Introduction:
Enterprises
have learnt to give Information Security (IS) the wide berth it deserves.
However, the realization has not come any sooner. It has perhaps been accorded
a little later in the day than it ought to have been. However, there is still
the opportunity to make good the delay by adopting a pro-active and holistic
approach while creating, maintaining and augmenting an Enterprise Information
Security (EIS) program. Key aspects of
such a program are:
·
Formulating a customised EIS strategy and road
map.
·
Its effective implementation in an integrated
manner.
·
Measuring effectiveness through customised EIS
metrics.
Plethora
of technology platforms, voluminous processes and significant numbers of people
are available and deployed in implementation of security programs in
enterprises, while scant attention is paid to the other two elements of the
spectrum. This paper focusses on the latter.
Security
strategy and metrics go hand in hand, and both are very dynamic in nature owing
to changing business requirements and threat landscape. Hence, there is a need
to understand their dependence and symbiotic nature, from creation of the
respective programs, to their execution and continuous improvement. It is also
pertinent to note that EIS metrics is a facet of EIS strategy. Thus, although
it is possible to create an EIS metrics program independently, it is best
practised with an eye on the big picture and created as an indispensable part
of a dynamic EIS strategy.
Why:
EIS
strategy is of paramount importance to align the EIS program with enterprise business
objectives and provide the necessary return on investments (RoI). In the
absence of an EIS strategy, the program can flounder and would not be
positioned to deliver the results that are expected of it; also there would be no
accountability of the program, hence no productivity.
There
are multiple reasons for measuring EIS metrics:
·
EIS metrics are vital to demonstrate EIS program
effectiveness, provide accountability, justify past investments and seek future
investments, and instil stakeholder confidence/assurance.
·
Federal agencies in US are mandated by a
number of existing laws, and regulations such as Clinger-Cohen Act, Government
Performance and Results Act (GPRA), Government Paperwork Elimination Act
(GPEA), and Federal Information Security Management Act (FISMA) to undertake IT
performance measurement in general, and IT security performance measurement in
particular. IT Security metrics are a core component of EIS metrics.
·
Similar regulatory regimes are prevalent in
most developed and developing economies globally.
How:
EIS
strategy should be simple. It should take into account the industry sector, the
size or revenue of the enterprise, its risk appetite, the business model and
its unique business objectives or goals.
EIS
metrics should be practical, standardised and scalable. They should evaluate
security at the system level, and facilitate decision making as also aggregate
all operational level metrics to produce dashboards at the enterprise level and
business unit and/or geographical entity level. EIS metrics should also provide
relevant trends over time; help track performance and direct resources to
initiate performance improvement.
Development Process:
EIS
strategy development process consists of following generic activities which
would require to be customised for individual enterprises:
·
Enumeration of business objectives.
·
Identification of EIS drivers – Legal,
Regulatory, Financial, Operational etc.
·
Stock taking of the current EIS program, if
any.
·
Creation of a risk based and business aligned EIS
program including:
o
IS Roles and responsibilities (both within IS
as also outside of it)
o
IS Organization structure
o
IS Governance framework
o
IS Risk Assessment methodology and framework
o
IS Controls and Assessment framework
o
IS Architecture framework
o
IS Operations framework
o
Outline roadmap including major projects and
initiatives
o
EIS Metrics framework
EIS
metrics development process consists of following generic activities which
would require to be customised for individual enterprises:
·
Definition/documentation of the current EIS program
·
Selection and development of metrics to
measure implementation, efficiency, effectiveness, and impact of the EIS
program
Detailed Considerations for EIS
Strategy:
EIS
strategy should be aligned to business strategy and corporate vision. It must
leverage all existing strengths, tools, processes, people and frameworks of the
enterprise. It should spell out the security organization structure, roles and
responsibilities, catalogue of services provided, road map of security
programs, projects, and initiatives, and define customised security policies/standards/procedures.
It must work out the cross-functional collaboration framework and touch points
with complimentary functions including Enterprise Risk Management, Compliance,
Legal, BCP, DR, Privacy, Information Management, HR, IT Operations, and
Physical Security etc.
Detailed Considerations for EIS
Metrics:
EIS
metrics should reflect security program maturity (status of all programs,
projects, and initiatives) as also security control effectiveness (compliance
to policies, standards and procedures). Both data types should be processed
through a customized framework aligned to the risk appetite of the organization
and the results of such processing should be demonstrated through multiple
dashboards configured around the needs of specific target audiences. Generally,
3 levels should suffice; however, it could be either re-appropriated to two levels
in case of smaller enterprises with lesser consumers for such dashboards or
increased to additional levels to provide higher levels of granularity in case
of large and global enterprises with higher complexity.
While
adopting a 3 level representation, the highest level should be an overall
indicator. The next level should be indicative of the component sub-domains
that security has been carved out into for the enterprise, and each sub-domain
should get an appropriate weightage with the total adding up to 100%. The
sub-domains should be broken down to one more level of metrics which can come
from security technology platforms or security processes, and have varying
weight contribution to the sub-domain they comprise of. These last level
metrics are real data from systems and processes while the above two levels would
be abstractions based on this data as per a framework customised for a specific
company.
Some
options for level 1 dashboard are:
·
3 colours (Red/Yellow/Green) or 5
·
% of score out of 100
·
Levels 1 to 3 (or 5)
Suggested
components of level 2 dashboards are:
·
Governance
·
Risk
·
Compliance
·
Architecture
·
Operations
Suggested
components of level 3 dashboard with types of operational metrics for each are:
·
Asset Management metrics
·
Communication Security Metrics
·
Perimeter Security Metrics
·
End Point Security Metrics
·
Application Security metrics
·
Identity & Access Management metrics
·
Access Control metrics
·
Vulnerability Management metrics
·
Patch Management metrics
·
Malware Management metrics
·
Change Management metrics
·
Incident Management metrics
·
Business Continuity and Disaster Recovery metrics
Each
of the suggested operational metrics domains comprise of multiple metrics
elements and each applicable element need to be customised for a specific
enterprise. Also, the list above does not cater to GRC metrics which need to be
configured for an enterprise in a customised manner based on its EIS strategy
and implementation roadmap.
Conclusion:
The
above considerations are not sacrosanct or sequential. Rather, they provide a
framework for envisioning EIS metrics, and their appropriate customization for a
specific enterprise. The type of operational metrics depends on the status of enterprise
processes and supporting technology platforms, as also evolution of the EIS
program and its stage in the maturity life cycle.
No comments:
Post a Comment