Metrics and Maturity

  1. Metrics and Maturity. Cartagena de Indias. © ISM3 Consortium 2009
  3. Management Practices
     • Managing is achieving results with the resources available for it. There are specific activities for management that we will call “Management Practices”.
  4. Management Practices
     • Testing: assessment of whether process outputs are as expected when test data is put in.
  5. Management Practices
     • Monitoring: checking whether the outputs of the process and the resources used are within the normal range.
  6. Management Practices
     • Improving: making changes in the process to make it more suitable for its purpose, or to reduce the usage of resources.
  7. Management Practices
     • Planning: organizing and forecasting the amount, assignment and milestones of tasks, resources, budget, deliverables and performance of a process.
  8. Management Practices
     • Assessment: how well the process matches the organization's needs and compliance goals.
  9. Management Practices
     • Audit: whether the process inputs, activities and results match their documentation.
  10. Management Practices
     • Certify: whether the process inputs, process documentation, activities and results comply with a pre-defined standard, law or regulation.
  11. Management Practices
     • Benefits realization: show how achieving security objectives contributes to achieving business objectives.
  12. Management and Capability
     • The more sophisticated your management practices, the higher your capability.
  13. Management
     • You can perform few management practices without metrics.
     • Therefore, there is a strong link between the metrics used and capability.
  14. Types of Process Metrics
     • A metric is a quantitative measurement that can be interpreted in the context of a series of previous or equivalent measurements.
     • It is possible to audit the capability of a process by checking the metrics used to manage it.
  15. Types of Process Metrics
     • Activity: number of outputs produced and their mean age.
  16. Types of Process Metrics
     • Scope: percentage of all input producers covered by this process.
  17. Types of Process Metrics
     • Unavailability: number, frequency and duration of interruptions in the normal operation of the process.
  18. Types of Process Metrics
     • Effectiveness: number of inputs, mean time between inputs, and percentage of inputs that produce an output.
  19. Types of Process Metrics
     • Efficiency: ratio between the number of outputs submitted and the resources available to this process that are in actual use.
  20. Types of Process Metrics
     • Load: percentage of the resources reserved for the process that are in actual use.
  21. Types of Process Metrics
     • Quality: measure of the fitness for purpose of the outputs.
  22. Metrics Specification
     • Description of what is measured
     • How the metric is measured
     • How often the measurement is taken
     • How the thresholds are calculated
     • Current range of values considered normal for the metric
     • Best possible value of the metric
     • Units of measurement
  23. What are metrics good for?
     • Enable performing management practices.
     • Determine whether security objectives are met (test success).
     • Show how security objectives contribute to business objectives.
     • Measure how changes in a process improve (or not) the ISM system.
     • Inform decisions to fix or improve the ISM processes.
  24. What are metrics good for?
     • Detect significant anomalies (tell normal from abnormal, saving investigation effort).
     Diagnosis → Business decision:
     • Fault in the Plan-Do-Check-Act cycle leading to repetitive failures in a process → Fix the process.
     • Weakness resulting from lack of transparency, partitioning, supervision, rotation or separation of responsibilities (TPSRSR) → Fix the assignment of responsibilities.
     • Technology failure to perform as expected → Change / adapt the technology.
     • Inadequate resources → Increase resources or adjust security targets.
     • Security target too high → Revise the security target if the effect on the business would be acceptable.
     • Incompetence, dereliction of duty → Take disciplinary action.
     • Inadequate training → Institute immediate and/or long-term training of personnel.
  25. Security Investment, Maturity Level & Risk (chart)
     • Horizontal axis, ISM3 Maturity Levels: None, Basic Level, SME Level, eCommerce Level, Enterprise Level, Military Level.
     • Series plotted: Security Investment; Risk; Risk Reduction / Additional Security Investment.
     • Qualitative graphic. Risk Reduction / Extra Security Investment is scaled x40 for readability.
  26. ISM3 Maturity Levels (examples)
     • ISM3 Basic Level: significant risk reduction from technical threats, for a minimum investment in essential ISM processes. For organizations with low Information Security Targets in low-risk environments.
     • ISM3 SMEs Level: highest risk reduction from technical threats, for a significant investment in Information Security processes. For organizations with high Information Security Targets in normal or high-risk environments.
     • ISM3 Military Level: highest risk reduction from technical and internal threats, for a high and optimized investment in Information Security processes. For organizations affected by specific requirements (such as utilities and financial institutions) with high Information Security Targets in normal or high-risk environments.
  27. 3 – Objective Definition of Maturity (table; original slide in Spanish)
     • Maturity levels: Undefined, Defined, Managed, Controlled, Optimized.
     • Rows: Management Practices; Documentation; Activity; Scope; Availability; Effectiveness; Load; Coverage; Quality; Efficiency; Optimization; Assessment; Quality Improvement; Planning; Rationalization; Monitoring; Testing; Certification; Audit.
  28. ISM3 Capability Levels (Capability Level | Metrics Requirements | Enabled Management Practices)
     • Basic | Documentation | Audit and Certify.
     • Defined | Basic, plus Activity, Scope, Unavailability and Effectiveness | Basic, plus Test.
     • Managed | Defined, plus Load | Defined, plus Monitor, Benefits Realization, Planning, removing weaknesses before they produce incidents, and getting feedback on the result of changes.
     • Controlled | Managed, plus Quality | Managed, plus Assessment and removing bottlenecks that hamper performance.
     • Optimized | Controlled, plus Efficiency | Controlled, plus finding points of diminishing return and making trade-offs.
  29. Information Security that makes Business Sense. Links: Web, Video Blog, Blog, Twitter, Presentations, Articles.
  30. THANK YOU
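The Metrics Specification fields (slide 22) and the anomaly detection of slide 24, worked as an added Python example that is not ISM3 Consortium code: the normal range is calculated from the series of previous measurements (mean plus or minus k standard deviations, an assumption of this example, as is the rule of keeping outliers out of the history), and the series is a constructed weekly Unavailability measurement in minutes of interruption.

```python
# Added example (not ISM3 Consortium code): a Metrics Specification record
# whose "normal range" is derived from the series of previous measurements,
# used to tell normal from abnormal as slide 24 describes.
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class MetricSpec:
    description: str      # what is measured
    how_measured: str     # how the metric is measured
    period: str           # how often the measurement is taken
    units: str            # units of measurement
    best_value: float     # best possible value of the metric
    k: float = 3.0        # thresholds = mean +/- k * stdev of history (assumption)
    history: list = field(default_factory=list)

    def thresholds(self):
        """Current range considered normal; None until 3 measurements exist."""
        if len(self.history) < 3:
            return None
        mu, sigma = mean(self.history), pstdev(self.history)
        return (mu - self.k * sigma, mu + self.k * sigma)

    def observe(self, value):
        """Interpret one measurement in the context of the previous ones.
        Anomalies are not added to the history, so a single outlier does
        not widen the normal range (a design choice of this example)."""
        rng = self.thresholds()
        if rng is None:
            self.history.append(value)
            return "baseline"
        lo, hi = rng
        if lo <= value <= hi:
            self.history.append(value)
            return "normal"
        return "anomaly"


def run_example():
    """Constructed weekly Unavailability series with one outlier (week 9)."""
    spec = MetricSpec(
        description="Unavailability: duration of interruptions of the process",
        how_measured="sum of outage minutes recorded in the operations log",
        period="weekly", units="minutes", best_value=0.0)
    weeks = [10, 12, 9, 11, 10, 13, 11, 10, 45, 12]   # constructed sample data
    statuses = [spec.observe(v) for v in weeks]
    return statuses, spec
```

Week 9 (45 minutes) falls outside the range built from the eight earlier weeks and is flagged for diagnosis along the lines of the slide 24 table, while week 10 is judged against a history that the outlier did not distort.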
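The Capability Levels table (slide 28) turned into the audit that slide 14 mentions, as an added Python example that is not ISM3 Consortium code: given the metrics a process actually uses, it reports the highest level reached and what is missing for the next one; the requirements are cumulative, so a higher-level metric collected early does not raise the level on its own.

```python
# Added example (not ISM3 Consortium code): audit a process's ISM3 capability
# level from the metrics used to manage it, following the Capability Levels
# table. Requirements are cumulative: each level needs all metrics of the
# levels below it plus its own.
LEVEL_METRICS = [
    ("Basic", {"Documentation"}),
    ("Defined", {"Activity", "Scope", "Unavailability", "Effectiveness"}),
    ("Managed", {"Load"}),
    ("Controlled", {"Quality"}),
    ("Optimized", {"Efficiency"}),
]


def capability_level(metrics_in_use):
    """Return (level reached, next level, metrics missing for the next level).
    Level reached is None when even Basic is not met; next level is None
    once Optimized is reached."""
    have = set(metrics_in_use)
    required, reached = set(), None
    for level, extra in LEVEL_METRICS:
        required |= extra
        missing = sorted(required - have)
        if missing:
            return reached, level, missing
        reached = level
    return reached, None, []


def audit_report(process, metrics_in_use):
    """One-line finding for a process, as it would go into an audit record."""
    reached, nxt, missing = capability_level(metrics_in_use)
    if nxt is None:
        return f"{process}: Optimized (all metric requirements met)"
    return (f"{process}: {reached or 'below Basic'}; to reach {nxt} add "
            + ", ".join(missing))
```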