Educause Security Discussion mailing list archives
Re: Executive IT Security Report
From: Wendy Wallman <wwallman () ROCHESTER RR COM>
Date: Wed, 4 Feb 2015 12:22:58 -0500
Vendor-created PowerPoint template for "having the security conversation with your board" may be of help so you don't have to start from scratch: http://www.skyhighnetworks.com/offers/tp-cloud-usage-for-board/

Sent from my iPhone
On Feb 4, 2015, at 11:34 AM, Brad Judy <brad.judy () CU EDU> wrote:

I don’t have a great dashboard or template for you, but I’ll kick in my two cents on this type of reporting.

1. Any metric must somehow be a meaningful representation of reducing some aspect of institutional risk. If you can’t articulate how a metric makes a meaningful impact to institutional risk in a realistic way (no FUD, security theater, etc.) then don’t include it.

2. Any metric must be something within either your direct control or influence.

   a. Never report on things that are mostly random numbers like “number of attacks” – such things ebb and flow and don’t demonstrate your team/program’s effectiveness. While some security reports talk about metrics like “time to detect an incident”, such a metric is a hybrid factor combining security monitoring and the sophistication of the attackers. If all attacks were equal, it’s a measure of your security program, but they aren’t.

   b. What is a metric that trends in a particular direction when your program/team is successful? Do they have any projects/initiatives that have a good metric for progress towards a goal?

      i. Percentage of systems that meet a baseline security standard (within a realistic scope – maybe central IT servers or all servers)
      ii. Percentage of laptops with whole disk encryption
      iii. Percentage of systems/servers participating in X security effort (DLP, authenticated vulnerability scans, centralized logging, etc.)
      iv. Number of PII records stored in the ERP system (if you have a goal of risk reduction via data reduction)
      v. Percentage of high/critical vulnerabilities patched or mitigated within your standard for patch window (may require fairly sophisticated config monitoring/management to measure accurately)

Keep the list of metrics short and ensure each has a 2-3 sentence description of how it reflects institutional risk reduction in a tangible and realistic way. Each should also note a goal level to achieve or maintain.
Brad Judy

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dean Halter
Sent: Wednesday, February 04, 2015 8:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Executive IT Security Report

We are being asked to provide our senior management with a meaningful monthly report to demonstrate how we are doing currently and improvement over time with respect to IT security. Have any of you identified a good set of metrics you use for this purpose? If any of you have a report that you use for this purpose that you would be willing to share, it would be greatly appreciated.

Thanks,
Dean

___________
Dean Halter, CISA, CISSP
IT Risk Management Officer, UDit
University of Dayton
"Security is a process, not a product." Bruce Schneier
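The metrics Brad Judy lists above (baseline coverage, laptop encryption, participation in a logging effort, and patch-window compliance) are only useful on a monthly report if they are computed the same way every month from inventory and scan data. The script below is an added example, not code from this thread or from any institution on it; it computes those metrics over a constructed inventory, and the `Host`/`Vuln` record layout, the 7-day critical and 30-day high patch windows, and all sample hosts and findings are assumptions made for the example. It also handles the edge case that makes the patch-window metric honest: an open finding that is still inside its window is reported as pending rather than counted against the team, while one past its deadline counts as overdue.

```python
"""Added example: program-effectiveness metrics from the thread, computed over a
constructed asset inventory. Record layout and patch windows are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Host:
    name: str
    kind: str                       # "server" or "laptop"
    meets_baseline: bool            # passes the institution's baseline standard
    disk_encrypted: Optional[bool]  # None when not applicable (servers here)
    central_logging: bool           # ships logs to the central collector


@dataclass
class Vuln:
    host: str
    severity: str                   # "critical", "high", "medium", ...
    found: date                     # first reported by the authenticated scan
    closed: Optional[date]          # patched or mitigated; None while still open


# Assumed remediation standard: how long after discovery a fix is due.
PATCH_WINDOW = {"critical": timedelta(days=7), "high": timedelta(days=30)}


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def baseline_coverage(hosts: List[Host], kind: Optional[str] = None) -> float:
    """Metric i: share of in-scope hosts meeting the baseline; `kind` narrows scope."""
    scope = [h for h in hosts if kind is None or h.kind == kind]
    return pct(sum(h.meets_baseline for h in scope), len(scope))


def encryption_coverage(hosts: List[Host]) -> float:
    """Metric ii: share of laptops with whole-disk encryption."""
    laptops = [h for h in hosts if h.kind == "laptop"]
    return pct(sum(bool(h.disk_encrypted) for h in laptops), len(laptops))


def logging_participation(hosts: List[Host], kind: str = "server") -> float:
    """Metric iii: share of hosts of one kind enrolled in centralized logging."""
    scope = [h for h in hosts if h.kind == kind]
    return pct(sum(h.central_logging for h in scope), len(scope))


def patch_window_compliance(vulns: List[Vuln], as_of: date) -> Dict[str, object]:
    """Metric v: high/critical findings remediated inside the patch window.

    Closed findings are compliant or late depending on the deadline; open
    findings are overdue once the deadline has passed and pending before it.
    Pending findings are excluded from the percentage because they are not due.
    """
    counts = {"compliant": 0, "late": 0, "overdue": 0, "pending": 0}
    for v in vulns:
        window = PATCH_WINDOW.get(v.severity)
        if window is None:
            continue                        # lower severities are out of scope
        deadline = v.found + window
        if v.closed is not None:
            counts["compliant" if v.closed <= deadline else "late"] += 1
        elif as_of > deadline:
            counts["overdue"] += 1
        else:
            counts["pending"] += 1
    measured = counts["compliant"] + counts["late"] + counts["overdue"]
    return {**counts, "measured": measured, "pct": pct(counts["compliant"], measured)}


# Constructed sample inventory and scan results (not real hosts or findings).
SAMPLE_HOSTS = [
    Host("srv1", "server", True, None, True),
    Host("srv2", "server", False, None, True),
    Host("srv3", "server", True, None, False),
    Host("lap1", "laptop", True, True, False),
    Host("lap2", "laptop", False, False, False),
    Host("lap3", "laptop", False, True, False),
]
SAMPLE_VULNS = [
    Vuln("srv1", "critical", date(2015, 1, 1), date(2015, 1, 5)),   # in window
    Vuln("srv2", "critical", date(2015, 1, 1), date(2015, 1, 20)),  # closed late
    Vuln("srv3", "high", date(2015, 1, 1), None),                   # overdue
    Vuln("lap1", "high", date(2015, 1, 20), None),                  # still pending
    Vuln("lap2", "medium", date(2015, 1, 1), None),                 # out of scope
    Vuln("srv1", "high", date(2015, 1, 2), date(2015, 1, 30)),      # in window
]
AS_OF = date(2015, 2, 4)


def report(hosts: List[Host], vulns: List[Vuln], as_of: date) -> Dict[str, object]:
    """One month's figures; each key is one metric from the thread."""
    return {
        "baseline_all_pct": baseline_coverage(hosts),
        "baseline_servers_pct": baseline_coverage(hosts, "server"),
        "laptop_encryption_pct": encryption_coverage(hosts),
        "server_logging_pct": logging_participation(hosts),
        "patch_window": patch_window_compliance(vulns, as_of),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_HOSTS, SAMPLE_VULNS, AS_OF).items():
        print(f"{key}: {value}")
```

Running it on the sample data shows why the scope note in metric i matters: baseline coverage is 50.0% across all hosts but 66.7% for servers alone, so the report should state which scope it measures and keep it fixed month to month. The patch-window result (2 of 4 measured findings compliant, one pending) illustrates the split between work that is late and work that is simply not due yet.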
Current thread:
- Executive IT Security Report Dean Halter (Feb 04)
- Re: Executive IT Security Report Bonnie Johnson (Feb 04)
- Re: Executive IT Security Report Sturgis, John (John Sturgis) (Feb 04)
- Re: Executive IT Security Report Brad Judy (Feb 04)
- Re: Executive IT Security Report Wendy Wallman (Feb 04)
- Re: Executive IT Security Report Joel L. Rosenblatt (Feb 04)
- Re: Executive IT Security Report Jim Dillon (Feb 04)
- Re: Executive IT Security Report David Earley (Feb 04)
- Re: Executive IT Security Report Gabriel A DeLeon (Feb 04)
- <Possible follow-ups>
- Re: Executive IT Security Report Dean Halter (Feb 05)