Metrics for Information Security Management Jesus Leonardo Garcia Rojas Innovaciones Telemáticas

Similar documents
ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

_isms_27001_fnd_en_sample_set01_v2, Group A

Certified Information Security Manager (CISM) Course Overview

Predstavenie štandardu ISO/IEC 27005

The Common Controls Framework BY ADOBE

What is ISO/IEC 27001?

Standard Glossary of Terms used in Software Testing. Version 3.2. Foundation Extension - Usability Terms

Guide to the implementation and auditing of ISMS controls based on ISO/IEC 27001

Octave Method Component. CobIT Method Component. NIST Risk Management Framework. Generic Security Design Model. Design Theory: Governance

Threat and Vulnerability Assessment Tool

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

locuz.com SOC Services

Security Methodology

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Infosec Europe 2009 Business Strategy Theatre. Giving Executives the Security Management Information that they Really Need

CCISO Blueprint v1. EC-Council

Advent IM Ltd ISO/IEC 27001:2013 vs

Appendix A. Syllabus. NIST Cybersecurity Foundation. Syllabus. Status: First Draft

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

REQUEST FOR EXPRESSIONS OF INTEREST

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

ITG. Information Security Management System Manual

University ICT Security Certification. Francesco Ciclosi, University of Camerino

Concepts of Usability. Usability Testing. Usability concept ISO/IS What is context? What is context? What is usability? How to measure it?

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Automating the Top 20 CIS Critical Security Controls

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

John Snare Chair Standards Australia Committee IT/12/4

Using Metrics to Gain Management Support for Cyber Security Initiatives

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

ISACA Arizona May 2016 Chapter Meeting

WELCOME TO ITIL FOUNDATIONS PREP CLASS AUBREY KAIGLER

ISO27001:2013 The New Standard Revised Edition

Information Security Policy

Rethinking Information Security Risk Management CRM002

K12 Cybersecurity Roadmap

Cymsoft Information Technologies

ISC2. Exam Questions CAP. ISC2 CAP Certified Authorization Professional. Version:Demo

ISO27001 Preparing your business with Snare

What is ISO ISMS? Business Beam

An Introduction to the ISO Security Standards

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

AUTHORITY FOR ELECTRICITY REGULATION

Ingram Micro Cyber Security Portfolio

Information Security and Service Management. Security and Risk Management ISSM and ITIL/ITSM Interrelationship

Demystifying Governance, Risk, and Compliance (GRC) with 4 Simple Use Cases. Gen Fields Senior Solution Consultant, Federal Government ServiceNow

Information Technology General Control Review

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

ECCouncil EC-Council Certified CISO (CCISO) Download Full Version :

Checklist: Credit Union Information Security and Privacy Policies

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Exhibit A1-1. Risk Management Framework

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

Cyber security tips and self-assessment for business

APPROVAL SHEET PROCEDURE INFORMATION SECURITY MANAGEMENT SYSTEM CERTIFICATION. PT. TÜV NORD Indonesia PS - TNI 001 Rev.05

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Certified Software Quality Engineer Preparation On Demand, Web-Based Course Offered by The Westfall Team

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Manchester Metropolitan University Information Security Strategy

ISO/IEC Information technology Security techniques Code of practice for information security management

HIPAA RISK ADVISOR SAMPLE REPORT

Cybersecurity Auditing in an Unsecure World

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

Nebraska CERT Conference

The Deloitte-NASCIO Cybersecurity Study Insights from

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Rev.1 Solution Brief

INFORMATION ASSURANCE DIRECTORATE

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

ISO/IEC overview

Security Standards for Electric Market Participants

Fill in the attached registration Form and send to fax number or at

RSA Cybersecurity Poverty Index

ISMS Implementation ISO IT Governance CEN 667

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

Best Practices & Lesson Learned from 100+ ITGRC Implementations

Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification

The Confluence of Physical and Cyber Security Management

Consolidation Committee Final Report

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Industrial Defender ASM. for Automation Systems Management

Defense in Depth Security in the Enterprise

Building UAE s cyber security resilience through effective use of technology, processes and the local people.

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

ISE Canada Executive Forum and Awards

RSA Cybersecurity Poverty Index : APJ

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

NW NATURAL CYBER SECURITY 2016.JUNE.16

INFORMATION ASSURANCE DIRECTORATE

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Why you should adopt the NIST Cybersecurity Framework

ITG. Information Security Management System Manual

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Vulnerability Assessments and Penetration Testing

6 CONCLUSION AND RECOMMENDATION

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

MIS5206-Section Protecting Information Assets-Exam 1

Transcription:

Metrics for Information Security Management Jesus Leonardo Garcia Rojas Innovaciones Telemáticas lgarcia@intelematica.com.mx

How do we know how secure an organization is? Manager asks, Are we secure? Without metrics: Well that depends on how you look at it. With metrics: No doubt about it. Look at our risk score before we implemented that firewall project. It s down 10 points risk. We are definitely mo re secure today than we were before. Manager asks, Have the changes that we implemented improved our security posture? Without metrics: sure, they must have right? With metrics: Absolutely. Look at our risk score before we made the recommended changes, and now it s down 25 points. No question, the changes reduced our security risk.

What is a metric? FIPS 140-1/2 metrics for cryptosystems, The standard provides four increasing, qualitative levels of security. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. SSE-CMM (Carnegie Mellon university) A five step maturity model to evaluate a company software development performance The National Institute of Standards and Technology (NIST) (SP 800-53, SP 800-55) The NIST use the CMM model in the security area. We learned from the SECurity METrics (SECMET) consortium, that Network security experts can t be measure their success without security metrics, and what can t be measured can t be effectively managed 27004 Information security management measurements is at the WorkingDraft stage A more formalized mathematical Method can be derived from the mass-theorie. It exist for that problem only an solution for a countable set. This set must be fulfill a sigma-algebra

Measuring process Indentifying the object of measurement A particular ISMS process A control or a group of controls Identifying the method of measurement Identifying the measurement frecuency Identifiying measuremetn criteria Definition of data collection, analysis and reporting procedures Execute the measurement and improve it where necesary

Measurement, Metrics, Indicators Measure: A quantitative indication of the extent, amount, dimension, capacity or size of some attribute of a control or process. A single data point (e.g. number of defects from a single review) Measurement: The act of determining a measure Metric: A measure of the degree to which a system, component, control or process possesses a given attribute. Metrics relate measures (e.g. Average number of defects found in reviews) Relate data points to each other Indicator: A metric or series of metrics that provide insight into a process, project or product.

Why Measure? Characterise To gain understanding of processes, control, products, etc. Evaluate To determine status with respect to plans. Predict So that we may plan. Improve Rational use of quantitative information to identify problems and strategies to remove them

What to Measure? Process Measure the efficacy of processes Effectiveness of ISMS What works, what doesn t Project Assess the status of projects Track risk Identify problem areas Adjust work flow Controls Measure predefined control attributes

Process Metrics Majority focus on goals achieved as a consequence of a repeatable or managed process statistical data defect categorization & analysis defect removal efficiency propagation from phase to phase reuse data

Project Metrics Effort/time per task Defects detected per review hour Scheduled vs. actual milestone dates Changes (number) and their characteristics Distribution of effort on tasks

Control Metrics focus on deliverables measures of analysis model complexity of the design internal algorithmic complexity architectural complexity data flow complexity code measures measures of process effectiveness e.g., defect removal efficiency

Metrics Guidelines Use common sense and organizational sensitivity when interpreting metrics data. Provide regular feedback to the individuals and teams who have worked to collect measures and metrics. Don t use metrics to appraise individuals. Work with practitioners and teams to set clear goals and metrics that will be used to achieve them. Never use metrics to threaten individuals or teams. Metrics data that indicate a problem area should not be considered negative. These data are merely an indicator for process improvement. Don t obsess on a single metric to the exclusion of other important metrics.

Measurement Criteria Measurements should be: Objective Repeatable Timely Available in time to affect development/maintenance Available Difficulty to obtain Representative Degree of representation of customers perception Controllable Extent to which value can be changed by action

Examples of metrics Total number of remote connections over a one month period (VPN, ISDN, dial-up, remote desktop) Maximum number of concurrent remote by user The percentage of total applications that have a contingency plan by application criticality. Time to analyze and recommend action on a security event Number of Linux servers at least 90% compliant with the Linux platform security standard Quantitative or qualitative values that result from evaluation processes (manual, automated, or a combination) such as Scoring < -> Assessing Ranking < -> Measuring

Security Metric Categories Platform Number of Linux servers that are compliant with EFS policy Network DMZ port scans Incident Number of hosts infected with worm XYZ Vendor Average security rating for vendors that touch active customer files People Number of terminated employees with administrator access Industry Number of public security incidents in sector ABC with severity score Z Political Hacktivism scores, amount of sites listing sector/company ABC as potential target

Security Metric Types Real Time Number of concurrent connections to VPN Usually from incident response systems Internal Polled Number of password reset requests (monthly), Usually from Security Alert & Security Event Manager Incident based Number of machines Number of vendors suffering from infections Usually from industry intelligence/incident response Internet Telecom Wireless Access Point

Gathering Data Inquiry Observation Questionnarie Knowledge Assessment Inspection Re-performance System queries Testing and sampling Time.related considerations

How do we decide which one s to collect? Policy Mining / Easy to Spot Anomalies Risk Scoring ROI / Vendor Evaluations Tips / Visionaries Tools of Security Event Management IT security is often techniques orientated

Business meets IT Information Security Information, finance data and knowledge are stored in databases, operating systems and application How can we be sure that a company has a sufficient data to improve the effectiveness of the ISMS? Business Objetives Operational Tasks Business Process Application view on business processes New challenge IT Assets Netkork Nodes RISKS IT-Process IT-Resources IT-Ressources are protected by the ISMS Classical perimeter security

Typically the organizations implements an information security manegement System An ISMS is an Management System (like other management system e.g. ISO 9001, ISO 14001) with a focus on Information security In this contribution an approach for the evaluation of the quality of ISMS is proposed

ISO standardards relationships Quality Management ISO 9001:2000 Information Security Management (ISO 27001:2005) IT Governance COBIT IT Service Managemnt ISO 20000-1:2005

ISO standardards relationships Human resources Physical Security Finances Monitoring A8 Planning & Organization IT Management A7 A6 A5 A15 A14 Business Areas A9 A10 A11 A12 Information Security Management System ISO 20000 (ITIL) A13 Adquisition & Implementation COBIT Delivery & Support Legal Interested Parties Third Parties

ISMS ISMS Scope and boundary 6 Organization of information security 7 Asset management 8 Human resources security 9 Physical and environmental security 10 Communications and operations management PLAN 11 Access control DO ACT SoA 15 Compliance 12 Information systems acquisition, development and maintenance CHECK 5 Security policy 13 Information security incident management 14 Business continuity management ISMS Information Security Architecture

Information Security Management System ISMS Scope and boundaries ISMS Policy Risk Assessment Approach Risk treatment Management approval Statement of applicability Plan Establish the ISMS Implement the identified improvements in the ISMS. corrective and preventive actions Communicate the actions and improvements to all interested parties Ensure that the improvements achieve their intended objectives. Do Implement and operate the ISMS Act Maintain and improve the ISMS Implement the risk treatment plan Implement controls selected measure the effectiveness of the selected controls or groups of controls Check Monitor and review the ISMS Execute monitoring and reviewing procedures and other controls regular reviews of the effectiveness of the ISMS Measure the effectiveness of controls Review risk assessments at planned intervals Conduct internal ISMS audits at planned intervals Undertake a management review of the ISMS on a regular basis Update security plans

Brief overview of different risk methods Return on Security Investment (ROSI) Model University Idaho University California Massachusetts Institute of Technology (MIT) different Models, different views Checklist, simple approach Value at Risk Method (economy, simple approach to BASEL II) CRAMM Method (CTT) is based on aprx. 3000 events of threats -> possible to use with BS 7799-2/ISO27001 Pure risk assessment followed BS 7799-2/ISO27001 -> a roughly method to couple in a simple way threats, vulnerabilities and risks HazOP e.g. Fault trees / decision trees (FTA, FMEA, FMCA) binary decision about bifurcation conduct to cognitions (failure, reasons, etc.) OCTAVE (Operationally Critical Threat and Vulnerability Evaluation) from the Carnegie Mellon University Risk Scenario-techniques (RST) Risk scenario are be able to learn from hypothetical risk events, which are become possible happen in the near future, to create countermeasures in the presence, so that the hypothetical events are not happens.

Metrics for Information Security Management Jesus Leonardo Garcia Rojas Innovaciones Telemáticas lgarcia@intelematica.com.mx

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback