Educause Security Discussion mailing list archives

Re: Executive IT Security Report


From: "Sturgis, John (John Sturgis)" <jsturgis () UTK EDU>
Date: Wed, 4 Feb 2015 16:28:59 +0000

Hi Dean,

I’m a big fan of maturity modeling combined with routine reporting. I’ve found senior management begins asking the right questions when they notice that one team/unit/silo is making more or less progress than others over time. This approach is best suited for a distributed/comparative environment.

If you’re able to roughly map your control sets to NIST areas, you may find their approach to measuring security program maturity helpful:
- NISTIR 7358, Program Review for Information Security Management Assistance (PRISMA) [http://www.nist.gov/customcf/get_pdf.cfm?pub_id=5090]

Additional resources that others on this list have recommended include:
- National Association of Corporate Directors (NACD) Cyber-Risk Oversight Handbook [http://www.nacdonline.org/cyber]
- IT and cybersecurity oversight [http://www.pwc.com/us/en/corporate-governance/annual-corporate-directors-survey/information-technology-cybersecurity-oversight.jhtml]
- KPMG Cyber Risk Areas of Focus for the Audit Committee [http://www.kpmg-institutes.com/institutes/aci/articles/2014/04/cyber-risk-areas-of-focus-for-the-audit-committee.html]
- Information Security Resources for Presidents and Senior Executives [http://www.educause.edu/library/resources/resources-presidents-and-senior-executives-information-security]
- Educause article, Cybersecurity: When Will We Know If What We Are Doing Is Working? [http://www.educause.edu/ero/article/cybersecurity-when-will-we-know-if-what-we-are-doing-working]
- CIS Quick Start Guide for CIS Consensus Security Metrics v1.0.0 [http://benchmarks.cisecurity.org/downloads/show-single/?file=metrics_guide.100]

I for one would love to see your finished product!

John P. Sturgis
Office of Audit and Compliance
The University of Tennessee


On Feb 4, 2015, at 10:26 AM, Dean Halter <dean.halter () NOTES UDAYTON EDU> wrote:

We are being asked to provide our senior management with a meaningful monthly report to demonstrate how we are doing currently and improvement over time with respect to IT security. Have any of you identified a good set of metrics you use for this purpose? If any of you have a report that you use for this purpose that you would be willing to share, it would be greatly appreciated.

Thanks,
Dean
___________
Dean Halter, CISA, CISSP
IT Risk Management Officer, UDit
University of Dayton

"Security is a process, not a product."  Bruce Schneier
