Posts

Showing posts from September, 2012

SMotW #25: critical systems compliance

Security Metric of the Week #25: proportion of critical information assets residing on fully compliant systems

In order to measure this metric, someone has to:

1) Identify the organization's critical information assets unambiguously;
2) Determine or clarify the compliance obligations;
3) Assess the compliance of systems containing critical information assets.

All three activities are easier said than done. In our experience, the concepts behind this metric tend to make most sense in those military and governmental organizations that make extensive use of information classification, but even there the complexities involved in measuring compliance with a useful amount of accuracy would make it slow and expensive. Consequently, the low Accuracy, Cost and Timeliness scores all take their toll on the metric's PRAGMATIC score:

P   R   A   G   M   A   T   I   C   Score
48  26  36  41  56  13  19  46  12  33%
...

SMotW #24: security traceability

Security Metric of the Week #24: Traceability of information security policies, control objectives, standards & procedures

This metric is based on the fundamental premise that all information security controls should be derived from and support control objectives, those being explicit business requirements for security. Controls that cannot be traced to specific, documented requirements may not be justified, and may in fact be redundant and counterproductive; alternatively, the requirements may be valid but unstated, indicating a likely gap in the organization's policies etc.

The metric implies that there should be a way of tracing, referencing or linking controls with the corresponding security requirements, in both directions: it should be possible for management to determine which control/s satisfy a given control objective, and which control objective/s are satisfied by a given control. There are various ways of achieving this in practice, such as a 2-dimensio...

Themes from ISACA OceaniaCACS 2012

Having attended and spoken at ISACA's Oceania CACS conference in Wellington NZ over the past 3 days, I noticed a few themes coming up repeatedly. This piece expresses my personal perspective, but I must stress that I didn't attend every session (not least because of the three parallel tracks) or speak to every one of the 200-odd people present. I'm sure other attendees would have their own opinions ...

"Risk" remains a core concern. Compared to risk, there was less discussion around controls to mitigate risks, and almost nothing was said on risk avoidance, risk acceptance and risk transfer. Even IT audit seemed less prominent as a seminar topic than in ISACA conferences I have attended previously. However, despite our common interest, "risk" clearly has different meanings to different professionals at the conference, and no doubt to many of our business colleagues. I'm sure there were many misunderstandings as a result of subtly different interpretati...

SMotW #23: business continuity maturity

Security Metric of the Week #23: Business Continuity Management (BCM) Maturity

The high PRAGMATIC score for this week's metric shows that we consider it a valuable measure of an organization's business continuity management practices:

P   R   A   G   M   A   T   I   C   Score
90  95  70  80  90  85  90  87  90  86%

This metric is designed on exactly the same lines as the HR security maturity metric, SMotW #15, using a maturity scoring table with predefined criteria for various aspects of business continuity management indicating various levels of maturity. We are not going to give you the entire maturity scoring table now (you will have to continue waiting patiently for the book, I'm afraid) but here are two rows demonstrating the approach:

No business continuity management | Basic business continuity management | Good business continuity management | Excellent business continuity management
Nothing even v...

The limits of "plain English security" policies

Being naturally optimistic (or 'realistic' as I put it), I generally look on the bright side of life - cue Monty Python. Where appropriate I'm happy to cut a few corners in the interests of saving time and effort, believing that on the whole things will work out just fine. However, 'where appropriate' is an important caveat since, paradoxically, I'm also a perfectionist by nature, which means not cutting corners but doing things properly. Yes indeed, there is conflict lurking deep in my psyche.

Anyway, today this issue came to mind while reading the opinion accompanying a judgment on a legal case involving the (alleged) appropriation by a departing employee of his soon-to-be-former employer's proprietary information. Please pore over the case notes for the full story and don't take anything I say as gospel, but for now suffice to say that the appeals court confirmed that there was no case to answer under the US Computer Fraud and Abuse Act (C...

Oversight - a novel security awareness topic

September's security awareness module has a split personality, covering oversight in both senses of the word:

1) Casual errors and omissions are commonplace: these are oversight incidents. Whereas most are trivial, some oversights are more serious and costly. The worst can literally be deadly - as suggested by the poster graphic above (one of six new designs in the module).

2) 'Keeping an eye on things' through supervision and various forms of reviewing and testing (such as the checklist shown on one of this month's awareness posters) are oversight controls. The aim is to prevent, or at least spot and correct, errors and omissions before the damage is done.

Security awareness is our passion - it's what we do.

SMotW #22: IRR

Security Metric of the Week #22: Internal Rate of Return

IRR is one of a number of financial metrics in our collection. IRR measures the projected profitability of an investment, a proposed security implementation project for example. If the IRR is greater than the organization's cost of capital, the project may be worth pursuing (unless there are limited funds available, and other proposals with even higher IRR or intangible benefits).

Comparing IRR against other financial metrics is tricky. For starters, we are not accountants, economists or financiers by training, and this stuff is hard! Furthermore, different circumstances and different types of investment call for different metrics ... but arguably the most important factor is that organizations tend to rely on certain financial metrics to assess and monitor most of their projects. Regardless of any technical arguments for or against using IRR as a metric, if management routinely uses it, there is und...