MANAGEMENT of INFORMATION SECURITY Fifth Edition PERFORMANCE MEASUREMENT

PERFORMANCE MEASUREMENT IN INFOSEC MANAGEMENT
Management of Information Security, 5th Edition, © Cengage Learning 2

Performance Measures in InfoSec Management
• While CISOs sometimes claim that the costs, benefits, and performance of InfoSec are almost impossible to measure, in fact they are measurable
• Doing so requires the design and ongoing use of an InfoSec performance management program based on effective performance metrics

InfoSec Performance Management
• Information security performance management is the process of designing, implementing, and managing the use of the collected data elements (called measures or metrics) to determine the effectiveness of the overall security program
• Performance measurements (or measures) are data points or computed trends that may indicate the effectiveness of security countermeasures or controls, technical and managerial, as implemented in the organization

InfoSec Performance Management
• Organizations use three types of measurements:
– Those that determine the effectiveness of the execution of InfoSec policy (like ISSPs)
– Those that determine the effectiveness and/or efficiency of the delivery of information security services
– Those that assess the impact of an incident or other security event on the organization or its mission

InfoSec Performance Management
• According to NIST SP 800-55 Rev. 1, Performance Measurement Guide for Information Security, the following factors must be considered during development and implementation of an information security performance management program:
– Measurements must yield quantifiable information (percentages, averages, and numbers)
– Data that supports the measurements needs to be readily obtainable
– Only repeatable information security processes should be considered for measurement
– Measurements must be useful for tracking performance and directing resources

InfoSec Performance Management
• Also according to SP 800-55 Rev. 1, four factors are critical to the success of an information security performance program:
– Strong upper-level management support
– Practical InfoSec policies and procedures
– Quantifiable performance measurements
– Results-oriented measurement analysis

InfoSec Performance Management
• When an organization applies statistical and quantitative approaches of mathematical analysis to the process of measuring the activities and outcomes of the InfoSec program, it is using InfoSec metrics
• In some organizations, the terms metrics and measures are interchangeable. In others, the term "metrics" is used for more granular, detailed measurements, while the term "measurements" is used for aggregate, higher-level results

InfoSec Performance Management
• Before beginning the process of designing, collecting, and using measures, the CISO should be prepared to answer the following questions:
– Why should these measurements be collected?
– What specific measurements will be collected?
– How will these measurements be collected?
– When will these measurements be collected?
– Who will collect these measurements?
– Where (at what point in the function's process) will these measurements be collected?

Building the Performance Measurement Program
• Even with strong management support, an information security measures program, as part of a security performance management program, must be able to demonstrate value to the organization
• One of the most popular among the many references that support the development of process improvement and performance measures programs is the Capability Maturity Model Integrated (CMMI) from the CMMI Institute at Carnegie Mellon

Building the Performance Measures Program
• Another popular approach is NIST SP 800-55 Rev. 1, Performance Measurement Guide for Information Security. This process is divided into two major activities:
– Identification and definition of the current InfoSec program
– Development and selection of specific measures to gauge the implementation, effectiveness, efficiency, and impact of the security controls

InfoSec Measures Development Process (figure slide)

Specifying InfoSec Measurements
• One of the critical tasks in the measurement process is to assess and quantify what will be measured
• While InfoSec planning and organizing activities may only require time estimates, you must obtain more detailed measurements when assessing the effort spent to complete production tasks and the time spent completing project tasks
• Measurements collected from production statistics depend greatly on the number of systems and the number of users of those systems
• Collecting measurements about project activities may be even more challenging, as the organization needs some mechanism to link the outcome of each project, in terms of loss control or risk reduction, to the resources consumed

Collecting InfoSec Measures
• Some thought must go into the processes used for data collection and record keeping
• Once the question of what to measure is answered, the how, when, where, and who questions of metrics collection must be addressed
• Designing the collection process requires thoughtful consideration of the intent of the metric along with a thorough knowledge of how production services are delivered

Measurements Development Approach
• One of the priorities in building an information security measurement program is determining whether the measures will be macro-focus or micro-focus, or some combination thereof
– Macro-focus measurements examine the performance of the overall security program
– Micro-focus measurements examine the performance of an individual control or group of controls within the information security program
• What is important is that the measurements are specifically tied to individual InfoSec goals and objectives

Measurement Prioritization and Selection
• Because organizations seem to manage what they measure, it is important to ensure that individual metrics are prioritized in the same manner as the processes they measure
• This can be achieved with a simple low-, medium-, or high-priority ranking system, or with a weighted-scale approach, which involves assigning values to each measure based on its importance in the overall information security program, on the overall risk mitigation goals, and on the criticality of the systems
• While there are literally hundreds of measurements that could be used, only those associated with appropriate-level priority activities should be incorporated

Establishing Performance Targets
• Performance targets make it possible to define success in the security program
• Many InfoSec performance measurement targets are represented by a 100% target goal
• Other types of performance measures, such as those used to determine the relative effectiveness, efficiency, or impact of information security on the organization's goals, tend to be more subjective and require solid native and subjective reasoning
• One of the fundamental challenges in InfoSec performance measurement is defining effective security; in other words, when is InfoSec effective?

Performance Measurement Template and Instructions (figure slides)

Performance Measurement Example (figure slide)

Examples of Possible Security Performance Measures
• Percentage of the organization's information systems budget devoted to information security
• Percentage of high vulnerabilities mitigated within organizationally defined time periods after discovery
• Percentage of remote access points used to gain unauthorized access
• Percentage of information systems personnel that have received security training
• Average frequency of audit records review and analysis for inappropriate activity
• Percentage of new systems that have completed certification and accreditation prior to their implementation
• Percentage of approved and implemented configuration changes identified in the latest automated baseline configuration
• Percentage of information systems that have conducted annual contingency plan testing
• Percentage of users with access to shared accounts
• Percentage of incidents reported within the required time frame per applicable incident category
• Percentage of system components that undergo maintenance in accordance with formal maintenance schedules

Examples of Possible Security Performance Measures (cont.)
• Percentage of media that passes sanitization procedures testing
• Percentage of physical security incidents allowing unauthorized entry into facilities containing information assets
• Percentage of employees who are authorized access to information systems only after they sign an acknowledgment that they have read and understood the appropriate policies
• Percentage of individuals screened before being granted access to organizational information and information systems
• Percentage of vulnerabilities remediated within organization-specified time frames
• Percentage of system and service acquisition contracts that include security requirements and/or specifications
• Percentage of mobile computers and devices that perform all cryptographic operations using organizationally specified cryptographic modules operating in approved modes of operation
• Percentage of operating system vulnerabilities for which patches have been applied or that have been otherwise mitigated

InfoSec Performance Measurement Implementation
• Once developed, information security performance measurements must be implemented and integrated into ongoing information security management operations
• For the most part, it is insufficient to simply collect these measures once
• Performance measurement is an ongoing, continuous improvement operation

NIST InfoSec Performance Measurement Implementation
• Phase 1: Prepare for data collection; identify, define, develop, and select InfoSec measures
• Phase 2: Collect data and analyze results; collect, aggregate, and consolidate metric data, and compare measurements with targets (gap analysis)
• Phase 3: Identify corrective actions; develop a plan to serve as the roadmap for closing the gap identified in Phase 2
• Phase 4: Develop the business case
• Phase 5: Obtain resources; address the budgeting cycle for acquiring resources needed to implement the remediation actions identified in Phase 3
• Phase 6: Apply corrective actions; close the gap by implementing the recommended corrective actions in the security program or in the security controls
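The following Python script is an added worked example, not code from the textbook or from NIST SP 800-55. It implements one of the measures listed above ("percentage of high vulnerabilities mitigated within organizationally defined time periods after discovery") over a set of vulnerability records, then performs the Phase 2 gap analysis against a target and ranks the gaps with the weighted-scale prioritization described earlier, which is the input Phase 3 needs. The remediation windows, targets, priority weights, record identifiers and dates are all constructed for the example; an organization would substitute its own.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Organizationally defined remediation windows in days, by severity.
# Hypothetical values chosen for this example; an organization sets its own.
REMEDIATION_WINDOW_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Weighted-scale priority of each measure (hypothetical: 3 = high, 2 = medium, 1 = low).
MEASURE_PRIORITY = {"critical": 3, "high": 3, "medium": 2}

# Performance target for each measure, as a percentage (hypothetical).
MEASURE_TARGET_PCT = {"critical": 100.0, "high": 95.0, "medium": 90.0}


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    severity: str
    discovered: date
    remediated: Optional[date]  # None while the finding is still open


@dataclass(frozen=True)
class GapEntry:
    measure: str
    value_pct: Optional[float]     # None when no finding was due for measurement
    target_pct: float
    gap_pct: Optional[float]       # target minus value, floored at zero
    weighted_gap: Optional[float]  # gap times priority weight, used to rank corrective actions


def pct_remediated_within_window(vulns, severity, as_of):
    """Percentage of `severity` findings remediated within the defined window.

    Only findings whose window has already elapsed as of `as_of` are counted
    ("due"), so a finding discovered yesterday cannot pull the measure down
    before it has had a chance to be fixed. A due finding that is still open
    counts as a miss. Returns None when nothing was due.
    """
    window = REMEDIATION_WINDOW_DAYS[severity]
    due = [v for v in vulns
           if v.severity == severity and (as_of - v.discovered).days >= window]
    if not due:
        return None
    on_time = sum(1 for v in due
                  if v.remediated is not None
                  and (v.remediated - v.discovered).days <= window)
    return 100.0 * on_time / len(due)


def gap_report(vulns, as_of):
    """Phase 2 gap analysis: compare each measure with its target and rank the gaps."""
    entries = []
    for severity, target in MEASURE_TARGET_PCT.items():
        value = pct_remediated_within_window(vulns, severity, as_of)
        gap = None if value is None else max(0.0, target - value)
        weighted = None if gap is None else gap * MEASURE_PRIORITY[severity]
        name = (f"% of {severity} vulnerabilities remediated within "
                f"{REMEDIATION_WINDOW_DAYS[severity]} days")
        entries.append(GapEntry(name, value, target, gap, weighted))
    # Largest weighted gap first; measures with no data go to the end.
    return sorted(entries,
                  key=lambda e: -1.0 if e.weighted_gap is None else e.weighted_gap,
                  reverse=True)


AS_OF = date(2024, 3, 31)  # constructed reporting date

# Constructed sample records; identifiers and dates are invented for the example.
SAMPLE_VULNS = [
    Vulnerability("VULN-001", "high", date(2024, 1, 5), date(2024, 1, 20)),      # 15 days: on time
    Vulnerability("VULN-002", "high", date(2024, 1, 10), date(2024, 2, 25)),     # 46 days: late
    Vulnerability("VULN-003", "high", date(2024, 2, 1), None),                   # open and overdue
    Vulnerability("VULN-004", "high", date(2024, 3, 20), None),                  # open, window not elapsed: not due
    Vulnerability("VULN-005", "critical", date(2024, 3, 1), date(2024, 3, 5)),   # 4 days: on time
    Vulnerability("VULN-006", "critical", date(2024, 3, 10), date(2024, 3, 20)), # 10 days: late
    Vulnerability("VULN-007", "medium", date(2024, 2, 15), None),                # window not elapsed: not due
]

if __name__ == "__main__":
    for e in gap_report(SAMPLE_VULNS, AS_OF):
        shown = "n/a" if e.value_pct is None else f"{e.value_pct:.1f}%"
        print(f"{e.measure}: {shown} (target {e.target_pct:.0f}%, weighted gap {e.weighted_gap})")
```

The "due" rule is a design choice worth making explicit in the measure's template: without it, a burst of newly discovered findings would depress the percentage in the same reporting period, which says nothing about remediation performance. Running the script on the sample records gives 33.3% for high (one of three due findings on time) against a 95% target, 50% for critical against 100%, and no value yet for medium, so the weighted ranking puts the high-severity measure first for corrective action.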

Implementing the InfoSec Measurement Program (figure slide)

Reporting InfoSec Performance Measurements
• In most cases, simply listing the measurements collected does not adequately convey their meaning
• In addition, you must make decisions about how to present correlated metrics
• The CISO must also consider to whom the results of the performance measures program should be disseminated, and how they should be delivered

Security Dashboard (figure slide)