metrics for types of data leakage and unauthorised access including: attempted unauthorised access to critical systems; attempted unauthorised access by external users to protected network resources; attempted data leak through shared drives and databases; attempted data leaks via e-mail, instant messaging and USB.

To test the indicators, they captured data from their existing security information management system, data leakage protection and endpoint security tools. After the tests, they could define the input feed and interface frequency for each incident type.
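As an added illustration (not code from the article or from PwC), the following Python counts the four indicator types from the case study over a few constructed tool events, and checks incident resolution times against the eight-to-24-hour target range mentioned earlier. The event line format, host names and critical-system list are assumptions made up for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not real data): "timestamp type key=value ..." per line.
SAMPLE_EVENTS = """\
2008-08-18T09:10:00 auth host=db-core-01 user=jsmith result=FAIL src=10.0.5.20 zone=internal
2008-08-18T09:12:00 auth host=db-core-01 user=jsmith result=FAIL src=10.0.5.20 zone=internal
2008-08-18T09:30:00 auth host=vpn-gw user=unknown result=FAIL src=203.0.113.9 zone=external
2008-08-18T10:00:00 auth host=hr-share user=mlee result=OK src=10.0.7.3 zone=internal
2008-08-18T11:05:00 dlp channel=email user=mlee verdict=BLOCK policy=customer-data
2008-08-18T11:40:00 dlp channel=usb user=kwong verdict=BLOCK policy=source-code
2008-08-18T13:00:00 dlp channel=shared-drive user=kwong verdict=BLOCK policy=customer-data
"""
CRITICAL_HOSTS = {"db-core-01", "erp-app-01"}  # assumption: the organisation's critical-system list
TARGET_RESOLVE_HOURS = (8, 24)                  # target range quoted in the article

def parse_events(text):  # split each constructed line into a dict of fields
    events = []
    for line in text.splitlines():
        ts, kind, *pairs = line.split()
        ev = {"ts": ts, "type": kind}
        ev.update(kv.split("=", 1) for kv in pairs)
        events.append(ev)
    return events

def indicator_counts(events):  # the four case-study indicators, one count each
    c = Counter()
    for ev in events:
        if ev["type"] == "auth" and ev.get("result") == "FAIL":
            c["unauth_access_critical"] += ev.get("host") in CRITICAL_HOSTS
            c["unauth_access_external"] += ev.get("zone") == "external"
        elif ev["type"] == "dlp" and ev.get("verdict") == "BLOCK":
            storage = ev.get("channel") in ("shared-drive", "database")
            c["leak_storage" if storage else "leak_endpoint"] += 1  # e-mail, IM, USB
    return dict(c)

INCIDENTS = [  # constructed (opened, closed) pairs for the resolution-time metric
    ("2008-08-18T09:15:00", "2008-08-18T20:15:00"),  # 11 h, within target
    ("2008-08-18T11:05:00", "2008-08-19T15:05:00"),  # 28 h, over target
    ("2008-08-18T13:00:00", "2008-08-18T16:00:00"),  # 3 h, below the range
]

def resolution_metric(incidents, target=TARGET_RESOLVE_HOURS):  # mean hours vs. target
    hours = [(datetime.fromisoformat(c) - datetime.fromisoformat(o)).total_seconds() / 3600
             for o, c in incidents]
    low, high = target
    return {"mean_hours": sum(hours) / len(hours),
            "within_target": sum(low <= h <= high for h in hours),
            "over_target": sum(h > high for h in hours)}
```

The "number of viruses detected" style metrics from the article have no target, so only the counts would be reported for them; the resolution-time metric shows how a target range turns a raw measurement into a pass/fail figure for management.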

The survey results were then used as a baseline to compare against metrics from other sources. After testing their security system, they produced a risk report for management on a real-time basis. The metrics were then communicated to the IT section, which rolled out the system to the entire organisation.

As a result, the management team could measure security performance on a real-time basis and compare it against industry peers. This helped them realise the value of their security investment, prioritise IT projects and create better awareness of security issues among staff.

Security metrics report how well policies, standards and controls are functioning, and whether outcomes are achieved as planned. It is important to have metrics to help measure the business impact of security activities and events. What can't be measured can't be effectively managed.

-----

Vilaiporn Taweelappontong is a Partner at PricewaterhouseCoopers Mekong, which comprises offices in Thailand, Vietnam, Cambodia and Laos. For more information on our services, please visit http://www.pwc.com/th. We welcome your comments at leadingtheway@th.pwc.com


© Copyright The Post Publishing Public Co., Ltd. 1996-2008