E-book, English, 200 pages
Krag Brotby, CISM: Information Security Management Metrics
Year of publication: 2012
ISBN: 978-1-4200-5286-2
Publisher: Taylor & Francis
Format: PDF
Copy protection: Adobe DRM
A Definitive Guide to Effective Security Monitoring and Measurement
Spectacular security failures continue to dominate the headlines despite huge increases in security budgets and ever-more draconian regulations. The 20/20 hindsight of audits is no longer an effective solution to security weaknesses, and the necessity for real-time strategic metrics has never been more critical.
Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement offers a radical new approach for developing and implementing security metrics essential for supporting business activities and managing information risk. This work provides anyone with security and risk management responsibilities insight into these critical security questions:
- How secure is my organization?
- How much security is enough?
- What are the most cost-effective security solutions?
You can’t manage what you can’t measure
This volume shows readers how to develop metrics that can be used across an organization to ensure its information systems are functioning, secure, and supportive of the organization's business objectives. It provides a comprehensive overview of security metrics, surveys the metrics currently in use, and examines promising new developments. Later chapters explore ways to develop effective strategic and management metrics for information security governance, risk management, program implementation and management, and incident management and response.
The book links every facet of security an organization requires to its business objectives and provides metrics to measure each. Case studies demonstrate specific ways that metrics can be implemented across an enterprise to maximize business benefit.
With three decades of enterprise information security experience, author Krag Brotby presents a workable approach to developing and managing cost-effective enterprise information security.
Target audience
Anyone with security and risk management responsibilities
Further information & material
Introduction
Governance
Metrics Overview
Defining Security
Is there a solution?
SECURITY METRICS OVERVIEW
Metrics and Objectives
Information Security
Security
Why the IT metric focus
Other assurance functions
Stakeholders
SECURITY METRICS
Security Program Effectiveness
Types of Metrics
Information Assurance / Security Metrics Classification
Monitoring vs. Metrics
CURRENT STATE OF SECURITY METRICS
Quantitative Measures and Metrics
Performance Metrics
Financial Metrics
Return on Security Investment (ROSI)
A new ROSI model
Security Attribute Evaluation Method (SAEM)
Cost-Effectiveness Analysis
Fault Tree Analysis
Value at Risk (VAR)
ALE / SLE
Other Value Metrics
Limitations of existing approaches
Qualitative Security Metrics
Cultural Metrics
Risk Management through Cultural Theory
The Competing Values Framework
Organizational Structure
WIND
STORM
Hybrid Approaches
Systemic Security Management
Balanced Scorecard
The SABSA Business Attributes Approach
Quality Metrics
Six Sigma
ISO 9000
Quality of Security Service (QoSS)
Maturity Level
Benchmarking
Standards
OCTAVE
METRICS DEVELOPMENTS
Statistical Modeling
Phase Transitions in Operational Risk
Adequate Capital and Stress Testing for Operational Risks
Functional correlation approach to operational risk in banking organizations
Systemic Security Management
Value at Risk Analysis
Factor Analysis of Information Risk (FAIR)
Risk Factor Analysis
Probabilistic Risk Assessment (PRA)
RELEVANCE
Problem Inertia
Correlating Metrics to Consequences
THE METRICS IMPERATIVE
Study of ROSI of Security Measures
Resource Allocation
Managing without Metrics
ATTRIBUTES OF GOOD METRICS
Metrics Objectives
Measurement Categories
How can it be measured?
What is being measured?
Why is it measured?
Who are the recipients?
What does it mean?
What action is required?
INFORMATION SECURITY GOVERNANCE
Security Governance Outcomes
Defining Security Objectives
Sherwood Applied Business Security Architecture (SABSA)
CobiT
ISO 27001
Capability Maturity Model
Metrics and Strategy
Governance Metrics
Strategic Alignment
Risk Management
Value Delivery
Resource Management
Performance Measurement
Assurance Process Integration (convergence)
METRICS DEVELOPMENT – A DIFFERENT APPROACH
Activities Requiring Metrics
INFORMATION SECURITY GOVERNANCE METRICS
Strategic Security Governance Decisions
Strategic Security Governance Decision Metrics
Security Governance Management Decisions
Strategic Direction
Ensuring Objectives are Achieved
Managing Risks Appropriately
Using Resources Responsibly
Security Governance Operational Decisions
INFORMATION SECURITY RISK MANAGEMENT
Information Security Risk Management Decisions
Information Security Risk Management Metrics
Criticality of assets
Sensitivity of assets
The nature and magnitude of impacts
Vulnerabilities
Threats
Probability of Compromise
Strategic initiatives and plans
Acceptable levels of risk and impact
Information Security Operational Risk Metrics
Internal Fraud
External Fraud
Employment Practices and Workplace Safety
Clients, Products & Business Practice
Damage to Physical Assets
Business Disruption & Systems Failures
Execution, Delivery & Process Management
INFORMATION SECURITY PROGRAM DEVELOPMENT METRICS
Program Development Management Metrics
Program Development Operational Metrics
INFORMATION SECURITY PROGRAM MANAGEMENT METRICS
Security Management Decision Support Metrics
CISO Responsibilities
CISO Decisions
Strategic alignment
Case Study
Risk Management
Metrics for Risk Management
Organizational risk tolerance
Resource valuation
Comprehensive risk assessment
Effectiveness of mitigation efforts
Assurance Process Integration
Value Delivery
Resource Management
Performance Measurement
Information Security Management Operational Decision Support Metrics
IT and Information Security Management
Compliance Metrics
Criticality and Sensitivity
Risk Exposure
The state of compliance
Case Study
Personnel Competence
Resource adequacy
Metrics Reliability
Procedure functionality, efficiency, and appropriateness
Strategic Performance Measures
Tactical Performance Measures
Key Control Effectiveness
Control Reliability
Control Failure
Management Effectiveness
INCIDENT MANAGEMENT AND RESPONSE
Incident Management Decision Support Metrics
CONCLUSIONS
APPENDIX A. METRICS CLASSIFICATIONS
IA Program Developmental Metrics
Support Metrics
Operational Metrics
Effectiveness Metrics
Metrics for Strength Assessment
Metrics for Features in Normal Circumstances
Metrics for Features in Abnormal Circumstances
Metrics for Weakness Assessment
APPENDIX B. CULTURAL WORLDVIEWS
Hierarchists
Egalitarians
Individualists
Fatalists
APPENDIX C. THE COMPETING VALUES FRAMEWORK
Vertical: Stability/Flexibility
The Competing Values map
Hierarchy
Market
Adhocracy
APPENDIX D. THE ORGANIZATIONAL CULTURE ASSESSMENT INSTRUMENT (OCAI)
APPENDIX E. SABSA BUSINESS ATTRIBUTE METRICS
APPENDIX F. CAPABILITY MATURITY MODEL