© Almerindo Graziano Information Security Metrics

Page 1: Information Security Metrics

Page 2: Why Measure Information Security

• Improve accountability for security
• Better administer the “security” budget
• Allow to measure success/failure of investments made
• Give a business value to security
• Assess effectiveness of implemented processes, procedures and controls
• Standards compliance (ISO 27001)

Page 3: Why Measure Information Security (2)

• Ability to isolate problems
• End up with data you can reuse :-)
• Benchmarking
• Ability to track the risk profile
• Show commitment to proactive information security

Page 4: Security Metrics? What's That?

• No shared understanding of:
  • What they mean
  • What we can/should measure
  • How to define them
  • What to do with the measurement

Page 5: Defining Security Metrics

Many definitions: quantitative vs qualitative, thinkers vs feelers, simple vs complex.

“Metrics are a system of parameters or ways of quantitative and periodic assessment of a process that is to be measured, along with the procedures to carry out such measurement and the procedures for the interpretation of the assessment in the light of previous or comparable assessments.” (Wikipedia)

“Monitor and measure implementation effectiveness of security controls within the context of the security program.” (NIST)

Page 6: Lots to Measure Here!

What can be measured:
• Information Security Management System
• Management processes
• Business processes
• Procedures
• Policies
• Technical controls

What can be measured about them:
• Level of implementation
• Effectiveness/efficiency
• Impact
• User compliance
• etc.

Page 7: Classification of Security Metrics

NIST
• Implementation, effectiveness/efficiency, impact
• 17 security control families
• Time dimension

BSI (ISO 27001)
• Management controls, business processes, operational controls, technical controls, audits, review and testing
• 11 control objectives
• Implementation, effectiveness and performance

Page 8: Security Metrics for ISO 27001

Page 9: Developing Security Metrics I (NIST)

1) Implementation metrics
2) Effectiveness and efficiency metrics
3) Impact metrics

What do we measure? Single controls or multiple controls.

Page 10: Developing Security Metrics II (BSI-ISO 27001)

ISMS metrics
• Performance and effectiveness
• Not implementation

Controls metrics
• Effectiveness and implementation
• A control or groups of controls

Page 11: What's in a Metric

Page 12: Conclusions...

• Adopt a security metrics model (NIST/BSI)
  • Definitions included
  • Support for metrics development and follow-up
• What to measure
  • Not necessarily control specific
  • May aggregate more than one control according to goals
  • Start with high-priority controls/goals first
  • Linked to business objectives (involve stakeholders)

Page 13: ...conclusions

• Types of metrics: implementation, effectiveness, efficiency and impact
• Implementation may be phased according to the system's maturity
• Remember data may not be available
• Start from processes that are stable and from which data can be realistically obtained

Page 14: References

• NIST SP 800-80, Guide for Developing Performance Metrics for Information Security (2006). Metrics templates and examples.
• NIST SP 800-55, Security Metrics Guide for Information Technology Systems (2003). Security metrics programme, sample IT security metrics.
• Humphreys T., Plate A. (2006). Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001. British Standards Institution. PDCA model, sample metrics.
• Security Metrics portal: http://teaching.shu.ac.uk/aces/ag/securitymetrics/