Balanced Scorecard software - Strategy2act

IT Balanced Scorecard - IT Security Metrics

Excel IT Security Scorecard with security metrics

IT Security Balanced Scorecard

We have designed an HR Balanced Scorecard in MS Excel, so you can now measure and control your performance using this popular business tool. Download the trial version right now or visit the home page with screenshots.

Implementing IT security metrics enables the organization's management to analyze the performance of the technical, operational, and management controls of its IT systems.

Metrics Development and Implementation

Performance metrics are tools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data. IT security metrics are based on IT security performance goals and objectives, which state the desired results of a system security program implementation and identify practices defined by security policies and procedures. Overall, IT security metrics monitor the accomplishment of the goals and objectives by quantifying the level of implementation of the security controls and the effectiveness and efficiency of the controls, analyzing the adequacy of security activities and identifying possible improvement actions.

We share best "how-to" ideas:

 

Subscribe to Balanced Scorecard ideas newsletter provided for free by authors of Strategy2Act. You will have 1-2 emails every week with balanced scorecard ideas and tips.

 

Email:

The requirement to measure IT security performance is driven by regulatory, financial, and organizational reasons. A number of existing laws, rules, and regulations cite IT security performance measurement as a requirement. The results of an effective metrics program provide useful data for directing the allocation of information security resources and should simplify the preparation of performance-related reports. In addition, the process of data collection and reporting enables management to pinpoint specific technical, operational, or management controls that are not being implemented or are implemented incorrectly. Using the results of the metrics analysis, program managers and system owners can isolate problems, use the collected data to justify investment requests, and then target investments specifically at the areas in need of improvement.

Security metrics with Strategy2Act

With the Strategy2Act software we designed an IT Security Metrics scorecard; click to view the sample full-screen.

Read more about the reports below...

The metrics that are ultimately selected for implementation are useful not only for measuring performance, identifying the causes of unsatisfactory measurements, and pinpointing improvement areas, but also for facilitating continuous policy implementation, effecting security policy changes, and redefining goals and objectives. Once the measurement of security control implementation commences, subsequent measurements can be used to identify performance trends and ascertain whether the rate of implementation is appropriate. The specific collection frequency of each metric depends on the life cycle of the measured event. For instance, a metric that pertains to crackable passwords should be collected at least monthly.

IT security metrics implementation consists of five stages: 

  1. IT security metrics identification, definition, and development; 

  2. Metrics data collection and results analysis; 

  3. Remediation actions identification; 

  4. Evaluation of necessary resources; 

  5. Technical, administrative and operational remediation activities.

 


Identification of IT Security Metrics

File recovery possibility checklist

Measure how likely it is that deleted files can be recovered in your company (add the points for each item that applies):

1) You are using a file shredder: +5;

2) You run a wipe-free-space pass weekly: +2;

3) The file shredder wipes files in the recycle bin: +2;

4) The file shredder wipes temporary files: +4;

5) The file shredder wipes files over the network: +2;

Your score:

0..5 - you should install a file shredder and use both the file-shredder option and the wipe-free-space option;

5..8 - you are well protected, but there are still some security holes that attackers can use;

8..14 - you are 90% protected; that is good for home users, but businesses need more;

15 - there is almost no chance of recovering sensitive files. You and your business are really protected!

Tools

To wipe temporary files, files sent over the network, and files in the recycle bin, use a file shredder that runs in background mode - Shred Agent.

During metrics development, goals and objectives from federal, internal, and external guidance, legislation, and regulations are identified and prioritized to ensure that the measurable aspects of security performance correspond to the operational priorities of the organization. Security metrics must use data that is readily obtainable and yield quantifiable information (percentages, averages, and counts).

The National Institute of Standards and Technology published a report that identified 17 IT security topics affecting the security posture of an organization. These topics range from risk management and security controls assessment, through personnel security and training and awareness, to incident response capability and audit trails.

  • Risk Management measurements quantify the number of system risk assessments conducted and the degree of managerial involvement in the risk assessment procedures. Security Plan metrics quantify the percentage of systems with approved system security plans and the percentage of system security plans that are current. Security Controls metrics determine how efficiently significant system weaknesses are closed by evaluating the existence, timeliness, and effectiveness of a process for implementing corrective actions.
  • Personnel Security metrics quantify the percentage of users with special access to systems who have undergone background evaluations. Security Awareness metrics concern the percentage of employees with significant security responsibilities who have received specialized training.
  • Data Integrity metrics quantify the percentage of systems with automatic virus definition updates and automatic virus scanning, and the percentage of systems that perform password policy verification. Logical Access Controls metrics concern the number of users with access to security software who are not security administrators. To ensure that personnel with access to security software have the appropriate skill sets and have undergone appropriate screening, no person should be allowed such access unless they are designated as a security administrator. These metrics also include the percentage of systems running restricted protocols and the percentage of websites with a posted privacy policy (if the organization runs websites with public access).
  • Contingency Planning measurements include the percentage of critical data files and operations with an established backup frequency, as well as the percentage of systems that have a contingency plan. Incident Response Capability metrics quantify the percentage of agency components with incident handling and response capability and the number of incidents reported to FedCIRC, NIPC, and local law enforcement.
  • System Development Life Cycle metrics quantify the percentage of systems that comply with the OMB requirement to integrate security costs into the system life cycle. Audit Trails metrics quantify the percentage of systems on which audit trails provide a trace of user actions.

The IT security metrics also include Authentication, Authorize Processing, Physical and Environmental Protection, Hardware and Systems Software Maintenance, Input/Output Controls and Documentation measurements.

After the applicable metrics are identified and described, appropriate performance targets should be set. A performance target establishes the goal against which success is measured; the degree of success is based on how close the metric result is to the stated performance target.
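The following worked example is added here to show what the percentage- and count-style metrics described above look like as code; it is not Strategy2Act's software and not code from the NIST report the article cites. It computes several of the listed metrics (approved and current security plans, background checks for users with special access, non-administrators with access to security software, automatic virus definition updates, audit trails) from a small constructed inventory, scores each against a hypothetical performance target by its remaining gap, and compares two collection rounds to surface a trend. The inventory, field names and target values are all assumptions for illustration.

```python
"""Added example (not Strategy2Act's code): IT security metrics computed from
a constructed inventory, scored against hypothetical performance targets."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple


@dataclass(frozen=True)
class System:
    name: str
    plan_approved: bool          # system security plan approved by management
    plan_current: bool           # plan reviewed within the policy interval
    av_auto_update: bool         # automatic virus definition updates enabled
    password_policy_check: bool  # password policy verification performed
    audit_trail: bool            # audit trail provides a trace of user actions


@dataclass(frozen=True)
class User:
    name: str
    special_access: bool           # privileged / special access to systems
    background_checked: bool       # background evaluation completed
    security_software_access: bool # can use security tooling
    security_admin: bool           # formally designated security administrator


# Constructed sample inventory (hypothetical hosts and accounts, not real data).
SYSTEMS = [
    System("hr-db", True, True, True, True, True),
    System("web-portal", True, False, True, False, True),
    System("file-srv", False, False, True, True, False),
    System("build-srv", True, True, False, False, True),
]
USERS = [
    User("alice", True, True, True, True),
    User("bob", True, False, False, False),
    User("carol", False, False, True, False),  # security tool access without admin role
    User("dave", True, True, False, False),
]


def percentage(items: Iterable, predicate: Callable) -> float:
    """Share of items satisfying predicate, as a percentage; 0.0 for empty input."""
    items = list(items)
    if not items:
        return 0.0
    return 100.0 * sum(1 for item in items if predicate(item)) / len(items)


def collect_metrics(systems: Iterable[System], users: Iterable[User]) -> Dict[str, float]:
    """Metrics data collection: each metric is a readily quantifiable number."""
    systems, users = list(systems), list(users)
    privileged = [u for u in users if u.special_access]
    return {
        "pct_systems_plan_approved": percentage(systems, lambda s: s.plan_approved),
        "pct_systems_plan_current": percentage(systems, lambda s: s.plan_current),
        "pct_privileged_users_background_checked": percentage(privileged, lambda u: u.background_checked),
        "count_nonadmin_security_software_access": float(sum(
            1 for u in users if u.security_software_access and not u.security_admin)),
        "pct_systems_av_auto_update": percentage(systems, lambda s: s.av_auto_update),
        "pct_systems_audit_trail": percentage(systems, lambda s: s.audit_trail),
    }


# Hypothetical performance targets: (target value, which direction counts as better).
TARGETS: Dict[str, Tuple[float, str]] = {
    "pct_systems_plan_approved": (100.0, "higher"),
    "pct_systems_plan_current": (90.0, "higher"),
    "pct_privileged_users_background_checked": (100.0, "higher"),
    "count_nonadmin_security_software_access": (0.0, "lower"),
    "pct_systems_av_auto_update": (95.0, "higher"),
    "pct_systems_audit_trail": (100.0, "higher"),
}


def evaluate(metrics: Dict[str, float], targets: Dict[str, Tuple[float, str]]) -> Dict[str, dict]:
    """Results analysis: distance of each result from its target (0 means the target is met)."""
    report = {}
    for key, (target, direction) in targets.items():
        value = metrics[key]
        gap = max(0.0, target - value) if direction == "higher" else max(0.0, value - target)
        report[key] = {"value": value, "target": target, "gap": gap, "met": gap == 0.0}
    return report


def trend(previous: Dict[str, float], current: Dict[str, float]) -> Dict[str, float]:
    """Change per metric between two collection rounds (positive = value rose)."""
    return {key: current[key] - previous[key] for key in current}


if __name__ == "__main__":
    results = collect_metrics(SYSTEMS, USERS)
    for key, entry in evaluate(results, TARGETS).items():
        status = "met" if entry["met"] else f"gap {entry['gap']:.1f}"
        print(f"{key}: {entry['value']:.1f} (target {entry['target']:.1f}, {status})")
```

Each metric is kept as a named function result rather than a printed line so that the same collection can be rerun at the chosen frequency and fed to `trend` to see whether the rate of implementation is appropriate.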

Strategy2Act reports

Let me clarify the reports, metrics and Strategy2Act software mentioned above.

1) In this article we have described the most popular and useful IT security metrics. There are many ways to use them. What we suggest is Security Metrics incorporated into a balanced scorecard. In this way you can connect your future security measures with your company's security strategy.


2) The Security Metrics Balanced Scorecard is a tree of security metrics, which you can see in this screenshot. This is how the balanced scorecard looks in our Strategy2Act software.

3) You can design your own security metrics tree or use the one suggested in the sample files; you will then have a Strategy Tree report that shows all metrics and describes how each is measured.

4) Security experts can work with Strategy2Act software to do a real audit of your security. They can use Strategy2Act to assign their score for each metric. Once the expert has done this, he or she can generate a Scorecard report, which includes the expert's scores together with the total score (see the "74 of 100" total score).

5) Two more report types are also available. The Full Report combines both the security metrics and the experts' scores. The Report for PDA is a modified report that you can upload to your PDA to read later.

6) If you want to design your own IT security metrics scorecard or invite an expert to evaluate your company's security in compliance with your security strategy tree, you will need the Strategy2Act files; here is the download URL: Security Metrics Balanced Scorecard (already included in the Strategy2act download package).

  • To open these files you will need the Strategy2Act software. You can download it from www.strategy2act.com

  • To open the sample Security Metrics scorecard, double-click on "Sample Company Security Check.bscs" (recommended)

  • To open the IT Security Strategy tree file, click on "IT Security Metrics strategy tree.bsct" (it is a template for your own balanced scorecard)

  • Remember that all these downloads are for evaluation purposes only; if you wish to use them in your business, please purchase an appropriate number of licenses.

Strategy2Act

We have designed a software product that can leverage your productivity with the balanced scorecard technique.

Made in Devoler