As Information Security professionals we often look beyond scorecards to the nuts and bolts under the hood. We need metrics, and we need them from two perspectives: 1) to keep an eye on risks and vulnerabilities, and 2) to measure and report our contribution to the business. You may be familiar with dashboards and SIM/SEM/SIEM, but these solutions are not often deployed with the second perspective in mind. Let’s take a look at some useful metrics for an ISMS based on ISO 27002, and where to get the metrics from.

Some of the metrics mentioned below may be generated automatically by software/systems, some may be calculated from values stored in other systems, and any number of them may be entered manually. The most common source happens to be the Risk Register, which highlights the importance of successfully identifying risk. For example, a system acquisition may be baselined through a Risk Assessment that in turn provides the basis for metrics. Also worth noting is that compliance is just another category of risk: whilst it may be an important form of risk to be managed, it should be managed and measured in the same way as other risks.

Information Security Policy

Information Security Policy

  • Metric: Percentage (%) of each ISO 27001 section for which policies exist
  • Source: Information Security Scorecard and/or Risk Register

Organisation of Information Security

Internal Organisation

  • Metric: Percentage (%) of Business Units with assigned Information Asset Owners
  • Source: Roles and Responsibilities Matrix and/or Asset Register

External Organisation

  • Metric: Percentage (%) of Third Party connections with accepted Risk Assessment
  • Source: Risk Register

Asset Management

Responsibility for Information Assets

  • Metric: Percentage (%) of assets with an assigned owner
  • Source: Asset Register

Information Classification

  • Metric: Percentage (%) of assets with an agreed classification
  • Source: Asset Register

Human Resources Security

Prior to Employment

  • Metric: Percentage (%) of employees (inc. contractors) that have been screened
  • Source: HR Database and/or screening service provider

During Employment

  • Metric: Percentage (%) of employees who have participated in security awareness
  • Source: HR Database and/or training service provider

Termination or Change of Employment

  • Metric: Percentage (%) of accounts belonging to terminated/moved employees
  • Source: Identity Management System (HR Database and Account Directories)
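The metric above is the one in this list that most clearly has to be calculated rather than read off a single system: an account directory does not know that its owner has left, so the HR database and the directory export must be joined. The following added example (not code from the original post) shows that join; the record layouts, field names, sample data and the "moved but role not recertified" rule are constructed assumptions, not any product's schema.

```python
"""Added example: deriving the 'accounts belonging to terminated/moved employees'
metric by joining an HR extract with an account directory export.
All records below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str        # assumed values: "active", "terminated" or "moved"
    department: str    # current department (new one after a move)
    effective: date    # date the status took effect


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str   # link back to HR; empty string if the account is unmapped
    enabled: bool
    department: str    # department the account's role/grants were issued for


# Constructed HR extract (assumed field layout).
HR = [
    HrRecord("E001", "active", "IT", date(2020, 1, 6)),
    HrRecord("E002", "terminated", "Finance", date(2024, 3, 1)),
    HrRecord("E003", "moved", "Marketing", date(2024, 4, 15)),   # was in Sales
    HrRecord("E004", "terminated", "Ops", date(2024, 9, 1)),     # notice period, future
]

# Constructed directory export (assumed field layout).
ACCOUNTS = [
    Account("alice", "E001", True, "IT"),
    Account("bob", "E002", True, "Finance"),
    Account("carol", "E003", True, "Sales"),     # still carries old department's role
    Account("dave", "E004", True, "Ops"),
    Account("svc_backup", "", True, "IT"),       # no HR owner at all
    Account("bob_old", "E002", False, "Finance"),  # already disabled, not counted
]


def orphaned_accounts(hr, accounts, as_of):
    """Return (username, reason) for every enabled account whose owner has been
    terminated, has moved department without the role being recertified, or
    cannot be matched to an HR record at all."""
    by_id = {h.employee_id: h for h in hr}
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        h = by_id.get(a.employee_id)
        if h is None:
            findings.append((a.username, "no HR record"))
        elif h.status == "terminated" and h.effective <= as_of:
            findings.append((a.username, "owner terminated"))
        elif h.status == "moved" and h.effective <= as_of and h.department != a.department:
            findings.append((a.username, "owner moved, role not recertified"))
    return findings


def metric_percentage(findings, accounts):
    """Metric value: orphaned accounts as a percentage of enabled accounts."""
    enabled = [a for a in accounts if a.enabled]
    if not enabled:
        return 0.0
    return round(100.0 * len(findings) / len(enabled), 1)


if __name__ == "__main__":
    as_of = date(2024, 6, 30)
    found = orphaned_accounts(HR, ACCOUNTS, as_of)
    for username, reason in found:
        print(f"{username}: {reason}")
    print(f"Metric: {metric_percentage(found, ACCOUNTS)}% of enabled accounts")
```

Note that a future-dated termination (dave) is not counted until its effective date, so the same two extracts give a different figure depending on the reporting date; the metric should therefore always be recorded together with the `as_of` date it was calculated for.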

Physical and Environmental Security

Secure Areas

  • Metric: Percentage (%) of office sites with an up-to-date security plan
  • Source: Physical Security Reporting

Equipment Security

  • Metric: Percentage (%) of checks that have revealed unauthorised movement
  • Source: Physical Security Reporting

Communications and Operations Management

Operating Procedures and Responsibilities

  • Metric: Percentage (%) of production systems without critical/severe patches
  • Source: Patch Management System (e.g. Microsoft System Centre Operations Manager)

Third Party Service Management

  • Metric: Percentage (%) of third party connections with agreements and reporting
  • Source: Risk Register

System Planning and Acceptance

  • Metric: Trend of emergency and unsuccessful/reversed changes
  • Source: Change Register

Protection Against Malicious Code

  • Metric: Trend of malicious code detected and stopped
  • Source: Anti-X systems (e.g. email, web and desktop)

Backup

  • Metric: Percentage (%) of successful backups
  • Source: Backup systems (e.g. tapes and SQL Server)

Network Security

  • Metric: Trend of network security incidents
  • Source: Network infrastructure (e.g. firewall, IDS/IPS, routers/switches)

Media Handling

  • Metric: Trend of encrypted data transfers
  • Source: End Point security system (e.g. USB/CD port auditing)

Exchange of Information

  • Metric: Percentage (%) of Third Party links for which requirements have been met
  • Source: Risk Register

Electronic Commerce Services

  • Metric: Percentage (%) of online systems without critical/severe vulnerabilities
  • Source: Patch and Vulnerability Management systems

Monitoring

  • Metric: Percentage (%) of systems subject to active security monitoring
  • Source: Asset Management and Security Event Management system

Access Control

Business Requirements for Access Control

  • Metric: Percentage (%) of production systems with owners and role based rules
  • Source: Asset Register and Identity Management system

User Access Management

  • Metric: Percentage (%) of production systems subject to recertification
  • Source: Identity Management system

User Responsibilities

  • Metric: Percentage (%) of job descriptions documented and accepted
  • Source: HR Database

Network Access Control

  • Metric: Percentage (%) of endpoints subject to network segregation
  • Source: Network infrastructure

Operating System Control

  • Metric: Percentage (%) of operating systems controlled by secure logon procedure
  • Source: Operating systems (e.g. Microsoft System Centre Operations Manager)

Application and Information Access Control

  • Metric: Percentage (%) of applications with a certified Access Control Plan
  • Source: Identity Management system (i.e. Role Management)

Mobile Computing and Teleworking

  • Metric: Percentage (%) of mobile and home workers in compliance with standards
  • Source: Risk Register

Information System Lifecycle

Security Requirements

  • Metric: Percentage (%) of production systems with documented requirements
  • Source: Risk Register

Correct Processing in Applications

  • Metric: Percentage (%) of production systems with adequate data validation
  • Source: Vulnerability Management system

Cryptographic Controls

  • Metric: Percentage (%) of production systems with compliant cryptography
  • Source: Risk Register

Security of System Files

  • Metric: Percentage (%) of production systems assessed as compliant
  • Source: Risk Register

Security of Development and Support Practices

  • Metric: Percentage (%) of production applications produced under version control
  • Source: Risk Register

Technical Vulnerability Management

  • Metric: Percentage (%) of online systems without critical/severe vulnerabilities
  • Source: Patch and Vulnerability Management system

Information Security Incident Management

Reporting Information Security Events and Weaknesses

  • Metric: Trend of observations received relating to information security
  • Source: Risk Register

Management of Information Security Incidents and Reports

  • Metric: Trend of significant information security breaches
  • Source: Risk Register

Business Continuity Management

Information Security Aspects of Business Continuity Management

  • Metric: Percentage (%) of Business Continuity Plans incorporating security
  • Source: Business Continuity Planning system

Compliance

Compliance and Legal Requirements

  • Metric: Trend of open and/or overdue legal compliance recommendations
  • Source: Risk Register

Compliance with Information Security Policies, Procedures and Standards

  • Metric: Trend of Information Security compliance review with no major violations
  • Source: Risk Register

Information Security Audit Considerations

  • Metric: Trend of open and/or overdue audit recommendations
  • Source: Risk Register

2 Responses to “The Dirt on Information Security: Metrics”
  1. [...] this space and in the mean time read blog posts on Information Security programme scorecards and metrics Posted by awrobinson Filed in Management, Standards Tags: assurance model, due diligence, [...]
  2. [...] The Dirt on Information Security: Metrics [...]