Importance of metrics in an IT security program
IT security metrics are widely used as the primary tools for decision making and evaluating accountability in an organization by collecting key performance data, analyzing them and converted into various reports. Most of the time the analysis is done against the performance goals are set and IT security program.
The data collected from different sources should be quantifiable, obtainable and repeatable. It should also provide the relevant performance trends over time and the metrics derived should be useful for tracking the effectiveness of the entire IT security program.
The necessity for measuring IT security could be based regulatory , financial or organizational requirements. While regulatory needs are most often to satisfy regulations and compliance’s requirements, financial needs give the justification for current and future security investments. As a result security metrics helps decision makers to identify the proper areas of security investments and to ensure the best value from the security investments. As an organizational requirement measuring IT security helps to improve the accountability and build confidence in the program management team. It helps to determine the program effectiveness and to demonstrate the improvements to stakeholders. It also helps to initiate program improvement processes based on the level of current performance. Security metrics can be used as an input to do relevant and appropriate security procedure modifications and then to improve the customer confidence & maintain business relations.
IT security performance goals vs IT Security metrics (Relation between performance goals and security metrics)
The desired outcome of an IT security program is defined by the IT security performance. The performance objectives helps to attain the desired outcome by identifying scope, setting up strategies, plans, implementing policies, procedures, best practices and processes with a continuous implementation. IT security metrics monitor and measure the accomplishment of goals by quantifying the control objective implementations, techniques and efficiency of the controls. Analysis of collected metrics helps to determine the adequacy of implemented program and to take appropriate business decisions.
As an example, for a decision to implement the principle of least privileges in an organization as an IT security goal, percentage values such as number of systems where different techniques are applied to implement least privileges, can be one of the factors to determine the performance. Analysis such as systems or functional areas covered in an organization with a particular period of time or rate of implementation could be useful for taking appropriate business decisions.
To be most effective in an IT security program, for each of the IT security performance goals there should be appropriate IT security monitor goals.
IT Security metrics development steps
The IT security metrics development is given in 7 steps of two main categories.
1 Stakeholders interests
In an organization a stakeholder can be anyone who directly or indirectly related to any of the IT security processes, functions or results. However some organizational functions have greater stake than others such as CIO, Security program manager, System owner, HR personnel etc. Each stakeholder needs a set of metrics that provides a view of the organization’s IT security performance within their needs. Selecting the most critical elements of the organization’s IT security program during metrics prioritization will make the program manageable and successful.
2 IT security performance goals and objectives
IT security performance goals and objectives are expressed in the form of high level policies and requirements statements in many regulations and policies. Examples are Top 20 Critical controls from CIS (Center for Internet Security) and Federal Information Security compliance Audit manual (FISCAM)
3 IT Security Policies, Guidance and Procedures
Some of the agency specific policies and procedures provide detailed information specific to the category. Example NIST SP 800-12, 800-14
4 System Security Program Implementation
System security program implementation includes process and procedures in place, existing capabilities , areas of improvement , existing metrics etc. There may be documented in the sources such as system security plans, procedure handbooks, plan of actions and milestones, tracking of security related activities, risk assessment and penetration testing results etc.
5 Level of implementation
Most of the organizations are new to measuring IT security with performance metrics. They will begin measuring level of implementation by measuring the level of policies and procedure implementation. Instituting a metrics program is the first step to process maturity.
6 Security Program effectiveness and Efficiency
As an organization’s process maturity increases and performance data become more readily available, metrics will focus on program efficiency and effectiveness and is directly proportional to the organizational maturity.
7 Business Impact
Business impact can be measured through correlation analysis once an organization’s processes are self regenerating and measurement data gathering is transparent.