
Information Security Governance: Concepts, Security Management & Metrics

The goal of information security governance is to establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.


1. IT Information Security. Copyright 1994-2017 © OxfordCambridge.Org (this picture: Trinity College, Cambridge).
2. OxfordCambridge.Org's KeyPoints and Study Notes
   ☺ There is a publication in the format of study notes to go with these KeyPoints.
   ☺ In that Study Notes publication, the KeyPoints of this presentation are developed in detail.
   ☺ Both the KeyPoints and the Study Notes files bear the same title.
   ☺ Check the Documents section of the SlideShare site to find the Study Notes.
   ☺ KeyPoints publications are located in the Presentations section of the SlideShare site.
3. +W Series - Technology Skills For Women. Men too are allowed to read this, if they wish to do so, as the language style and the document format are universal.
4. Aim of Publication: to introduce the reader or learner to Concepts, Management and Metrics as elements of Information Security Governance.
5. #1 Information Security Governance: Concepts & Management Metrics (beta). Introductory concepts @ OxfordCambridge.Org, all for free and free for all.
   The information gathered here is in KeyPoints format and may be used:
   - either to give the reader an overview before deciding on a full-scale study of the topic,
   - or as a study guide for learners expanding their knowledge of the given topic.
   Some recommendations, perhaps:
   - identify each KeyPoint on which you feel a need to expand your knowledge,
   - choose a good book or ebook, an academic journal, or reliable Internet sources,
   - and then work towards gaining that knowledge, at your own pace.
   Please enjoy!
6. Information Security Governance - Concepts, Management, Metrics – Introduction.
   ☺ The goal of information security governance is to establish and maintain a framework that provides assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.
   ☺ This publication therefore looks at the role of information security governance in an organization and at the need for senior management support for all policies and procedures that are put in place.
   ☺ This publication is the first of three dealing with the concepts of information security governance.
7. *** Structure and Flow of our KeyPoints Presentations ***
8. Information Security Governance - Concepts, Management, Metrics: Learning Objectives. After developing the KeyPoints outlined in this publication, you should be able to:
   • Identify the tasks within the information security governance job practice area.
   • Recognize the outcomes of information security governance.
   • Recognize the difference between corporate governance and information security governance.
   • Identify senior management roles with their corresponding responsibilities.
   • Identify the elements of the information security business model.
   • Recognize the interconnections between the elements of the information security business model.
   • Identify the optimal reporting relationship between senior management and the information security manager.
   • Understand reports about information security within an organization.
   • Identify the goal of converging security-related functions.
   • Identify categories of key goal indicators.
9. Information Security Governance - Concepts, Management, Metrics – Summary.
   ☺ This publication looks at the role of information security governance in an organization and at the need for senior management support for all policies and procedures that are put in place.
   ☺ You will discover the importance of information security governance in an organization and the tasks within this practice area.
   ☺ It will also help you identify the senior management responsibilities related to information security governance.
   ☺ Additionally, it presents the information security business model and the relationship between senior management and the information security manager.
   ☺ Finally, it describes information security governance metrics and highlights why they are needed for measuring information security activities.
10. Information Security Governance - Concepts, Management, Metrics - Sections List.
   • (Section 1) Introduction to Information Security Governance.
   • (Section 2) Senior Management and Information Security Governance.
   • (Section 3) Business Model for Information Security.
   • (Section 4) Practicing Information Security Governance Concepts.
   • (Section 5) Corporate Support for Information Security.
   • (Section 6) Information Security Convergence.
   • (Section 7) Information Security Governance Metrics.
   • (Section 8) Practicing Information Security Responsibilities.
11. (Section 0) How the Sections are structured – Guide.
12. (Section 1) Introduction to Information Security Governance – Summary.
   ☺ Information security governance is the set of procedures and duties performed by executive management and the board of directors to direct information security.
   ☺ It involves setting the strategic direction for information security and achieving the organization's information security objectives.
   ☺ It also ensures that the organization's information resources are used efficiently and that security risks are managed properly.
   ☺ Effective information security governance provides many benefits, such as accountability for protecting information during important business activities, reduced impact of security incidents, and risks reduced to tolerable levels.
   ☺ Effective information security governance provides six basic outcomes: strategic alignment, value delivery, risk management, performance measurement, resource management, and integration.
13. (Section 1) Introduction to Information Security Governance – HighPoints.
   • Tasks at Hand.
   • Importance.
   • Basic outcomes.
14. (Section 1) HighPoints: Tasks at Hand.
   ☺ Ensure information security strategies are aligned with business goals and objectives.
   ☺ Create and execute an information security strategy.
   ☺ Achieve the organization's information security goals and objectives.
   ☺ Formulate a strategic direction for information security activities.
   ☺ Establish and maintain information security policies that communicate management's directives.
   ☺ Guide the development of standards, procedures, and guidelines.
   ☺ Ensure the efficient utilization of information resources.
   ☺ Manage the risks related to information security.
15. (Section 1) HighPoints: Importance.
   ☺ The growth of information technology has made information a key asset for any business.
   ☺ Businesses rely heavily on information in digital form to conduct their operations.
   ☺ Information and other intangible assets comprise almost 80% of some companies' market value.
   ☺ As dependency on information increases, so does the potential for criminal activity against it.
   ☺ Organizations therefore need to address information security at the highest level.
   ☺ Information security should be treated as a governance function at board level.
   ☺ The main purpose of information security governance is to ensure the safety of information.
   ☺ Information security governance protects information from loss, misuse, unauthorized use, and destruction.
   ☺ Effective information security governance provides organizations with many benefits.
16. (Section 1) HighPoints: Basic outcomes.
   ☺ To be effective, information security governance needs to provide at least six basic outcomes.
   ☺ Strategic alignment: ensuring the information security strategy supports business goals and objectives.
   ☺ Value delivery: optimizing security investments in support of those goals and objectives.
   ☺ Risk management: reducing risks and their likely effects on information to an acceptable level.
   ☺ Performance measurement: information security processes must be monitored and the results reported to ensure organizational goals are met; this requires a set of defined and approved metrics.
   ☺ Resource management: making effective use of information security infrastructure and knowledge.
   ☺ Integration: integrating the significant assurance functions so that information security processes work as expected.
17. (Section 2) Senior Management and Information Security Governance – Summary.
   ☺ Information security governance is a board-level activity and an integral part of corporate governance.
   ☺ Corporate governance is the set of procedures and duties performed by the board of directors and executive management to direct and control an organization.
   ☺ Information security governance involves directing the implementation and management of information security.
   ☺ For information security governance to be effective, the board of directors or senior management must be actively involved in it.
18. (Section 2) Senior Management and Information Security Governance – HighPoints.
   • Corporate and Information Security Governance.
   • Senior management responsibilities.
19. (Section 2) HighPoints: Corporate and Information Security Governance.
   ☺ Increasing risks to the information that supports the business make information security an important part of the organization's governance structure.
   ☺ The board of directors should make information security governance an integral part of corporate governance.
   ☺ Executive management should ensure the effective implementation of the information security governance structure.
   ☺ Corporate governance is the set of procedures and duties performed by the board of directors and executive management to direct and control an organization.
   ☺ Information security governance is a subset of corporate governance.
   ☺ Information security governance is concerned with the policies and controls that protect information within the organization.
   ☺ Corporate governance deals with issues such as transparency in business operations.
   ☺ Information security governance deals with security activities and with mitigating risks to organizational information.
   ☺ To ensure the effectiveness of information security governance, executive management should develop a security governance framework.
20. (Section 2) HighPoints: Senior management responsibilities.
   ☺ Information security governance is one of the primary responsibilities of the board of directors and executive management.
   ☺ Members of executive management implement information security governance effectively and identify strategic information security objectives.
   ☺ Executives provide leadership and continuous support to the people involved in implementing information security.
   ☺ A steering committee involves all stakeholders affected by security and helps achieve organizational consensus on information security priorities.
   ☺ The Information Security Officer (ISO, not to be confused with the standards body) develops an information security strategy and gets it approved by senior management.
   ☺ The ISO ensures the commitment of senior management at all stages of information security governance.
   ☺ (S)he establishes reporting and communication channels across the entire organization to make sure information security governance is effective.
21. (Section 3) Business Model for Information Security – Summary.
   ☺ Organizations can integrate their key business processes by using GRC (Governance, Risk management, Compliance).
   ☺ For effective information security, Governance must be established before Risk management is implemented and Compliance is enforced.
   ☺ Apart from GRC, information security makes use of systems theory, which enables information security managers to clearly define and develop security models.
   ☺ Based on systems theory, there is an information security business model that helps in understanding the complex relationships in organizations so that security can be managed effectively.
   ☺ This model is made up of four elements linked by six dynamic interconnections.
   ☺ The elements are: organization, people, process, technology.
   ☺ The dynamic interconnections are: governance, culture, enablement and support, emergence, human factors, architecture.
22. (Section 3) Business Model for Information Security – HighPoints.
   • Elements of the model.
   • Interconnections between elements.
23. (Section 3) HighPoints: Elements of the model.
   ☺ GRC covers many interconnected activities of an organization, e.g. incident management, enterprise risk management (ERM), operational risk, internal audits, compliance programs, and several other activities.
   ☺ GRC consists of three processes: Governance, Risk Management, Compliance.
   ☺ Risk management helps to create and implement methods for mitigating risks.
   ☺ Compliance is the process of supervising the controls and methods that ensure adherence to organizational policies, standards, and procedures.
   ☺ All three GRC processes are interdependent and influence one another.
   ☺ In addition to GRC, information security governance uses Systems Theory to manage security within organizations.
   ☺ Continues …
24. (Section 3) HighPoints: Elements of the model … continued.
   ☺ In Systems Theory, a system is a network of processes, people, technologies, relationships, events, reactions, and results that interact with each other to achieve one common goal.
   ☺ Systems Theory brings a number of benefits to information security governance.
   ☺ Based on Systems Theory, there is an Information Security Business Model that helps in understanding the complex relationships in organizations so that information security can be managed effectively.
   ☺ The four elements of the model: Organization Design and Strategy, People, Process, Technology.
25. (Section 3) HighPoints: Interconnections between elements.
   ☺ The elements of the Information Security Business Model are linked through six dynamic interconnections that keep each element aligned with business goals and objectives.
   ☺ They are: Governance, Culture, Enablement and Support, Emergence, Human Factors, Architecture.
   ☺ The Governance interconnection links the organization and process elements.
   ☺ Where Governance connects the organization to its processes, Culture links the organization to its people.
   ☺ Enablement and Support links the technology and process elements, as it involves creating security policies, guidelines, and standards that support business needs.
   ☺ Emergence links the people and process elements; it denotes patterns in the life of organizations that arise and develop without clear cause, with results that are difficult to foresee and control.
   ☺ Continues …
26. (Section 3) HighPoints: Interconnections between elements … continued.
   ☺ People are linked with technology through the Human Factors interconnection, which covers the interaction and the gap between these two elements.
   ☺ Technology is also linked to the organization in which it is used; the Architecture interconnection establishes this link.
   ☺ To understand the need for information security and to create a security architecture, it is important to have a strong business information architecture in place.
27. (Section 4) Practicing Information Security Governance Concepts – Summary.
   ☺ This section comprises a series of exercises for practicing recognition of the key concepts of information security governance, the management roles associated with it, and the business model for implementing it.
   ☺ This involves a few tasks: identifying the need for information security governance; recognizing management responsibilities related to information security governance; identifying the elements and their interconnections in the information security business model.
28. (Section 4) Practicing Information Security Governance Concepts – HighPoints.
   • Quiz - Identifying the need.
   • Quiz - Recognizing management roles.
   • Quiz - Identifying elements & interconnections.
29. (Section 5) Corporate Support for Information Security – Summary.
   ☺ To have a successful security program in the organization, the information security manager (ISM) needs to ensure that senior management is committed to the program.
   ☺ To obtain senior management support, the ISM can create a formal presentation covering the important aspects of information security.
   ☺ The ISM can use business cases to build a better understanding of information security.
   ☺ Additionally, (s)he should ensure that employees also support the security program.
   ☺ After obtaining senior management commitment, the ISM should provide periodic reports to senior management on the current state of the information security program.
   ☺ (S)he ensures all stakeholders are aware of information security programs, via formal and informal reporting structures for specific groups (senior management, employees, process owners, other management).
30. (Section 5) Corporate Support for Information Security – HighPoints.
   • Optimal reporting relationship.
   • Communication and reporting channels.
31. (Section 5) HighPoints: Optimal reporting relationship.
   ☺ The increasing use of information technology to access, process, store, and share information has brought organizations many benefits and opportunities.
   ☺ However, the use of information technology has also made information more vulnerable to misuse and damage.
   ☺ Firms recognize the need to protect information assets and manage the related activities by employing dedicated information security managers.
   ☺ Information security managers act as process owners for the ongoing activities that help organizations protect the confidentiality, integrity, and availability of their information assets.
   ☺ Organizations place information security managers at different levels of the reporting hierarchy: a good proportion report to the chief executive officer (CEO), others to the chief information officer (CIO), and some to the board of directors.
   ☺ The information security manager role may carry the title of chief security officer (CSO) or chief information security officer (CISO), reporting to the company's CEO.
   ☺ Continues …
32. (Section 5) HighPoints: Optimal reporting relationship … continued.
   ☺ Reporting to the CEO is considered optimal because it allows direct interaction between the information security manager and the CEO.
   ☺ This structure leads to direct alignment of security objectives with business goals.
   ☺ In some structures the IT manager acts as information security manager; this may be adequate for implementing security activities.
   ☺ Nevertheless, it is considered suboptimal because the information security manager cannot interact directly with the CEO.
   ☺ Also, the objectives of the information security manager often conflict with the IT manager's goals.
   ☺ More importantly, without senior management support, information security programs are likely to fail.
   ☺ To gain senior management commitment to the security program, information security managers need to educate senior management about the benefits of information security.
   ☺ In addition to senior management, employees too need to be convinced of the benefits of information security.
33. (Section 5) HighPoints: Communication and reporting channels.
   ☺ The information security manager is responsible for ensuring that all stakeholders (senior management, employees) are aware of the existence of the information security governance structure.
   ☺ Proper reporting and communication channels ensure all stakeholders receive the information they need.
   ☺ Information security managers need to establish well-organized communication channels.
   ☺ Creating a formal reporting procedure and providing periodic reports to senior management on the performance of information security management is a must.
   ☺ Besides formal reporting, regular informal reporting on information security is critical for the smooth running of security programs.
   ☺ The target groups are those dealing with specific security-related issues in the organization: business process owners, senior management, employees, department heads, supervisors, line managers.
34. (Section 6) Information Security Convergence – Summary.
   ☺ Security convergence helps to bridge the gaps resulting from the segmentation of security-related functions; this is achieved by integrating the different assurance processes within the organization.
   ☺ It prevents security overlaps across different functions while ensuring well-defined roles and responsibilities.
   ☺ Security convergence aligns security activities with business goals to deliver shareholder value.
   ☺ Without security convergence, organizations may ignore the interdependency of risks, sub-optimize the cost of dealing with risks, and allow inconsistent language and terminology across different reporting structures.
   ☺ Several factors have contributed to the adoption of security convergence: technological development is obscuring the boundaries between the information security and physical security functions.
   ☺ Security convergence is necessary because of new business threats, the need for a systematic approach to minimize risks and maximize resource utilization, and the increase in information-based assets.
35. (Section 6) Information Security Convergence – HighPoints.
   • Understanding security convergence.
   • Benefits of security convergence.
   • Overlap of information security and physical security.
   • Merging information security functions.
   • Holistic approach to security.
36. (Section 6) HighPoints: Understanding security convergence.
   ☺ It is not uncommon in organizations for different security-related activities to fall under different security functions.
   ☺ Information security and physical security are distinct security functions in an organization. Combining these functions under a common head is called security convergence.
   ☺ Security convergence is the integration of the organization's assurance processes, such as change management, risk management, human resources, audit, and compliance.
   ☺ The main objective of security convergence is to reduce the gaps resulting from the segmentation of the various security-related functions in an organization.
   ☺ These gaps arise because the security functions are generally interdependent.
   ☺ Professional organizations that support convergence include ASIS International, ISACA (Information Systems Audit and Control Association), and ISSA (Information Systems Security Association).
   ☺ Together they established the Alliance for Enterprise Security Risk Management (AESRM) to encourage security professionals to converge the security functions within their organizations.
37. (Section 6) HighPoints: Benefits of security convergence.
   ☺ Gaps arise because security functions are generally interdependent.
   ☺ Security convergence prevents security overlaps across different functions and reduces the number of security functions, making them easier to follow and manage and providing a streamlined security process.
   ☺ Security convergence also ensures well-defined roles and responsibilities, reducing issues such as ineffective communication and duplication of work.
   ☺ Moreover, security convergence takes all assurance functions into account when implementing a security strategy.
   ☺ In turn, this helps evaluate the phases of the business process and minimizes the gaps resulting from segmented security functions.
   ☺ It also aligns security objectives with business goals.
   ☺ Where information sharing is involved, implementing security convergence helps coordinate actions to manage risks.
38. (Section 6) HighPoints: Overlap of information security and physical security.
   ☺ Information security is generally affected by the physical aspects of an organization's security (physical security).
   ☺ Physical security measures prevent unauthorized physical access to an organization's critical data.
   ☺ With advanced technologies, critical data can also be accessed remotely; physical security alone is therefore insufficient to secure information.
   ☺ Strong information security is also needed to secure critical data and applications in organizations.
   ☺ While physical security and information security are interdependent, they have different goals: physical security functions focus on controlling physical access to the organization, whereas information security functions focus on securing networks and data.
39. (Section 6) HighPoints: Merging information security functions.
   ☺ If information security and physical security work in isolation, security gaps are bound to occur.
   ☺ If proper physical security measures control physical access to buildings but nothing prevents unauthorized remote access, critical business data is still at risk.
   ☺ To prevent such gaps, the physical and information security functions need to work in close coordination.
   ☺ And to ensure coordination between all security functions, security convergence must be implemented.
   ☺ AESRM (Alliance for Enterprise Security Risk Management) encourages security professionals to converge security functions.
   ☺ Security professionals merge security functions because several issues arise when security is fragmented across an organization.
   ☺ Because of this overlap, the functional boundaries between information security and physical security become less distinct and call for security convergence.
40. (Section 6) HighPoints: Holistic approach to security.
   ☺ As the complexity of business transactions increases, it becomes difficult to keep to the defined regulatory and compliance guidelines.
   ☺ Security managers must therefore view and assess organizational risks at a global level, hence the demand for security convergence.
   ☺ With complex organizational charts and business transactions, it has become difficult to make the most of security resources while minimizing the associated risks.
   ☺ By applying security convergence with a risk-based approach, one can budget for the most critical risks, which reduces the overall cost of implementing security and increases the efficiency of security resources.
   ☺ If, instead of security convergence, security professionals followed a fragmented approach to security, the resulting security incidents would increase financial risk, reputational risk, and risk to the public good.
   ☺ A holistic approach, by contrast, considers organizational structure, processes, and culture in addition to assets.
   ☺ Continues …
41. (Section 6) HighPoints: Holistic approach to security … continued.
   ☺ Of course, this requires a management change that gives people the authority to prevent possible risks.
   ☺ An effective approach to security convergence brings together people, technology, and processes in any organization.
   ☺ This way, the business becomes secure and the organization is enabled to deal with security incidents by quickly detecting, responding to, and finally recovering from them.
42. (Section 7) Information Security Governance Metrics – Summary.
☺ Security metrics help measure security or risk based on the desired outcomes of the security program.
☺ A good metric is specific, measurable, and attainable.
☺ Effective security metrics provide information specific to roles and responsibilities, so that senior management can use it for decision making.
☺ Measures such as security metrics, technical metrics, vulnerability scans, and audit and risk assessment activities help to understand the level of security in an organization.
☺ Additionally, information security professionals can use metrics such as ROSI, VAR, and ALE to measure various security aspects.
☺ However, these metrics alone don’t provide enough information to make concrete security decisions.
☺ This leads to the need for effective information security governance metrics, which use technical data to measure how close the information security governance program is to its defined objectives.
☺ The best information security governance metrics include KGIs and KPIs.
☺ KGIs specify what is to be achieved (the desired outcome), while KPIs provide the measure of performance.
43. (Section 7) Information Security Governance Metrics – HighPoints.
- Need for security metrics.
- Technical metrics.
- Security metrics.
- Other metrics.
- Effective information security governance metrics.
- Organizational business goals.
- Risk management.
- Manage information security resources.
44. (Section 7) HighPoints: The need for metrics.
☺ Metrics are standard measures that help evaluate the performance of a specific attribute against a reference point. This reference point indicates the desired outcome of an activity.
☺ The main purpose of any metric is to support the decision-making process.
☺ For effective information security governance, it is good to have security metrics that can measure the performance of security activities.
☺ Effective security metrics should provide information specific to the roles and responsibilities of security functions, so that senior management can use them when making decisions.
☺ Presenting appropriate metrics not only helps to gain senior management support, but also enables information security managers to obtain sufficient budget and resources to support the security program.
☺ Criteria are needed to determine whether a metric is appropriate for a task, and to make sure that metrics are meaningful, accurate, and so on.
45. (Section 7) HighPoints: Technical metrics.
☺ Usually, management focuses on gathering technical metrics: the number of antivirus programs, the types of firewalls used, the capacity of data storage systems, etc.
☺ Such metrics provide information on the IT security infrastructure but are of no help in the overall management of the information security program.
☺ Indeed, technical metrics can help IT personnel resolve day-to-day operational issues related to the use of the security infrastructure, but they don't provide information on how well information security risks are managed.
☺ Moreover, technical metrics fail to address key information security objectives.
46. (Section 7) HighPoints: Security metrics.
☺ Security metrics provide valuable information about security aspects.
☺ These include metrics such as the number of security breaches, incidents logged, vulnerabilities detected during virus scans, downtime due to server failure or virus attacks, and recovery period.
☺ While these metrics may indicate the effectiveness of the security infrastructure to some extent, they don't provide the information management needs to make decisions on strengthening information security.
☺ Many organizations also conduct regular audits and comprehensive risk assessment programs to identify gaps in information security.
☺ Although these measures can help in assessing the existing information security infrastructure, they alone won't help management make security decisions.
47. (Section 7) HighPoints: Other metrics.
☺ While it may not be possible to ensure absolute information security, information security managers can get valuable information about security measures by using other metrics.
☺ These other metrics help estimate security in terms of effects and outcomes, probabilities, and attributes.
☺ They are: Return on Security Investment (ROSI), Value at Risk (VAR), and Annual Loss Expectancy (ALE).
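As an added illustration (not part of the original slides) of two of the metrics just named, the following computes ALE for one risk and ROSI for several candidate controls, then ranks the controls by return, which is the kind of risk-based budgeting the earlier slides describe. The formulas are the standard industry ones (ALE = SLE × ARO, ROSI in the form ENISA uses), not definitions given on the page, and all figures and control names are constructed.

```python
# Added illustration, not from the slides: ALE and ROSI for one risk and
# several candidate controls. Formulas are the standard ones (ALE = SLE x ARO;
# ROSI in the form ENISA uses); all figures below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: cost of one occurrence
    aro: float  # annualized rate of occurrence: expected events per year

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # what the control costs per year
    mitigation_ratio: float  # fraction of the risk's ALE it removes (0..1)

def ale(risk: Risk) -> float:
    """Annual loss expectancy: expected yearly loss from this risk."""
    return risk.sle * risk.aro

def rosi(risk: Risk, control: Control) -> float:
    """(ALE * mitigation_ratio - cost) / cost. Negative means the control
    costs more per year than the loss it is expected to avoid."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    avoided_loss = ale(risk) * control.mitigation_ratio
    return (avoided_loss - control.annual_cost) / control.annual_cost

def rank_controls(risk: Risk, controls: list) -> list:
    """Candidate controls ordered by ROSI, highest first, so the budget
    goes to the option with the best expected return for this risk."""
    scored = [(c.name, rosi(risk, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed scenario (hypothetical figures).
PHISHING = Risk("credential phishing", sle=50_000.0, aro=2.0)  # ALE 100,000
CANDIDATES = [
    Control("awareness training", 20_000.0, 0.70),      # ROSI +2.50
    Control("phishing-resistant MFA", 60_000.0, 0.90),  # ROSI +0.50
    Control("extra mail filtering", 40_000.0, 0.30),    # ROSI -0.25
]

if __name__ == "__main__":
    for name, value in rank_controls(PHISHING, CANDIDATES):
        print(f"{name:25s} ROSI = {value:+.2f}")
```

A negative ROSI, as for the third control, is exactly the "budget for the most critical risks" signal the holistic slides call for: the metric shows where spending does not pay back.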
48. (Section 7) HighPoints: Effective information security governance metrics.
☺ Although many security metrics and activities are available, none provides detailed information about the management of risks, the alignment of security objectives with business objectives, or the progress of the security program.
☺ Nor do these metrics or activities provide enough information to determine exactly how secure the organization is.
☺ This creates the need for effective information security governance metrics.
☺ Effective information security governance metrics use technical data to measure how close the information security governance program is to its objectives.
☺ The main components of information security governance metrics are high-level senior management support, measurable performance metrics, security policies and procedures with commitment from the enforcing authority, and result-oriented metrics analysis.
☺ The two most useful types of metric are key goal indicators (KGIs) and key performance indicators (KPIs).
☺ KGIs and KPIs help identify whether the defined objectives are met, and also provide information about achieving process and service goals.
49. (Section 7) HighPoints: Organizational business goals.
☺ An organization’s business goals are the key reference points for measuring the cost effectiveness of information security activities.
☺ To validate the alignment of security activities with business goals, information security managers need to develop a security strategy that uses business language to define security objectives.
☺ Such security objectives cover all phases, from planning to implementation of processes, procedures, policies, standards, and technology.
☺ When security activities are aligned with business goals, they deliver value to the business by optimizing the cost of security and using controls that meet acceptable risk levels.
☺ That value delivery indicates the cost effectiveness of security activities that are closely tied to business goals.
☺ Key indicators exist for measuring the alignment of security activities with business goals.
50. (Section 7) HighPoints: Risk management.
☺ Risk management is another key goal indicator (KGI) for security metrics.
☺ This KGI is the process that manages and minimizes risks in an organization with the intent of achieving defined business goals.
☺ Risk management is a part of information security governance, and when implementing a risk management program, it may not be possible to measure its strength directly.
☺ However, by setting objectives and expectations, you can find out whether the program is proceeding as expected and whether resources are allocated appropriately.
☺ A successful risk management program provides measures that reduce the harmful effects of security incidents on the organization to a level acceptable for its business goals.
☺ The objective of risk management is to minimize the impact of computer security incidents on the organization; to do so, information security managers ensure that several security measures are implemented (e.g. installation of antivirus programs, etc.).
51. (Section 7) HighPoints: Manage information security resources.
☺ In addition to managing risks, information security managers need to organize information security resources (people, processes, technologies) for effective information security.
☺ The purpose of resource management is to minimize costs and maximize the efficient utilization of these resources.
☺ Inconsistent controls and poorly defined processes are likely to increase administrative and training costs, and indicate inefficient resource management.
☺ Information security managers must develop security metrics that are aligned to resource management objectives.
☺ Effective resource management in an organization shows signs such as the absence of frequent problem rediscovery and the use of security resources to safeguard information assets from threats.
52. (Section 8) Practicing Information Security Responsibilities – Summary.
☺ Learn to recognize key concepts related to information security management.
☺ This involves recognizing the optimal reporting relationships, identifying key security metrics, and converging security-related functions.
53. (Section 8) Practice - Achieving effective information security – HighPoints.
- Achieving effective information security.
- Context for Quizzes.
- Quiz 1. (See more in Study Notes).
- Quiz 2. (See more in Study Notes).
- Quiz 3. (See more in Study Notes).
54. (Section 8) HighPoints: Context for Quizzes.
☺ Valentina is an information security manager in an organization and wants to have effective information security in the organization.
☺ For this, she wants to implement the best reporting structure, develop metrics to assess the effectiveness of the information security strategy, and converge security-related functions in the organization.
55. (Section 8) HighPoints: Quiz 1.
☺ The senior management in the organization is headed by a president. The IT managers, senior project managers, chief technology officer, and other functional managers report to the president.
☺ Valentina wants to establish a reporting structure that helps her avoid any conflict of interest and achieve effective information security.
☺ Select the position description for Valentina’s role that indicates the best reporting structure (See more in Study Notes).
56. (Section 8) HighPoints: Quiz 2.
☺ The organization provides online banking services to its customers, and its goal is to protect customers' account information and provide safe transaction modes.
☺ Valentina wants to implement an information security strategy in the organization, and for that she wants to use several metrics to assess the effectiveness of her information security strategy.
☺ Match each category of metrics to its examples (See more in Study Notes).
57. (Section 8) HighPoints: Quiz 3.
☺ Valentina also wants to converge security-related functions in the organization to bridge the gaps that result from segmenting these functions.
☺ What are the keys to effective information security convergence? (See more in Study Notes).
61. We shall always be on SlideShare!