
Jan 02

Security Metrics

From: HackingTheUniverse

It is a mantra of quality improvement methodology that you can’t manage what you don’t measure. Security metrics are the measurements that allow management of information security. As functions and requirements vary from one network and organization to another, so will the requirements and design of security metrics. But there are some standard and central concepts to build upon.

  1. Know your mission – this begins with the basic business missions that drive your organization and moves toward defining the metrics you want to use. Along the way, you will need to consider policies and procedures and how your security protections are built into your network. If you’re lucky, this was considered during the development of the network and some of the metrics were defined early and built into the processes and security controls.
  2. Develop a map – this should link your metrics to the goals and objectives that drive them and then allow them to be categorized. They may be linked to individual security controls or security processes or more general overall security goals.
  3. Prioritize – the most important management needs and protection requirements should be near the top of the list. High priority security protection areas need metrics that are commensurate with the need to protect. The same holds true for business functions. A priority should also be put on security controls that by their nature already collect the data needed for metrics, since they will be easy to implement.
  4. Set targets – the primary purpose of using metrics is to enable management and process improvement. This requires setting performance targets for each metric.
  5. Document – the definition, selection, prioritization and target setting processes must all be documented and analysis, reporting and archival processes need to be in place.
  6. Feedback and correct – analysis and reports must be tailored to the needs of the organization and directed to the appropriate contacts. Corrective action is a separate process, but metrics analysis reports must integrate tightly with it.

CONTINUOUS MONITORING
Continuous monitoring is about making sure that your security controls are doing their job effectively. Most, if not all, controls should be monitored in some way, but the time interval involved in checking them may vary greatly. Any security control that involves monitoring of the system (such as intrusion detection, vulnerability scanning, anti-virus and integrity checking) is likely to be already producing the data needed to measure how effectively it is working. All you need to do is analyze, frame, and present it appropriately to turn that data into both continuous monitoring output and important security metrics.

SECURITY CONTROLS
(that most organizations should probably be monitoring)

  • CM-8 INFORMATION SYSTEM COMPONENT INVENTORY – know when inventory is changed or moved
  • RA-5 VULNERABILITY SCANNING – know which vulnerabilities are being found and when they are found
  • SI-4 INFORMATION SYSTEM MONITORING – an entire group of metrics is present in this one control and will likely need to be correlated into a “situational awareness” report
  • SI-3 MALICIOUS CODE PROTECTION – what is your AV finding and how often are the signatures updated
  • AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING – how often are log files analyzed and what is found
  • SI-2 FLAW REMEDIATION – know how your organization responds to vulnerabilities, how long it takes
  • IR-5 INCIDENT MONITORING – how many incidents are there, how are they resolved
  • CM-3 CONFIGURATION CHANGE CONTROL – how many changes are being made, what is the result
  • CA-5 PLAN OF ACTION AND MILESTONES – how long does it take to fix problems
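As an added illustration (not from the original post) of step 4, "Set targets", applied to the RA-5 / SI-2 / CA-5 controls above, the script below turns constructed scan findings into a per-severity remediation metric with target breaches flagged. The hosts, dates and the target windows in TARGET_DAYS are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Hypothetical remediation targets in days, per severity (step 4, "Set targets").
TARGET_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}
AS_OF = date(2023, 2, 28)   # reporting date for the constructed sample

@dataclass
class Finding:
    host: str
    severity: str           # key of TARGET_DAYS
    found: date             # first reported by the scanner (RA-5)
    fixed: Optional[date]   # closed by flaw remediation (SI-2); None = still open

# Constructed sample findings; not real hosts or scan data.
FINDINGS = [
    Finding("web01", "critical", date(2023, 1, 2), date(2023, 1, 9)),
    Finding("web02", "critical", date(2023, 1, 2), date(2023, 1, 25)),
    Finding("db01", "high", date(2023, 1, 5), date(2023, 1, 20)),
    Finding("db01", "high", date(2023, 1, 5), None),
    Finding("app03", "medium", date(2023, 1, 10), date(2023, 2, 20)),
]

def remediation_metrics(findings, today):
    """Return {severity: {count, open, mean_days_to_fix, breaches}}.
    A breach is a finding fixed after its target window, or an open finding
    whose age already exceeds the window (the CA-5 "how long to fix" question)."""
    report = {}
    for sev, target in TARGET_DAYS.items():
        group = [f for f in findings if f.severity == sev]
        if not group:
            continue   # no data for this severity in the period
        days_to_fix = [(f.fixed - f.found).days for f in group if f.fixed]
        ages = [((f.fixed or today) - f.found).days for f in group]
        report[sev] = {
            "count": len(group),
            "open": sum(1 for f in group if f.fixed is None),
            "mean_days_to_fix": mean(days_to_fix) if days_to_fix else None,
            "breaches": sum(1 for age in ages if age > target),
        }
    return report

def format_report(report):
    """One line per severity, suitable for a continuous-monitoring summary."""
    lines = []
    for sev, m in report.items():
        mttr = "n/a" if m["mean_days_to_fix"] is None else f"{m['mean_days_to_fix']:.1f}"
        lines.append(f"{sev:<8} findings={m['count']} open={m['open']} "
                     f"mean_days_to_fix={mttr} target={TARGET_DAYS[sev]}d breaches={m['breaches']}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(remediation_metrics(FINDINGS, AS_OF)))
```

The open "high" finding is counted as a breach as soon as its age passes the 30-day window, so the report does not wait for closure before signalling that the target is missed.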

SEE ALSO:
Continuous Monitoring
