Educause Security Discussion mailing list archives

Balanced Scorecard metrics for Information Security (Policy) group


From: James H Moore <jhmfa () RIT EDU>
Date: Tue, 6 Jun 2006 10:15:32 -0400

Our division (Finance and Administration) has adopted the "Balanced Scorecard" 
(http://www.balancedscorecard.org/basics/bsc1.html) as a management system.  
It has 4 main components:
*       The Learning and Growth Perspective
*       The Business Process Perspective
*       The Customer Perspective
*       The Financial Perspective
 
I know that CIO magazine discussed its use in IT in an article in 2002 
(http://www.cio.com/archive/051502/scorecard.html).
 
I am stuck.  Our office is primarily a strategy, policy and education office (with a small amount of risk assessment 
and investigations leadership) -- 4 people incl. 1 student worker.
 
I am trying to come up with meaningful metrics in these areas.  With education we can measure some customer 
satisfaction.  We can do some things (but I am not sure what, yet) with the Learning and Growth perspective from 
lessons learned from incidents.
 
I have been told that other universities are using the "Balanced Scorecard".  Anyone else in a like position willing to 
share their metrics?  Anyone not using balanced scorecard that is willing to share their security metrics?
 
Will summarize to this group.
 
Thanks,
 
Jim
 - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax) 

"We will have a chance when we are as efficient at communicating information security best practices, as hackers and 
criminals are at sharing attack information"  - Peter Presidio


 
