Improving Your Information Security Program

Michael walks the audience through the key focus areas in the creation of information security dashboards and discusses topics such as: What about our Information Security Program is important? How can I represent my Information Security Program in a dashboard? What elements of my program should I measure and report on? What must happen with the output?

Transcript

  • 1. Improving your Information Security Program: Building your Security Dashboard
  • 2. Our on-going challenge: Identifying success and measuring performance is difficult within the information security program
    • Security Managers lack an effective way to monitor current state and track improvement within their programs
    • Security staff lack guidance on program priorities
    • Management and executives need awareness of how the program supports the organization
    • Business units do not understand their role in information security
    Copyright 2007 – Seccuris Inc.
  • 3. Our on-going challenge: How do we align, manage and communicate our program in an effective manner? By creating an Information Security Program Dashboard
  • 4. Agenda
    • Introduction to dashboards
    • The role of the dashboard
    • Building a dashboard for your security program
    • Using your Dashboard
  • 5. Introduction to Dashboards: What is a dashboard?
    • A summary view of relevant performance information
    • Visualization of up-to-date Key Performance Indicators (KPIs)
    • KPIs are displayed through a collection of Performance Maps
    • Can be manual, automated or “digital”
  • 6. Introduction to Dashboards: What isn’t a dashboard?
    • Driving your car
    • Security Information Management (SIM)
  • 7. Poor Example of Dashboard (figure)
  • 8. Better example of Dashboard (figure)
  • 9. Good Example of Dashboard (figure: a Security Management Dashboard with the panels High-Level Direction, Malicious Attack, Special Topics and Security Organization; performance maps shown: Security Committee Approvals for Security Initiatives, Server Virus Infections, E-mail Privacy Incidents, Information Security Policies, Security Department Initiatives, Intrusion Prevention Signature Updates, Remote Office Policy Violations, Security Awareness Initiatives, Staff Agreements, Security Audits and Incident Response Engagements, each with its counts and a Monthly or Annual period)
  • 10. Malicious Attack (detail of the dashboard figure)
    • Server Virus Infections (Monthly): Identified 36, Contained 30, Cleaned 33
    • Intrusion Prevention Signature Updates (Monthly): Identified 89, Tested 69, Approved 54, Implemented 177
    • Incident Response Engagements (Annual): Identified 43, In-progress 12, Re-Opened 2, Closed 30
  • 11. Introduction to Dashboards: What are the benefits of a dashboard?
    • Demonstration of compliance
    • Elimination of duplicate data entry / gathering
    • Identification of poor performance within the program
    • Allows for measurement of current action plans and implementations
    • Allows for immediate awareness and alerting
    • Provides supporting information for the IT Security Scorecard
  • 12. The role of the dashboard: Where does the dashboard fit in organizational management? (figure: Security Information Management)
  • 13. The role of the dashboard (figure: the Information Security Policy and the Information Security Balanced Scorecard feed the Security Management Dashboard; scorecard areas: Critical Business Applications, System Development, Security Management, Computer Installations, Networks; dashboard aspects: High-Level Direction, Security Organization, Security Requirements, Secure Environment, Security Management, Malicious Attack, Risk Acceptances, Special Topics, Review. *Includes KPIs from each aspect of Security Management)
  • 14. The role of the dashboard: What is the intended audience for an Information Security dashboard?
    • Primary: CISO, Information Security Manager, Information Security Staff
    • Secondary: Accountable Business Unit Management, Business Executive, Audit
  • 15. The role of the dashboard: The dashboard allows us to:
    • Visualize the focus areas for our program
    • Facilitate awareness of the organization’s accountability within the security program
    • Create a distinction between failure of the program and failure of the security department
  • 16. Building a security dashboard: What are the components of a dashboard?
    • Performance Maps
    • Business Logic
    • Visualization Rules
    • Data Sources
    • Critical Success Factors (CSF)
    • Key Performance Indicators (KPI)
  • 17. Building a security dashboard: What are the components of a dashboard? (figure: the Security Management Dashboard aspects expanded into performance maps, for example High-Level Direction: Board Level Approvals for Security Initiatives, Submitted 12, Reviewed 4, Approved 1 (Annual); Security Organization: Security Committee Approvals for Security Initiatives, Submitted 16, Reviewed 12, Approved 9 (Annual); Information Security Policies: Created 8, Revised 3, Approved 11 (Annual); Security Department Initiatives: Defined 34, Scheduled 6, Active 5, Completed 44 (Annual); Staff Agreements: N/A 2, Current 699, Expired 455 (Annual); Security Awareness Initiatives: Defined 4, Scheduled 1, Active 0, Completed 4 (Annual))
  • 18. Building a security dashboard: The inputs & data sources of a dashboard (figure: the Information Security Gap Analysis, Information Security Policy, Information Security Balanced Scorecard, Information Security Action Plan and Information Security Action Plan Status Report arranged around the Security Management Dashboard)
  • 19. Building a security dashboard: The inputs & data sources of a dashboard. Information Security Balanced Scorecard (figure: scorecard areas Critical Business Applications, System Development, Security Management, Computer Installations, Networks)
    • Defines the goals of the program
    • Challenging to start due to limited access to true corporate business drivers
    • Often difficult to separate into manageable, visual pieces
    • How do we define CSFs for our program?
  • 20. Building a security dashboard: The inputs & data sources of a dashboard. Information Security Balanced Scorecard: the Information Security Forum
    • 16+ years in the making
    • Industry recognized
    • Management focused
    • Primary source for CSFs
  • 21. Building a security dashboard: The inputs & data sources of a dashboard. Information Security Policy
    • Mapped to Business Drivers
    • Influenced by compliance & legislation
    • Based on Best Practices
    • Primary source of relevant KPIs
    • Example Policy: All security incidents relating to critical business functions must be investigated and documented.
    • Example KPI: Number of Identified, In-Progress, Re-opened and Closed Incident Response Engagements.
  • 22. Building a security dashboard: The inputs & data sources of a dashboard. Information Security Gap Analysis: SABSA
    • Business driven approach
    • True architecture focus
    • Aligns with any best practice
    • Good source of relevant KPIs
  • 23. Building a security dashboard: The inputs & data sources of a dashboard. Information Security Action Plan
    • Details security program improvements
    • Highlights what KPIs should be monitored
    • Specifies CSF and KPI target goals
    • Good source of relevant KPIs
  • 24. Building a security dashboard: The inputs & data sources of a dashboard (figure, same as slide 18)
  • 25. Building a security dashboard: Steps to define the dashboard
    • Perform an Information Security Program Gap analysis
    • Confirm the CSFs for the security program
    • Choose and align relevant KPIs for the dashboard
    • Define business logic & visualization rules
  • 26. Building a security dashboard: Performing the Information Security Gap analysis
  • 27. Building a security dashboard: Performing the Information Security Gap analysis (figure: legend for the gap-analysis matrix)
    • Maturity levels: 0 – Non-Existent, 1 – Initial, 2 – Repeatable, 3 – Defined, 4 – Managed, 5 – Optimized
    • Each Architecture Area cell carries three scores: Current State, Required Goal and Good Practice
  • 28. Building a security dashboard: Information Security Program Gap Analysis (figure: SABSA matrix with the layers Contextual, Conceptual, Logical, Physical, Component and Operational against the columns Assets (What), Motivation (Why), Process (How), People (Who), Location (Where) and Time (When); each cell names its SABSA element, for example Business Model, Business Risk Model, Security Policies, Security Mechanisms, Security Standards and Operational Risk Management, and shows its Required Goal score: 4 to 5 for the Contextual, Conceptual and Logical layers, 3 for the Physical, Component and Operational layers)
  • 29. Building a security dashboard: Information Security Program Gap Analysis (figure: the same matrix with a second score added to every cell)
  • 30. Building a security dashboard: Performing the Information Security Gap analysis (figure: the legend of slide 27 extended with the status colours Above Requirement, Meets Requirement, Below Requirement and Critically Below Requirement)
  • 31. Building a security dashboard: Information Security Program Gap Analysis (figure: the complete matrix with Current State, Required Goal and Good Practice scores in every cell; the lowest scores, 0 and 1, appear in the Component and Operational rows)
  • 32. Building a security dashboard: Performing an Information Security Program Gap analysis. Completion will highlight areas of your overall security that are:
    • Non-existent
    • Weak / Requiring Improvement
    • Over invested
    • Meeting the target
  • 33. Building a security dashboard: Performing an Information Security Program Gap analysis. Use this information to:
    • Identify gaps in your information security policy
    • Create action plans and improvement projects
    • Confirm goals & CSFs by ensuring areas that need investment have been appropriately defined at the strategic level
    • Select KPIs that will allow you to monitor focus areas of your program
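The gap analysis on slides 27 to 33 reduces to a comparison of two scores per matrix cell. The following script is an added example and is not code from the deck or from Seccuris: it takes a current-state grid and a required-goal grid on the deck's 0 to 5 maturity scale, classifies every cell into the four legend statuses of slide 30, and lists the cells to act on first. The rule for "Critically Below" (current state Non-Existent, or at least two levels short of the goal) is an assumption; the deck does not state one. The sample grids are constructed; the required goals follow the per-layer targets visible on slide 28, the current-state rows are illustrative.

```python
"""Gap-analysis scoring for a SABSA-style maturity matrix (added example).

Each cell of the Contextual..Operational x What..When matrix holds a
current-state and a required-goal score on the 0-5 maturity scale, and
classify() maps the pair onto the four statuses of the slide 30 legend.
Assumption: "Critically Below" means the current state is Non-Existent (0)
or at least two levels short of the goal.
"""
from collections import Counter
from dataclasses import dataclass

MATURITY = {0: "Non-Existent", 1: "Initial", 2: "Repeatable",
            3: "Defined", 4: "Managed", 5: "Optimized"}
LAYERS = ["Contextual", "Conceptual", "Logical",
          "Physical", "Component", "Operational"]
COLUMNS = ["Assets", "Motivation", "Process", "People", "Location", "Time"]

ABOVE = "Above Requirement"
MEETS = "Meets Requirement"
BELOW = "Below Requirement"
CRITICAL = "Critically Below Requirement"
CODE = {ABOVE: "+", MEETS: "=", BELOW: "-", CRITICAL: "!"}   # stands in for the legend colours


@dataclass(frozen=True)
class Cell:
    layer: str
    column: str
    current: int
    required: int


def classify(current, required, critical_gap=2):
    """Map a (current, required) pair to one legend status."""
    for score in (current, required):
        if score not in MATURITY:
            raise ValueError(f"maturity score {score} is outside the 0-5 scale")
    gap = required - current
    if gap < 0:
        return ABOVE                      # over-invested relative to the goal
    if gap == 0:
        return MEETS
    if current == 0 or gap >= critical_gap:   # assumed threshold, see docstring
        return CRITICAL
    return BELOW


def build_matrix(current_rows, required_rows):
    """Zip two 6x6 score grids (rows in LAYERS order) into Cell objects."""
    if len(current_rows) != len(LAYERS) or len(required_rows) != len(LAYERS):
        raise ValueError("expected one row per SABSA layer")
    return [Cell(layer, column, cur, req)
            for layer, crow, rrow in zip(LAYERS, current_rows, required_rows)
            for column, cur, req in zip(COLUMNS, crow, rrow)]


def gap_report(cells):
    """Return (status counts, critically-below cells ordered worst first)."""
    status = {cell: classify(cell.current, cell.required) for cell in cells}
    counts = Counter(status.values())
    critical = sorted((c for c, s in status.items() if s == CRITICAL),
                      key=lambda c: (c.current - c.required, c.layer, c.column))
    return counts, critical


def render(cells):
    """One text line per layer, one mark per column in COLUMNS order."""
    lines = []
    for layer in LAYERS:
        marks = [CODE[classify(c.current, c.required)]
                 for c in cells if c.layer == layer]
        lines.append(f"{layer:<12} " + " ".join(marks))
    return lines


# Constructed sample input: required goals follow the per-layer targets on
# slide 28; the current-state rows are illustrative.
REQUIRED = [[4, 5, 5, 5, 5, 5], [4, 4, 4, 4, 4, 4], [4, 4, 4, 4, 4, 4],
            [3, 3, 3, 3, 3, 3], [3, 3, 3, 3, 3, 3], [3, 3, 3, 3, 3, 3]]
CURRENT = [[3, 2, 4, 4, 5, 2], [3, 4, 4, 3, 4, 2], [2, 3, 3, 1, 2, 3],
           [1, 4, 2, 3, 1, 1], [0, 2, 1, 2, 1, 3], [0, 1, 2, 1, 1, 2]]

if __name__ == "__main__":
    cells = build_matrix(CURRENT, REQUIRED)
    counts, critical = gap_report(cells)
    print("\n".join(render(cells)))
    for name in (ABOVE, MEETS, BELOW, CRITICAL):
        print(f"{name:<30} {counts[name]}")
    print("act first on:", [(c.layer, c.column, c.current, c.required) for c in critical[:3]])
```

The worst-first ordering of the critical cells is what feeds the action plan on slide 33: the cells with the largest shortfall become the improvement projects, and their scores are the candidate KPIs for the dashboard.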
  • 34. Building a security dashboard: Steps to define the dashboard
    • Perform an Information Security Program Gap analysis
    • Confirm the Goals & CSFs for the security program
      • Use the Gap Analysis to identify potential CSF misalignment
      • Review Information Security Program Components
    • Choose and align relevant KPIs for the dashboard
    • Define business logic & visualization rules
  • 35. Building a security dashboard: Where does the dashboard fit in organizational management? (figure)
  • 36. Building a security dashboard: Information Security Program Gap Analysis (figure: the matrix of slide 31 reduced to the cells flagged by the gap analysis, among them Business Geography Model, Business Risk Model, Business Time Dependencies, Security-Related Lifetimes and Deadlines, Security Processing Cycle, Security Standards, Security Products and Tools and Security Operations Schedule)
  • 37. Building a security dashboard: Steps to define the dashboard (slide 34 repeated)
  • 38. Building a security dashboard: Confirm the Goals & CSFs for the security program
    • Review current security plan documentation
    • Does the Gap analysis output align with the Security Program Scorecard?
    • Are there weaknesses that must be improved on?
    • Change Security Program documentation to include new goals and CSFs
  • 39. Building a security dashboard: Steps to define the dashboard (slide 25 repeated)
  • 40. Building a security dashboard: Choose and align relevant KPIs for the dashboard
    • Brainstorm using the current security program as a starting point
    • Review the Gap Analysis for potential new KPIs
    • Review “good practices” for relevant indicators
    • Choose KPIs that help influence your goals and visualize your CSFs
  • 41. Using Standards to pick KPIs (figure: the Information Security Forum aspects Critical Business Applications, System Development, Security Management, Computer Installations and Networks)
  • 42. Using Gap Analysis to focus KPIs (figure: the SABSA operational security matrix, whose cells name activities such as Business Risk Assessment, Security Audit & Measurement, Incident Response, Disaster Recovery, Intrusion Detection, Event Monitoring, Access Control & Privilege Profile Administration, Vulnerability Assessment, Penetration Testing, Computer Forensics, Event Log Management, Anti-Virus Administration, User Vetting and Product Procurement, overlaid on the ISF aspects of slide 41 as the source of candidate KPIs)
  • 43. Building a security dashboard: Steps to define the dashboard (slide 25 repeated)
  • 44. Building a security dashboard: Define business logic & visualization rules
    • What elements make up the KPI?
    • What element triggers exist within the KPI?
    • What weighting should the elements be given?
    • What method of visualization works for this KPI?
  • 45. Building a security dashboard: Security Products & Tools – Identified KPI
    • CSF: Intrusion Prevention must be properly implemented and managed. (ISF-SM5.3)
    • KPI: The number of IPS signature updates that are identified, tested, approved & implemented on a monthly basis.
    • Business Logic: If the number of identified IPS updates is less than 1 a month then show as critical. (cont.)
    • Performance map shown: Security Products & Tools, Signature Updates (Monthly): Identified 0, Tested 0, Approved 0, Implemented 0
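Slides 44 and 45 define a KPI through four questions: its elements, its triggers, the weighting of the elements and the way it is visualized. The script below is an added example, not code from the deck or from Seccuris, that models a KPI exactly that way and evaluates it against the element values printed on the performance maps. The only rule taken from the deck is slide 45's business logic (fewer than 1 identified IPS signature update in a month is critical); the second IPS trigger, the Incident Response triggers and weights, the roll-up rule (worst element status wins, weights feed a health score) and the status names ok/warning/critical are all assumptions. Sample values come from slides 45, 48 and 10 plus one constructed case.

```python
"""KPI business logic and visualization rules for a performance map (added example).

A KPI is modelled by the four questions on slide 44: elements (the columns
of the performance map), triggers on those elements, element weights, and
the rendering of the map. Only slide 45's "fewer than 1 identified IPS
update in a month is critical" comes from the deck; every other trigger,
the weights, the roll-up and the status names are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

OK, WARNING, CRITICAL = "ok", "warning", "critical"
SEVERITY = {OK: 0, WARNING: 1, CRITICAL: 2}


@dataclass
class Trigger:
    element: str                              # element the trigger reports against
    fires: Callable[[dict[str, int]], bool]   # sees all element values of the map
    status: str
    description: str


@dataclass
class KPI:
    name: str
    csf: str
    elements: list[str]
    period: str                               # "Monthly" or "Annual", as on the maps
    triggers: list[Trigger]
    weights: dict[str, float] = field(default_factory=dict)   # default weight 1.0


def evaluate(kpi, values):
    """Return (overall status, status per element, weighted health score, fired rules).

    Overall status is the worst element status; the health score is the
    weighted share of elements that are still OK (both assumed rules).
    """
    missing = [e for e in kpi.elements if e not in values]
    if missing:
        raise ValueError(f"{kpi.name}: no data for {missing}")
    per_element = {e: OK for e in kpi.elements}
    fired = []
    for t in kpi.triggers:
        if t.fires(values):
            fired.append(t.description)
            if SEVERITY[t.status] > SEVERITY[per_element[t.element]]:
                per_element[t.element] = t.status
    overall = max(per_element.values(), key=SEVERITY.get)
    total = sum(kpi.weights.get(e, 1.0) for e in kpi.elements)
    healthy = sum(kpi.weights.get(e, 1.0) for e, s in per_element.items() if s == OK)
    return overall, per_element, healthy / total, fired


def render_map(kpi, values, overall):
    """Text form of a performance map: title, element headers, counts, period."""
    header = "  ".join(f"{e:>11}" for e in kpi.elements)
    row = "  ".join(f"{values[e]:>11}" for e in kpi.elements)
    return [f"{kpi.name} [{overall.upper()}]", header, row, kpi.period]


# The KPI defined on slide 45; the second trigger is an assumption.
IPS_SIGNATURE_UPDATES = KPI(
    name="Intrusion Prevention Signature Updates",
    csf="Intrusion Prevention must be properly implemented and managed (ISF-SM5.3)",
    elements=["Identified", "Tested", "Approved", "Implemented"],
    period="Monthly",
    triggers=[
        Trigger("Identified", lambda v: v["Identified"] < 1, CRITICAL,
                "fewer than 1 IPS signature update identified this month"),
        Trigger("Tested", lambda v: v["Identified"] > 0 and v["Tested"] == 0, WARNING,
                "updates identified but none tested this month (assumed rule)"),
    ],
)

# The KPI from the slide 21 example policy; trigger and weights are assumptions.
INCIDENT_RESPONSE = KPI(
    name="Incident Response Engagements",
    csf="All security incidents relating to critical business functions must be "
        "investigated and documented",
    elements=["Identified", "In-progress", "Re-Opened", "Closed"],
    period="Annual",
    triggers=[
        Trigger("Re-Opened", lambda v: v["Re-Opened"] > 0, WARNING,
                "re-opened engagements point to incomplete remediation (assumed rule)"),
    ],
    weights={"Re-Opened": 2.0},   # a re-open weighs twice as much as the other columns
)

# Element values: slide 45 (all zero), slide 48, a constructed case, slide 10.
SAMPLES = [
    (IPS_SIGNATURE_UPDATES, {"Identified": 0, "Tested": 0, "Approved": 0, "Implemented": 0}),
    (IPS_SIGNATURE_UPDATES, {"Identified": 89, "Tested": 69, "Approved": 54, "Implemented": 177}),
    (IPS_SIGNATURE_UPDATES, {"Identified": 10, "Tested": 0, "Approved": 0, "Implemented": 0}),
    (INCIDENT_RESPONSE, {"Identified": 43, "In-progress": 12, "Re-Opened": 2, "Closed": 30}),
]

if __name__ == "__main__":
    for kpi, values in SAMPLES:
        overall, _, score, fired = evaluate(kpi, values)
        print("\n".join(render_map(kpi, values, overall)))
        print(f"  health {score:.2f}; triggers: {fired or 'none'}\n")
```

Because a trigger sees every element of the map, rules can relate columns to each other (identified but untested updates) rather than only thresholding one count, and a missing element raises instead of silently rendering as zero, which would otherwise trip the "fewer than 1 identified" rule on bad data rather than on a real gap.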
  • 46. Building a security dashboard (figure: Security Management Dashboard with the aspects High-Level Direction, Security Organization, Security Requirements, Secure Environment, Security Management, Malicious Attack, Risk Acceptances, Special Topics, Review. *Includes KPIs from each aspect of Security Management)
  • 47. High-Level Direction Indicators
    • Board Level Approvals for Security Initiatives (Annual): Submitted 12, Reviewed 4, Approved 1
    • Staff Agreements (Annual): N/A 2, Current 699, Expired 455
  • 48. Malicious Attack Indicators
    • Server Virus Infections (Monthly): Identified 36, Contained 30, Cleaned 33
    • Intrusion Prevention Signature Updates (Monthly): Identified 89, Tested 69, Approved 54, Implemented 177
  • 49. Special Topic Indicators
    • E-mail Privacy Incidents (Monthly): Identified 45, Contained 30, Investigated 544, Closed 311
    • Security Audits (Annual): Defined 4, Scheduled 1, Active 4, Completed 12
  • 50. Security Organization Indicators
    • Security Committee Approvals for Security Initiatives (Annual): Submitted, Reviewed, Approved (no values shown)
    • Security Awareness Initiatives (Annual): Defined 4, Scheduled 1, Active 0, Completed 4
  • 51. Building a security dashboard (figure: the complete Security Management Dashboard assembled from the performance maps of slides 47 to 50 together with Information Security Policies: Created 8, Revised 3, Approved 11 (Annual); Security Department Initiatives: Defined 34, Scheduled 6, Active 5, Completed 44 (Annual); Remote Office Policy Violations: Low / Med / High (Annual); Incident Response Engagements: Identified 43, In-progress 12, Re-Opened 2, Closed 30 (Annual))
  • 52. Building a security dashboard (figure: chart renderings of Remote Office Policy Violations by Low / Med / High, Staff Agreements by N/A, Current and Expired, and Security Audits by Defined, Scheduled, Active and Completed)
  • 53. Building a security dashboard (figure: the dashboard of slide 51 with the charts of slide 52 in place)
  • 54. Building a security dashboard (figure: the Remote Office Policy Violations chart, Low / Med / High)
  • 55. Using your dashboard: Reviewing your dashboard allows you to:
    • Make tactical decisions on current data
    • Monitor the impact of action plans
    • Visualize the program to management
  • 56. Using your dashboard: Further enhancements include:
    • Refining reporting requirements
    • Creating multiple dashboard views
    • Creating a digital dashboard
    • Enabling alerts & escalations
  • 57. Our on-going challenge: By creating an Information Security Program Dashboard we can align, manage and communicate our program in an effective manner
  • 58. Our on-going challenge: In reality it isn’t quite that easy…
    • Define and refine the goals of your program
    • Select a handful of KPIs that can be mapped manually
    • Build performance maps that speak to your audience
    • Slowly build your dashboard capability with confidence in the supporting data
  • 59. Thanks. Michael Legary, CSA, CISSP, CISM, CISA, CCSA, CPP, GCIH, PCI-QSA, Founder & CIO, Seccuris Inc. Email: Michael.Legary@seccuris.com, Direct: 204-255-4490, Main: 204-255-4136, Fax: 204-942-6705