IT Balanced Scorecard - IT
Security Metrics
Excel IT Security Scorecard with
security metrics
|
We have
designed a HR Balanced Scorecard in MS Excel, so now you can measure
and control your performance using this popular business tool.
Download
trial version right now
or visit
home page with screenshots. |
Implementation
of IT security metrics enables the organizational management to analyze
the IT systems technical, operational, and management controls
performance.
Metrics
Development and Implementation
Performance
metrics are tools designed to facilitate decision making and improve
performance and accountability through collection, analysis, and
reporting of relevant performance-related data. IT security metrics are
based on IT security performance goals and objectives, which state the
desired results of a system security program implementation and identify
practices defined by security policies and procedures. Overall, IT
security metrics monitor the accomplishment of the goals and objectives
by quantifying the level of implementation of the security controls and
the effectiveness and efficiency of the controls, analyzing the adequacy
of security activities and identifying possible improvement actions.
We share best "how-to" ideas: |
|
The
requirement to measure IT security performance is driven by regulatory,
financial, and organizational reasons. A number of existing laws, rules,
and regulations cite IT security performance measurement as a
requirement. The results of an effective metric program can provide
useful data for directing the allocation of information security
resources and should simplify the preparation of performance-related
reports. Besides, the process of data collection and reporting will
enable the management to pinpoint specific technical, operational, or
management controls that are not being implemented or are implemented
incorrectly. Using the results of the metrics analysis, program managers
and system owners can isolate problems, use collected data to justify
investment requests, and then target investments specifically to the
areas in need of improvement.
|
With Strategy2Act software we designed
an IT Security Metrics, click to view
sample full-screen.
Also, available for free download:
Read below more about
reports... |
The
metrics that are ultimately selected for implementation will be useful
not only for measuring performance, identifying causes of unsatisfactory
measurements, and pinpointing improvement areas, but also for
facilitating continuous policy implementation, effecting security policy
changes, and redefining goals and objectives. Once the measurement of
security control implementation commences, subsequent measurements can
be used to identify performance trends and ascertain whether the rate of
implementation is appropriate. A specific frequency of each metric
collection will depend on the life cycle of a measured event. For
instance, a metric that pertains to crackable passwords should be
collected at least monthly.
IT
security metrics implementation consists of five stages:
-
IT security
metrics identification, definition, and development;
-
Metrics data
collection and results analysis;
-
Remediation actions identification;
-
Evaluation of necessary resources;
-
Technical, administrative and
operational remediation activities.
We share best "how-to" ideas: |
|
Identification
of IT Security Metrics
The possibility of recovering files
checklist
Measure the possibility of recovering files in your company:
1) You are using some file shredder +5;
2) You are running wipe free space weekly: +2;
3) File shredder wipes recycle bin files: +2;
4) File shredder wipes temporary files: +4;
5) File shredder wipes files over network: +2;
Your score:
0..5 - you should install any file shredder and use both - file
shredder option and wipe free space option;
5..8 - you are protected well, but there are still some
security holes that attackers can use;
8..14 - you are protected for 90%, it's good for home users,
but we need more fore businesses;
15 - there is almost no chance to recover sensitive files. You
and your business are really protected!
Tools
To wipe temporary files, wipe files over network and file files
in recycle bin use a background
mode file shredder - Shred Agent. |
During
metrics development, goals and objectives from federal, internal, and
external guidance, legislation, and regulations are identified and
prioritized to ensure that the measurable aspects of security
performance correspond to operational priorities of the organization.
Security metrics must use the data that is readily obtainable, and yield
quantifiable information (percentages, averages, and numbers).
National
Institute of Standards and Technology published a report which
identified 17 IT security topics affecting the security posture of an
organization.
These topics range from risk management and security controls assessment
to personnel security, training and awareness to incident response
capability and audit trails.
- Risk Management measurements quantify the number of conducted system risk
assessments and the degree of managerial involvement in the risk
assessments procedures. Security
Plan metrics quantify the percentage of systems with approved
system security plans and the percentage of current system security
plans. Security Controls
metrics determine the efficiency of closing significant system
weaknesses by evaluating the existence, the timeliness and
effectiveness of a process for implementing corrective actions.
- Personnel Security metrics quantify the percentage of users with special access to
systems who have undergone background evaluations. Security Awareness metrics concern with the percentage of
employees with significant security responsibilities who have
received specialized training.
- Data Integrity metrics quantify the percentage of systems with automatic virus
definition updates and automatic virus scanning and the percentage
of systems that perform password policy verification. Logical Access Controls metrics concern with the number of
users with access to security software that are not security
administrators. To ensure that personnel with access to security
software have the appropriate skill sets and have undergone
appropriate screening, no person should be allowed such access
unless they are is designated as a security administrator. These
metrics also include the percentage of systems running restricted
protocols and the percentage of websites with a posted privacy
policy (if an organization runs websites with public access).
- Contingency Planning measurements include the percentage level of critical data files
and operations with an established backup frequency as well as the
percentage of systems that have a contingency plan. Incident Response Capability metrics quantify the percentage of
agency components with incident handling and response capability and
the number of incidents reported to FedCIRC, NIPC, and local law
enforcement.
- System Development Life Cycle
metrics quantify the percentage of systems that are in compliance
with the OMB requirement for integrating security costs into the
system life cycle. Audit Trails metrics quantify the percentage of systems on
which audit trails provide a trace of user actions.
The IT
security metrics also include Authentication,
Authorize Processing, Physical
and Environmental Protection,
Hardware and Systems Software Maintenance, Input/Output
Controls and Documentation measurements.
After
applicable metrics are identified and described, the appropriate
performance targets should be identified. Performance targets establish
a goal by which success is measured. The degree of success is based on
the metric result’s proximity to the stated performance target.
Strategy2Act
reports
Let me give some clarification about all mentioned reports,
metrics and Strategy2Act software.
1) In this article we have described the most popular and
useful IT security metrics. There are many ways of how to use them. What
we suggest are Security Metrics incorporated into balanced scorecard. In
this way you can connect your future security measures with your company
security strategy.
We share best "how-to" ideas: |
|
2) Security Metrics Balanced Scorecard is a tree of
security metrics, that you can see at this screeenshot.
This is how this balanced scorecard looks in our Strategy2Act
software.
3) You can design your own security metrics tree or use
suggested in sample files, then you will have a Strategy
Tree report. That shows all metrics and describe the measurement
way.
4) Security experts can work with Strategy2Act software to
do a real audit of your security. They can use Strategy2Act to assign
their score for metrics. Once expert did this, he or she can generate a Scorecard
report, which includes expert's scores together with total score
(see "74 of 100" total score).
5) Also, two more report types are available. Full
Report combines both - security metrics and experts scores. Report
for PDA is a modified report that you can upload to your PDA to read
it later.
6) If you want to design your own IT security metrics
scorecard or invite expert to evaluate your company security in compliance
with your security strategy tree, then you will need trategy2Act files,
here is download URL: Security
Metrics Balanced Scorecard (already included in Strategy2act
download package).
-
To open these file you will need a Strategy2Act software. You can download it from
www.strategy2act.com
-
To open a sample Security Metrics double click on "Sample Company Security Check.bscs" (recommended)
-
To open a IT Security Strategy tree file click on "IT Security Metrics strategy tree.bsct" (it's a template for your own balanced scorecard)
-
Remember that all these downloads are for evaluation
purposes only, if you wish to use it in your business, please,
purchase an appropriate number of licenses.
Strategy2Act
We have designed software product that can
leverage your productivity with balanced scorecard technique.
|