Re: Executive IT Security Report

["Joel L. Rosenblatt" <joel () COLUMBIA EDU>]

Hi,

Here is my no so short answer :-)

http://www.educause.edu/ero/article/security-metrics-solution-search-problem

Enjoy!
Joel


Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3


On Wed, Feb 4, 2015 at 11:34 AM, Brad Judy <brad.judy () cu edu> wrote:
> I don’t have a great dashboard or template for you, but I’ll kick in my two
> cents on this type of reporting.
>
>
>
> 1.       Any metric must somehow be a meaningful representation of reducing
> some aspect of institutional risk.  If you can’t articulate how a metric
> makes a meaningful impact to institutional risk in a realistic way (no FUD,
> security theater, etc.) then don’t include it.
>
> 2.       Any metric must be something within either your direct control or
> influence
>
> a.       Never report on things that are mostly random number like “number
> of attacks” – such things ebb and flow and don’t demonstration your
> team/program’s effectiveness.  While some security reports talk about
> metrics like “time to detect an incident”, such a metric is a hybrid factor
> combining security monitoring and the sophistication of the attackers.  If
> all attacks were equal, it’s a measure of your security program, but they
> aren’t.
>
> b.      What is a metric that trends in a particular direction when your
> program/team is successful?  Do they have any projects/initiatives that have
> a good metric for progress towards a goal?
>
>                                                                i.
> Percentage of systems that meet a baseline security standard (within a
> realistic scope – maybe central IT servers or all servers)
>
>                                                              ii.
> Percentage of laptops with whole disk encryption
>
>                                                             iii.
> Percentage of systems/servers participating in X security effort (DLP,
> authenticated vulnerability scans, centralized logging, etc.)
>
>                                                            iv.      Number
> of PII records stored in the ERP system (if you have a goal of risk
> reduction via data reduction)
>
>                                                              v.
> Percentage of high/critical vulnerabilities patched or mitigated within your
> standard for patch window (may require fairly sophisticated config
> monitoring/management to measure accurately).
>
>
>
> Keep the list of metrics short and ensure each has a 2-3 sentence
> description of how it reflects institutional risk reduction in a tangible
> and realistic way.  Each should also note a goal level to achieve or
> maintain.
>
>
>
> Brad Judy
>
>
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dean Halter
> Sent: Wednesday, February 04, 2015 8:26 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Executive IT Security Report
>
>
>
> We are being asked to provide our senior management with a meaningful
> monthly report to demonstrate how we are doing currently and improvement
> over time with respect to IT security.  Have any of you identified a good
> set of metrics you use for this purpose?  If any of you have a report that
> you use for this purpose that you would be willing to share, it would be
> greatly appreciated.
>
>
>
> Thanks,
>
> Dean
>
> ___________
>
> Dean Halter, CISA, CISSP
>
> IT Risk Management Officer, UDit
>
> University of Dayton
>
>
>
> "Security is a process, not a product."  Bruce Schneier