Developing Operational Security Metrics to Meet Business Value

Identity management is just one area of information assurance that needs to be improved in an organization. An information assurance professional needs to have a good understanding of how well all areas of security and information assurance are being managed and maintained. Metrics are very important instruments for managing security and information assurance. Examples of metrics from other areas of security that can be more quantitative and meaningful include:

  • Tracking the number of security intrusion detection incidents on a monthly basis
  • Breaking intrusion detection incidents down by unit and country, because this will demonstrate whether security is weak in some functional area
  • Recording the business impact of each intrusion detection incident

For this Project, write a 4- to 6-page paper in which you create 8-10 operational metrics, and explain how these metrics demonstrate the overall efficacy of the information assurance program at your organization. In the paper, respond to the following: 

  • How do you determine acceptable baselines for the metrics you created?
  • How are these metrics efficacious to the teams involved in the operation of security controls?

Because you are using a fictitious scenario, state any assumptions you make.

Include references and make your work as original as possible.

Readings

  • Brotby, K. (2009). Information security governance: A practical development and implementation approach. Hoboken, NJ: Wiley.
    • Chapter 13, "Security Program Development Metrics"
      In this chapter you are introduced to the process of putting an information system security strategy into operational use. You will explore the decisions that must be made and metrics that will be needed to provide the information required for security program development management.
    • Chapter 14, "Information Security Management Metrics"
      In this chapter you are introduced to the concept of using management metrics to help executive management of an organization with decision support regarding information security. You will investigate the tactical metrics that are needed to keep the information security governance program operating at an acceptable level guided by the strategic objectives.
  • Jaquith, A. (2007). Security metrics: Replacing fear, uncertainty, and doubt. Upper Saddle River, NJ: Pearson.
    • Chapter 3, "Diagnosing Problems and Measuring Technical Security"
      In this chapter you will be introduced to a collection of common security metrics for diagnosing problems and measuring technical security activities.
    • Chapter 6, "Visualization"
      In this chapter you are introduced to the concept of graphically representing data and metrics as an information visualization practice. You will explore ways to display data graphically without losing the richness and texture that best facilitate deep understanding.
