Security Basics mailing list archives

Re: Management security report


From: krymson () gmail com
Date: 13 Mar 2008 21:33:47 -0000

I would recommend browsing "Security Metrics: Replacing Fear, Uncertainty, and Doubt" by Andrew Jaquith [1]. There are 
some good chapters going over some security metrics and ways to present them to management teams. Scorecards are a 
great means to do this, or maybe scoring yourself against various standards that you need to be compliant with.

One thing I think Andrew leaves out that might be putting FUD back into the equation is reporting on the levels of 
attacks your network is experiencing, at least from the outside world. An IDS/IPS and even a firewall can help with 
this. I like this report only because it helps show that even if you're scoring A's across the board, you're not 
sitting in some quiet part of the Internet ocean and can ratchet down the security budgets. You're really stopping 
things and there really are risks. I include this only to give another idea for ya.


[1] 
http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1205444668&sr=8-1


<- snip ->
I know this has come across this list before, but I would appreciate any 
feedback. I want to begin giving either monthly or quarterly security 
reports to management. I'm curious if there are standards for these 
types of reports, such as what should be included. I'm afraid that I 
would get too detailed. What items do you recommend being in a 
management security report?

