Security Basics mailing list archives
Re: Management security report
From: krymson () gmail com
Date: 13 Mar 2008 21:33:47 -0000
I would recommend browsing "Security Metrics: Replacing Fear, Uncertainty, and Doubt" by Andrew Jaquith [1]. There are some good chapters going over some security metrics and ways to present them to management teams. Scorecards are a great means to do this, or maybe scoring yourself against various standards that you need to be compliant with.

One thing I think Andrew leaves out that might be putting FUD back into the equation is reporting on the levels of attacks your network is experiencing, at least from the outside world. An IDS/IPS and even a firewall can help with this. I like this report only because it helps show that even if you're scoring A's across the board, you're not sitting in some quiet part of the Internet ocean and can ratchet down the security budgets. You're really stopping things and there really are risks.

I include this only to give another idea for ya.

[1] http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1205444668&sr=8-1

<- snip ->

> I know this has come across this list before, but I would appreciate any feedback. I want to begin giving either monthly or quarterly security reports to management. I'm curious if there are standards for these types of reports, such as what should be included. I'm afraid that I would get too detailed. What items do you recommend being in a management security report?