Metrics

How do you measure information security metrics in your organization? Are you showing value for your purchases? Can you demonstrate correlations between process improvements and metrics? Have you been able to justify your information security organization? Are your metrics timely in their delivery? Are you looking to create an information security organization built on the use of metrics that identify the adequacy of in-place security controls, policies and procedures?

Metrics are a system of parameters or ways of quantitative and periodic assessment of a process that is to be measured, along with the procedures to carry out such measurement and the procedures for the interpretation of the assessment in the light of previous or comparable assessments.  Security organizations are required to collect and report performance metrics and measures to demonstrate compliance with laws and regulations, improve accountability for their programs, and advance efficiencies in delivering programs and services to the public. Information security is one of the functions that companies are required to report to demonstrate their ability to appropriately protect sensitive and proprietary information that corporate systems store, process, and transmit. In addition to regulatory compliance reporting, companies are using performance metrics and measures as management tools in their internal improvement efforts and linking implementation of their programs to corporate-level strategic planning efforts.

Collecting, centralizing, and analyzing security metrics is critical to understanding and managing evolving security requirements in the enterprise. InfoSec leaders should ensure that the metrics they collect are useful and understandable, and should communicate with other executives to ensure that the metrics are properly interpreted and that they show the return on security investments.

Security programs gather volumes of data every day. If we gather the right information, we generate unique and informative data that, for example:

  • Defines what, where and how risk is occurring;

  • Emphasizes the accountability of business management for safeguarding the organization's assets;

  • Directly aids in measuring service quality and customer satisfaction;

  • Provides measurable support for new and existing programs;

  • Contributes to a variety of value-based assessments;

  • Demonstrates the value of newly deployed tools that start new trends and analysis;

  • Leads to other process and procedure enhancements that can be tracked against the metrics;

  • Can be measured against overall corporate security maturity and demonstrate either enhancements to or detractors from your overall security posture.

Treadstone 71 will help you decide where to invest additional information security protection resources and will identify and evaluate nonproductive controls. We will help you explain the metric development and implementation process and how it can also be used to justify security control investments.

The results of an effective information security metric program designed by Treadstone 71 can provide useful data for directing the allocation of your information security resources.

The Treadstone 71 Security Metrics Service is designed to:

  • Facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data;

  • State the desired results of a system security program implementation;

  • Enable accomplishment of goals by identifying practices defined by security policies and procedures that direct consistent implementation of security control across the organization;

  • Monitor the accomplishment of the goals and objectives by quantifying the level of implementation of the security controls and the effectiveness and efficiency of the controls, analyzing the adequacy of security activities and identifying possible improvement actions.

Treadstone 71 Security Metric Services will help you identify and prioritize the measurable aspects of your information security program as they correspond to the operational priorities of your organization.

Contact Treadstone 71 to learn how we can help you determine the return on investment of your information security program. Call today at 1-888-687-8450 or email us at info@treadstone71.com.


Copyright 2003 Treadstone 71 info@treadstone71.com