Educause Security Discussion mailing list archives
Re: Executive IT Security Report
From: "Sturgis, John (John Sturgis)" <jsturgis () UTK EDU>
Date: Wed, 4 Feb 2015 16:28:59 +0000
Hi Dean,

I’m a big fan of maturity modeling combined with routine reporting. I’ve found senior management begins asking the right questions when they notice that one team/unit/silo is making more or less progress than others over time. This approach is best suited for a distributed/comparative environment.

If you’re able to roughly map your control sets to NIST areas, you may find their approach to measuring security program maturity helpful:

- NISTIR 7358, Program Review for Information Security Management Assistance (PRISMA) [http://www.nist.gov/customcf/get_pdf.cfm?pub_id=5090]

Additional resources that others on this list have recommended include:

- National Association of Corporate Directors (NACD) Cyber-Risk Oversight Handbook [http://www.nacdonline.org/cyber]
- IT and cybersecurity oversight [http://www.pwc.com/us/en/corporate-governance/annual-corporate-directors-survey/information-technology-cybersecurity-oversight.jhtml]
- KPMG Cyber Risk Areas of Focus for the Audit Committee [http://www.kpmg-institutes.com/institutes/aci/articles/2014/04/cyber-risk-areas-of-focus-for-the-audit-committee.html]
- Information Security Resources for Presidents and Senior Executives [http://www.educause.edu/library/resources/resources-presidents-and-senior-executives-information-security]
- Educause article, Cybersecurity: When Will We Know If What We Are Doing Is Working? [http://www.educause.edu/ero/article/cybersecurity-when-will-we-know-if-what-we-are-doing-working]
- CIS Quick Start Guide for CIS Consensus Security Metrics v1.0.0 [http://benchmarks.cisecurity.org/downloads/show-single/?file=metrics_guide.100]

I for one would love to see your finished product!

John P. Sturgis
Office of Audit and Compliance
The University of Tennessee

On Feb 4, 2015, at 10:26 AM, Dean Halter <dean.halter () NOTES UDAYTON EDU<mailto:dean.halter () NOTES UDAYTON EDU>> wrote:

> We are being asked to provide our senior management with a meaningful monthly report to demonstrate how we are doing currently and improvement over time with respect to IT security. Have any of you identified a good set of metrics you use for this purpose? If any of you have a report that you use for this purpose that you would be willing to share, it would be greatly appreciated.
>
> Thanks,
> Dean
>
> ___________
> Dean Halter, CISA, CISSP
> IT Risk Management Officer, UDit
> University of Dayton
> "Security is a process, not a product." Bruce Schneier
Current thread:
- Executive IT Security Report Dean Halter (Feb 04)
- Re: Executive IT Security Report Bonnie Johnson (Feb 04)
- Re: Executive IT Security Report Sturgis, John (John Sturgis) (Feb 04)
- Re: Executive IT Security Report Brad Judy (Feb 04)
- Re: Executive IT Security Report Wendy Wallman (Feb 04)
- Re: Executive IT Security Report Joel L. Rosenblatt (Feb 04)
- Re: Executive IT Security Report Jim Dillon (Feb 04)
- Re: Executive IT Security Report David Earley (Feb 04)
- Re: Executive IT Security Report Gabriel A DeLeon (Feb 04)
- <Possible follow-ups>
- Re: Executive IT Security Report Dean Halter (Feb 05)