Information Security Metrics Objectives With Measurements

Many people find the idea of creating Information Security Metrics to be a daunting task. This article will help you by reviewing what is required to create a set of meaningful metrics for your Information Security Program.

A number of years ago I was working on an information security strategy and was asked to create the metrics to measure the success of our Information Security program. I was given the name of our local specialist on results analysis and asked her “How can we measure the success of our information security program?”. Her immediate response was “What are your objectives?”. That reply took me a bit by surprise but what she was asking me, basically, was “How can you tell when you get there if you don’t know where you’re going?” A bit like the Cheshire Cat in Alice in Wonderland who told her it didn’t matter much which road she took if she didn’t know where she was going.

As an answer to her I proudly replied “Our objective is to ensure that our information is secure!”. The next question of course is what are all the steps (the road map) to get there; i.e. the intermediate objectives? This would require ensuring that all staff were aware of the need for information security, and providing them with the standards, guidelines, forms, and procedures to identify the right security controls required.

In this context then the term “metrics” refers to specific objectives that have defined measurements (i.e. Objective+Measurement=Metric).

The overall objective of the Information Security Strategy is: “1. Ensure the proper risk management of information assets.” This objective would be supported by an information security policy such as: “Personnel must recognize that information is a valuable corporate asset and therefore must be protected accordingly.” It was at that point that I went away and took a close look at the strategy we had in place and realized I could create a summary of the whole thing that consisted of about 12 intermediate objectives we had to meet to ensure our information was secure.

An example of one of the intermediate objectives to meet this main objective would be: “6. All departments have a documented inventory of their information assets.”

The metrics we developed for these two objectives are as follows (note the type of measurement required for each objective).

Objective #1: Ensure the proper risk management of information assets.

  • Measurement 1: A roll-up of the secondary objectives #2 through #12.
  • Measurement 2: Total potential dollar impact of all outstanding risks rated as “High”.

Objective #6: All departments have a documented inventory of information assets.

  • Measurement: Percentage of departments (at the manager level) from all business units and support groups that have completed their information asset inventory.

What this shows is two metrics that will help you measure the success of your Information Security Program. Just remember to have a meaningful set of objectives and then a set of results that can be realistically measured as time goes by.

Did you find this information on information security metrics useful? You can learn a lot more about how our set of information security documents can help you with metrics by visiting our web site at MASE Consulting Ltd.
