Module 4

 
Information and Data Security
Dr. B. Chandra Mohan
Information and Data Security Team
Structure
• The growing importance and scope of information
• Information security governance begins at the top with the Board of
Directors and CEO
Team Structure
1. Board of Directors / Security Steering Committee
2. CEO or Executive Management
3. CIO/CISO
4. Security Director
5. Security Analyst
6. Security Architect
7. Security Engineer
8. Systems Administrator
9. Database Administrator
10. IS Auditor
11. End User
Security incident response team
• Processes IT security complaints or incidents.
• Assesses threats to IT resources.
• Alerts IT managers of imminent threats.
• Determines incident severity and escalates it, if necessary, with
notification to CTO and president’s senior staff.
• Coordinates security incidents (level 2 or 3) from discovery to closure.
• Reviews incidents, provides solutions/resolutions and closure.
Security Metrics
• Measurements provide single-point-in-time views of specific, discrete
factors.
• Metrics are derived by comparing two or more measurements taken over
time against a predetermined baseline.
• Good metrics are those that are SMART, i.e. specific, measurable,
attainable, repeatable, and time-dependent.
The categories of security metrics
• Implementation – metrics used to show progress in implementing
policies and procedures and individual security controls
• Effectiveness/efficiency – metrics used to monitor results of security
control implementation for a single control or across multiple controls
• Impact – metrics used to convey the impact of the information
security program on the institution's mission, often through
quantifying cost avoidance or risk reduction produced by the overall
security program
Types of Security Metrics
• Based on Level
  • Strategic security metrics
  • Security management metrics
  • Operational security metrics
• Based on Object
  • Process Security Metrics
  • Network Security Metrics
  • Software Security Metrics
  • People Security Metrics
Application Security
• Number of Applications
• Percentage of Critical Applications
• Risk Assessment Coverage
• Security Testing Coverage
Configuration Change Management
• Mean-Time to Complete Changes
• Percent of Changes with Security Review
• Percent of Changes with Security Exceptions
Financial
• Information Security Budget as % of IT Budget
• Information Security Budget Allocation
Incident Management
• Mean-Time to Incident Discovery
• Incident Rate
• Percentage of Incidents Detected by Internal Controls
• Mean-Time Between Security Incidents
• Mean-Time to Recovery
Patch Management
• Patch Policy Compliance
• Patch Management Coverage
• Mean-Time to Patch
Vulnerability Management
• Vulnerability Scan Coverage
• Percent of Systems Without Known Severe Vulnerabilities
• Mean-Time to Mitigate Vulnerabilities
• Number of Known Vulnerability Instances
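As an added example (not from the module slides), the incident-management measurements listed above computed from constructed incident records, then turned into metrics by comparing them with a constructed baseline, following the measurement-versus-metric distinction made earlier in the module. The incident records, the baseline values and the field names are all assumptions made for the example.

```python
"""Added example: the incident-management measurements listed above, computed from
constructed incident records and turned into metrics by comparing them with a
constructed baseline (measurement = point in time; metric = change vs. baseline)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

@dataclass
class Incident:
    occurred: datetime    # when the incident actually began
    discovered: datetime  # when the team became aware of it
    recovered: datetime   # when normal service was restored
    detected_by: str      # "internal" (own controls) or "external"

# Constructed sample records for a 30-day reporting period (not real data)
INCIDENTS = [
    Incident(datetime(2024, 1, 3, 8), datetime(2024, 1, 3, 20), datetime(2024, 1, 4, 8), "internal"),
    Incident(datetime(2024, 1, 10, 9), datetime(2024, 1, 12, 9), datetime(2024, 1, 13, 9), "external"),
    Incident(datetime(2024, 1, 20, 10), datetime(2024, 1, 20, 16), datetime(2024, 1, 20, 22), "internal"),
    Incident(datetime(2024, 1, 28, 0), datetime(2024, 1, 28, 12), datetime(2024, 1, 29, 0), "internal"),
]
# Constructed baseline from an earlier period, same keys/units as measurements()
BASELINE = {"mean_time_to_discovery_h": 24.0, "mean_time_to_recovery_h": 18.0,
            "mean_time_between_incidents_h": 150.0, "pct_detected_internally": 50.0,
            "incident_rate_per_30d": 6.0}

def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600

def measurements(incidents, period_days):
    """Single-point-in-time measurements for one reporting period."""
    ordered = sorted(incidents, key=lambda i: i.occurred)
    gaps = [hours(b.occurred - a.occurred) for a, b in zip(ordered, ordered[1:])]
    return {
        "mean_time_to_discovery_h": mean(hours(i.discovered - i.occurred) for i in ordered),
        "mean_time_to_recovery_h": mean(hours(i.recovered - i.discovered) for i in ordered),
        "mean_time_between_incidents_h": mean(gaps) if gaps else float("inf"),
        "pct_detected_internally": 100 * sum(i.detected_by == "internal" for i in ordered) / len(ordered),
        "incident_rate_per_30d": len(ordered) / period_days * 30,
    }

def metrics(current, baseline):
    """Metric = change against the baseline: for the times and the incident rate a
    negative delta is an improvement, for the internally-detected share a positive one."""
    return {k: round(current[k] - baseline[k], 2) for k in baseline}

if __name__ == "__main__":
    now = measurements(INCIDENTS, period_days=30)
    for name, delta in metrics(now, BASELINE).items():
        print(f"{name}: {now[name]:.1f} (delta vs baseline {delta:+.1f})")
```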
Using Security Metrics
• Using security metrics involves data acquisition.
• This may be automated or manually collected.
• Data collection automation depends on the availability of data from
automated sources versus the availability of data from people.
• Manual data collection involves developing questionnaires and
conducting interviews and surveys with the organization’s staff.
Developing the Metrics Process
At a high level, the steps for establishing a metrics program are:
• Define goals and objectives
• Determine information goal
• Develop metrics models
• Determine metrics reporting format and schedule
• Implement metrics
• Set benchmarks and targets
• Establish a formal review cycle
Metrics and Reporting
• A number of challenges are often encountered in organizations that are
about to implement, or are already in the process of implementing, an
ISMP.
• Several of these challenges commonly arise from stakeholders'
misconceptions and erroneous expectations regarding metrics (IATAC,
2009); these include:
Designing information security measurement systems
• What are we going to measure?
• How will we measure things?
• How will we report?
• How should we implement our reporting system?
• Setting targets