Why Is Measurement of Information Security So Important and Challenging?
In today's age, businesses are going global. In this competitive environment, organizations are creating, collecting and receiving a lot of information through various channels such as social media analysis, research, surveys and outsourcing of business processes to other countries. Many organizations are dealing with a HUGE VOLUME OF INFORMATION, or rather, I would say, SENSITIVE INFORMATION.
Today many organizations are investing huge amounts to ensure the CONFIDENTIALITY, INTEGRITY and AVAILABILITY of such information.
These investments could be in terms of:
- Hiring competent people
- Establishing workflows in terms of IT as well as INFORMATION SECURITY related processes
- Procuring secure technology
- Third-party assurance on the organization's INFORMATION SECURITY practices
- Spending a lot of time, as INFORMATION SECURITY needs checks and balances
With such huge investment in INFORMATION SECURITY, boards of directors are more concerned about the effectiveness of the implementation of INFORMATION SECURITY practices to protect SENSITIVE INFORMATION. Such huge investment has NO VALUE if there is no reasonable assurance on the implemented practices from an independent IS auditor.
Many organizations are now more concerned about the overall "Health of the Information Security Management System". Boards of directors are now taking an interest in reviewing IS audit findings and showing commitment towards information security. Boards of directors expect to see quantitative or qualitative analysis together with trend analysis.
For an organization's Information Security Manager, measuring the effectiveness of information security is becoming a challenge. Measurement of processes is now a common requirement of many international standards such as ISO/IEC 27001:2013. The Board of Directors might not understand the technicalities of information security controls, and this creates further difficulties for an Information Security Manager in terms of:
- What to present: the board of directors might not understand all the technical jargon. These people are more interested in a high-level dashboard which shows the overall analysis in a few graphs or statistics.
- How to present: it would be foolish to open a complete Word document, PDF or complete VAPT technical report in front of management. A simple PowerPoint presentation would work for them.
- How much to present: finally, you want the board of directors to take key decisions. According to the approved measurement approach, you may only want to present the TOP 5 or TOP 10 key risks to prioritize the risk treatment plan.
In this entire measurement exercise, the information security manager has to play a vital role in defining:
- Management's expectations in terms of the "Health of the Information Security Management System"
- Information security control metrics
- The owner of each metric
- The measurement frequency
- A meaningful dashboard for management
- Trend analysis
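The list above, together with the earlier point about presenting only the TOP 5 or TOP 10 key risks, reads as a procedure, so here is an added example (not code from the original post) that implements it end to end: a metric register that records the owner, frequency and target of each control metric, a trend computed as a least-squares slope over monthly observations, a status against the agreed target, and a TOP N risk ranking by likelihood times impact. All metric names, observation values and risk entries are constructed sample data, and the 1-5 likelihood/impact scoring is an assumption, not a scheme the post prescribes.

```python
"""Added example: a minimal control-effectiveness metrics register with
owner, frequency, target, trend analysis and top-N risk ranking.
All names, numbers and risks below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Metric:
    name: str
    owner: str              # who is accountable for collecting the value
    frequency: str          # agreed measurement frequency
    target: float           # threshold agreed with management
    higher_is_better: bool  # direction in which the metric should move


# Hypothetical metric register (assumption: three control metrics)
METRICS = [
    Metric("patch_compliance_pct", "IT Operations", "monthly", 95.0, True),
    Metric("open_critical_findings", "Security Manager", "monthly", 5, False),
    Metric("phishing_click_rate_pct", "Awareness Lead", "monthly", 8.0, False),
]

# Constructed monthly observations, oldest first (six periods each)
OBSERVATIONS = {
    "patch_compliance_pct": [82.0, 85.5, 88.0, 91.0, 93.5, 95.0],
    "open_critical_findings": [14, 12, 12, 9, 7, 6],
    "phishing_click_rate_pct": [11.0, 10.5, 12.0, 9.0, 8.5, 7.0],
}

# Constructed risk register entries: (name, likelihood 1-5, impact 1-5)
RISKS = [
    ("Unpatched internet-facing servers", 4, 5),
    ("Phishing leading to credential theft", 5, 4),
    ("Third-party vendor data handling", 3, 4),
    ("Lost unencrypted laptops", 3, 3),
    ("Insider misuse of privileged access", 2, 5),
    ("Weak backup restore testing", 2, 4),
]


def trend_slope(values):
    """Least-squares slope per period; positive means the value is rising."""
    n = len(values)
    if n < 2:
        return 0.0
    x_bar = (n - 1) / 2
    y_bar = sum(values) / n
    num = sum((i - x_bar) * (v - y_bar) for i, v in enumerate(values))
    den = sum((i - x_bar) ** 2 for i in range(n))
    return num / den


def status(metric, latest):
    """Compare the most recent observation with the agreed target."""
    if metric.higher_is_better:
        on_target = latest >= metric.target
    else:
        on_target = latest <= metric.target
    return "ON TARGET" if on_target else "OFF TARGET"


def direction(metric, slope, tol=1e-9):
    """Translate the raw slope into improving/worsening/flat for the metric's own sense."""
    signed = slope if metric.higher_is_better else -slope
    if signed > tol:
        return "improving"
    if signed < -tol:
        return "worsening"
    return "flat"


def dashboard(metrics, observations):
    """One row per metric: the fields a high-level management dashboard needs."""
    rows = []
    for m in metrics:
        series = observations[m.name]
        slope = trend_slope(series)
        rows.append({
            "metric": m.name, "owner": m.owner, "frequency": m.frequency,
            "latest": series[-1], "target": m.target,
            "status": status(m, series[-1]),
            "trend_per_period": round(slope, 2),
            "direction": direction(m, slope),
        })
    return rows


def top_risks(risks, n=5):
    """Rank risks by likelihood x impact (ties broken by name) and keep the top n."""
    scored = [{"name": name, "score": lik * imp} for name, lik, imp in risks]
    scored.sort(key=lambda r: (-r["score"], r["name"]))
    return scored[:n]


def board_summary(metrics, observations, risks, n=5):
    """The three things a board slide needs: what is off target, what is worsening, top risks."""
    rows = dashboard(metrics, observations)
    return {
        "off_target": [r["metric"] for r in rows if r["status"] == "OFF TARGET"],
        "worsening": [r["metric"] for r in rows if r["direction"] == "worsening"],
        "top_risks": top_risks(risks, n),
    }


if __name__ == "__main__":
    for r in dashboard(METRICS, OBSERVATIONS):
        print(f"{r['metric']:<26} owner={r['owner']:<18} latest={r['latest']:>5} "
              f"target={r['target']:>5} {r['status']:<10} {r['direction']}")
    for r in top_risks(RISKS, 5):
        print(f"risk score {r['score']:>2}: {r['name']}")
```

The slope is deliberately a plain least-squares fit over the whole series rather than a comparison of the last two months, so a single noisy month (such as the phishing click rate jump in period three) does not flip the direction shown to the board; the status column still uses only the latest value, because that is what the target was agreed against.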
Once implemented, over a period of 12 to 18 months, both the information security manager and the board of directors would have a reasonable understanding of information security control effectiveness and of how these metrics are adding value to their organization.
NOTE: If your organization is planning to implement an information security effectiveness measurement framework, reach out to me at janakmajithiya@gmail.com