Re: Executive IT Security Report

[Wendy Wallman <wwallman () ROCHESTER RR COM>]

Vendor created PowerPoint template for "having the security conversation with your board" may be of help so you don't 
have to start from scratch

http://www.skyhighnetworks.com/offers/tp-cloud-usage-for-board/

Sent from my iPhone

> On Feb 4, 2015, at 11:34 AM, Brad Judy <brad.judy () CU EDU> wrote:
>
> I don’t have a great dashboard or template for you, but I’ll kick in my two cents on this type of reporting. 
>  
> 1.       Any metric must somehow be a meaningful representation of reducing some aspect of institutional risk.  If 
> you can’t articulate how a metric makes a meaningful impact to institutional risk in a realistic way (no FUD, 
> security theater, etc.) then don’t include it. 
> 2.       Any metric must be something within either your direct control or influence
> a.       Never report on things that are mostly random number like “number of attacks” – such things ebb and flow and 
> don’t demonstration your team/program’s effectiveness.  While some security reports talk about metrics like “time to 
> detect an incident”, such a metric is a hybrid factor combining security monitoring and the sophistication of the 
> attackers.  If all attacks were equal, it’s a measure of your security program, but they aren’t.
> b.      What is a metric that trends in a particular direction when your program/team is successful?  Do they have 
> any projects/initiatives that have a good metric for progress towards a goal?
>                                                                i.      Percentage of systems that meet a baseline 
> security standard (within a realistic scope – maybe central IT servers or all servers)
>                                                              ii.      Percentage of laptops with whole disk encryption
>                                                             iii.      Percentage of systems/servers participating in 
> X security effort (DLP, authenticated vulnerability scans, centralized logging, etc.)
>                                                            iv.      Number of PII records stored in the ERP system 
> (if you have a goal of risk reduction via data reduction)
>                                                              v.      Percentage of high/critical vulnerabilities 
> patched or mitigated within your standard for patch window (may require fairly sophisticated config 
> monitoring/management to measure accurately).
>  
> Keep the list of metrics short and ensure each has a 2-3 sentence description of how it reflects institutional risk 
> reduction in a tangible and realistic way.  Each should also note a goal level to achieve or maintain. 
>  
> Brad Judy
>  
>  
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dean 
> Halter
> Sent: Wednesday, February 04, 2015 8:26 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Executive IT Security Report
>  
> We are being asked to provide our senior management with a meaningful monthly report to demonstrate how we are doing 
> currently and improvement over time with respect to IT security.  Have any of you identified a good set of metrics 
> you use for this purpose?  If any of you have a report that you use for this purpose that you would be willing to 
> share, it would be greatly appreciated.
>  
> Thanks, 
> Dean
> ___________
> Dean Halter, CISA, CISSP
> IT Risk Management Officer, UDit
> University of Dayton
>  
> "Security is a process, not a product."  Bruce Schneier