Metrics and Maturity

  • Take the worry out and think about the results, get
  • Different accreditable maturity levels can be adequate for organizations with different resources. A maturity level can be used as a way to show progress and as a step towards achieving higher levels. Early investment in security brings the highest return. A binary compliant / not compliant approach can discourage initial investment.

Transcript

  • 1. Metrics and Maturity. Cartagena de Indias. © ISM3 Consortium 2009
  • 3. Management. Managing is achieving results with the resources available for it. There are specific activities for management that we will call “Management Practices”.
  • 4. Management Practices. Testing: assessment of whether process outputs are as expected when test data is put in.
  • 5. Management Practices. Monitoring: checking whether the outputs of the process and the resources used are within the normal range.
  • 6. Management Practices. Improving: making changes in the process to make it more suitable for its purpose, or to reduce the usage of resources.
  • 7. Management Practices. Planning: organizing and forecasting the amount, assignment and milestones of tasks, resources, budget, deliverables and performance of a process.
  • 8. Management Practices. Assessment: how well the process matches the organization's needs and compliance goals.
  • 9. Management Practices. Audit: whether the process inputs, activities and results match their documentation.
  • 10. Management Practices. Certify: whether the process inputs, process documentation, activities and results comply with a pre-defined standard, law or regulation.
  • 11. Management Practices. Benefits realization: show how achieving security objectives contributes to achieving business objectives.
  • 12. Management and Capability. The more sophisticated your management practices, the higher your capability.
  • 13. Management. You can perform few management practices without metrics. Therefore, there is a strong link between the metrics used and capability.
  • 14. Types of Process Metrics. A metric is a quantitative measurement that can be interpreted in the context of a series of previous or equivalent measurements. It is possible to audit the capability of a process by checking the metrics used to manage it.
  • 15. Types of Process Metrics. Activity: number of outputs produced and their mean age.
  • 16. Types of Process Metrics. Scope: percentage of all input producers covered by this process.
  • 17. Types of Process Metrics. Unavailability: number, frequency and duration of interruptions in the normal operation of the process.
  • 18. Types of Process Metrics. Effectiveness: number of inputs, mean time between inputs, and percentage of inputs that produce an output.
  • 19. Types of Process Metrics. Efficiency: ratio between the number of outputs submitted and the resources for this process in actual use.
  • 20. Types of Process Metrics. Load: percentage of the resources reserved for the process that are in actual use.
  • 21. Types of Process Metrics. Quality: measure of the fitness for purpose of the outputs.
  • 22. Metrics Specification. A metric is specified by: a description of what is measured; how the metric is measured; how often the measurement is taken; how the thresholds are calculated; the current range of values considered normal for the metric; the best possible value of the metric; and the units of measurement.
  • 23. What are metrics good for? They enable performing management practices; determine whether security objectives are met (test success); show how security objectives contribute to business objectives; measure how changes in a process improve (or not) the ISM system; and inform decisions to fix or improve the ISM processes.
  • 24. What are metrics good for? Detect significant anomalies (tell normal from abnormal, saving investigation effort). Diagnosis, and the business decision it leads to:
    - Fault in the Plan-Do-Check-Act cycle leading to repetitive failures in a process: fix the process.
    - Weakness resulting from lack of transparency, partitioning, supervision, rotation or separation of responsibilities (TPSRSR): fix the assignment of responsibilities.
    - Technology fails to perform as expected: change / adapt the technology.
    - Inadequate resources: increase resources or adjust security targets.
    - Security target too high: revise the security target if the effect on the business would be acceptable.
    - Incompetence, dereliction of duty: take disciplinary action.
    - Inadequate training: institute immediate and/or long-term training of personnel.
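The metric types of slides 15 to 21, the metric specification of slide 22 and the anomaly detection of slide 24, carried through in working code. This is an added example, not code from the ISM3 Consortium or from the presentation: it computes the seven process metric types for a hypothetical patch-management process from constructed records and then compares each specified metric with a fixed normal range. The record fields, the sample figures, the interruptions, the resource hours and the threshold values are all constructed; fixed thresholds are an assumption, since the presentation leaves the threshold calculation to the metric specification.

```python
"""Added example (not from the ISM3 presentation): compute the ISM3 process
metric types for one process from constructed records, then check each metric
against its specification to tell normal from abnormal operation."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Record:
    """One input to the process (here: a vulnerability handed to a patching
    process). Constructed sample data; output_date is None when the process
    has produced no output for this input."""
    producer: str              # the system that fed the input into the process
    input_date: date
    output_date: Optional[date]
    fit_for_purpose: bool      # quality: was the output verified as correct?


@dataclass
class MetricSpec:
    """The items of a metric specification (slide 22). Thresholds are fixed
    constants here (assumption); a real system would derive them from history."""
    name: str
    description: str
    unit: str
    frequency: str
    normal_range: tuple        # (low, high), inclusive
    best_value: float


# Constructed sample: a patch-management process observed over a 30-day period.
PERIOD_END = date(2024, 6, 30)
PERIOD_DAYS = 30
ALL_PRODUCERS = {"web", "db", "mail", "vpn", "hr"}   # systems the process should cover
RESERVED_HOURS = 40.0     # resources reserved for the process this period
USED_HOURS = 32.0         # resources actually consumed
INTERRUPTIONS = [(date(2024, 6, 10), 2), (date(2024, 6, 20), 1)]   # (start, duration in days)
RECORDS = [
    Record("web", date(2024, 6, 1), date(2024, 6, 5), True),
    Record("db", date(2024, 6, 3), date(2024, 6, 10), True),
    Record("web", date(2024, 6, 7), date(2024, 6, 9), False),
    Record("mail", date(2024, 6, 12), date(2024, 6, 20), True),
    Record("db", date(2024, 6, 15), None, False),
    Record("vpn", date(2024, 6, 27), date(2024, 6, 29), True),
]

SPECS = [   # constructed thresholds
    MetricSpec("scope_pct", "share of input producers covered", "%", "monthly", (75, 100), 100),
    MetricSpec("unavailability_count", "interruptions in the period", "count", "monthly", (0, 1), 0),
    MetricSpec("effectiveness_pct", "inputs that produced an output", "%", "monthly", (90, 100), 100),
    MetricSpec("load_pct", "reserved resources in actual use", "%", "monthly", (50, 90), 75),
    MetricSpec("quality_pct", "outputs fit for purpose", "%", "monthly", (95, 100), 100),
]


def compute_metrics(records, all_producers, reserved, used, interruptions, period_end, period_days):
    """Return the ISM3 process metric types (slides 15 to 21) for one reporting period."""
    outputs = [r for r in records if r.output_date is not None]
    inputs = sorted(r.input_date for r in records)
    gaps = [(b - a).days for a, b in zip(inputs, inputs[1:])]
    m = {}
    # Activity: number of outputs produced and their mean age at period end.
    m["activity_outputs"] = len(outputs)
    m["activity_mean_age_days"] = mean((period_end - r.output_date).days for r in outputs) if outputs else 0.0
    # Scope: percentage of all input producers covered by this process.
    covered = {r.producer for r in records} & all_producers
    m["scope_pct"] = 100.0 * len(covered) / len(all_producers)
    # Unavailability: number, frequency and total duration of interruptions.
    m["unavailability_count"] = len(interruptions)
    m["unavailability_per_30_days"] = len(interruptions) * 30.0 / period_days
    m["unavailability_days"] = sum(days for _, days in interruptions)
    # Effectiveness: number of inputs, mean time between inputs, share producing an output.
    m["effectiveness_inputs"] = len(records)
    m["effectiveness_mean_days_between_inputs"] = mean(gaps) if gaps else 0.0
    m["effectiveness_pct"] = 100.0 * len(outputs) / len(records) if records else 0.0
    # Efficiency: outputs per unit of resource actually used.
    m["efficiency_outputs_per_hour"] = len(outputs) / used
    # Load: percentage of the reserved resources in actual use.
    m["load_pct"] = 100.0 * used / reserved
    # Quality: percentage of outputs that were fit for purpose.
    m["quality_pct"] = 100.0 * sum(r.fit_for_purpose for r in outputs) / len(outputs) if outputs else 0.0
    return m


def find_anomalies(metrics, specs):
    """Slide 24: tell normal from abnormal by comparing each specified metric with
    its normal range. Returns {metric name: (value, normal_range)} for the outliers."""
    anomalies = {}
    for s in specs:
        low, high = s.normal_range
        value = metrics[s.name]
        if not low <= value <= high:
            anomalies[s.name] = (value, s.normal_range)
    return anomalies


if __name__ == "__main__":
    metrics = compute_metrics(RECORDS, ALL_PRODUCERS, RESERVED_HOURS, USED_HOURS,
                              INTERRUPTIONS, PERIOD_END, PERIOD_DAYS)
    for name, value in metrics.items():
        print(f"{name:40s} {value:8.2f}")
    for name, (value, rng) in find_anomalies(metrics, SPECS).items():
        print(f"ANOMALY {name}: {value:.1f} outside normal range {rng}")
```

Each anomaly the script reports is the starting point for one of the diagnoses on slide 24: a low effectiveness or quality figure points at the process itself, while a high unavailability count more often points at the technology or the resources behind it.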
  • 25. Security Investment, Maturity Level & Risk (chart). Maturity levels on the horizontal axis: None, Basic Level, SME Level, eCommerce Level, Enterprise Level, Military Level. Series plotted: Security Investment; Risk; Risk Reduction / Additional Security Investment. Qualitative graphic; Risk Reduction / Extra Security Investment is scaled x40 for readability.
  • 26. ISM3 Maturity Levels (examples):
    - ISM3 Basic Level: significant risk reduction from technical threats, for a minimum investment in essential ISM processes. For organizations with low Information Security Targets in low-risk environments.
    - ISM3 SMEs Level: highest risk reduction from technical threats, for a significant investment in Information Security processes. For organizations with high Information Security Targets in normal or high-risk environments.
    - ISM3 Military Level: highest risk reduction from technical and internal threats, for a high and optimized investment in Information Security processes. For organizations affected by specific requirements (such as utilities and financial institutions) with high Information Security Targets in normal or high-risk environments.
  • 27. 3. Objective Definition of Maturity. Levels: Undefined, Defined, Managed, Controlled, Optimized. Management practices and metrics placed against them: Documentation, Activity, Scope, Availability, Effectiveness, Load, Coverage, Quality, Efficiency, Optimization, Assessment, Quality Improvement, Planning, Rationalization, Monitoring, Testing, Certification, Audit.
  • 28. ISM3 Capability Levels, with the metrics each level requires and the management practices it enables:
    - Basic: requires Documentation; enables Audit and Certify.
    - Defined: requires Basic, plus Activity, Scope, Unavailability and Effectiveness; enables Basic, plus Test.
    - Managed: requires Defined, plus Load; enables Defined, plus Monitor, Benefits Realization, Planning, removing weaknesses before they produce incidents, and getting feedback on the result of changes.
    - Controlled: requires Managed, plus Quality; enables Managed, plus Assessment and removing bottlenecks that hamper performance.
    - Optimized: requires Controlled, plus Efficiency; enables Controlled, plus finding points of diminishing return and making trade-offs.
  • 29. Information Security that makes Business Sense.
    - Web: inovement.es/oism3, www.inovement.es
    - Video Blog: youtube.com/user/vaceituno
    - Blog: ism3.com
    - Twitter: twitter.com/vaceituno
    - Presentations: slideshare.net/vaceituno/presentations
    - Articles: slideshare.net/vaceituno/documents
  • 30. Thank you.