Security Basics mailing list archives

Re: Management security report


From: Pierre Cadieux <hobbit () theshire com>
Date: Thu, 13 Mar 2008 08:52:18 -0700

Hi Patrick,

This is a good initiative and I wish you luck. It can be difficult to get started, but the added visibility is critical. Some suggestions:

Find out what your management is concerned about, and educate them on some of the things that concern you; hopefully you're on the same page, or close to it. If they are concerned with (for example) the number of incidents over the past quarter, that would be a good statistic to start with.

Keep things high level and targeted at your audience. I'm not sure whether this is technical management or business management; either way, you don't want to go into the details in your high-level report, but make them aware that you would be happy to discuss these further in detail as requested.

Depending on what services your security team provides, those could also be obvious things to present (if you have a security awareness program, how many people attended the last training, how many classes have been held so far in the year, if you have a service to assess all new applications or deployments, then you can show the number of projects that have been assessed, the number of items identified or remediated, etc.).

If you can, chart the progress you are making "up and to the right": business execs especially are used to seeing good news going in this direction, so even if you are (for example) reducing the number of vulnerable systems on your network, make the chart display the progress with a positive spin.

->Pierre



Patrick A Hendrick wrote:
I know this has come across this list before, but I would appreciate any feedback. I want to begin giving either monthly or quarterly security reports to management. I'm curious if there are standards for these types of reports, such as what should be included. I'm afraid that I would get too detailed. What items do you recommend being in a management security report?
