Guide To Security Metrics

Pages: 14 (3377 words) Published: September 3, 2011
A Guide to Security Metrics
Shirley C. Payne July 11, 2001 SANS Security Essentials GSEC Practical Assignment Version 1.2e

© SANS Institute 2002, As part of the Information Security Reading Room. Author retains full rights.

Recent predictions are that spending on security measures will rise significantly over the next four years.1 If increased security funding does indeed become a trend, this will obviously be welcomed by security managers, and it gives reason to hope that greater progress in addressing the threat of security breaches will follow. As with most concerns that achieve high priority status with executives, however, computer security will become a focal point not only for investment, but also scrutiny for return on that investment. Security managers will more than ever before be held accountable for demonstrating effectiveness of their security programs and the value of those programs to the organization.

What means will managers use to meet this challenge? Some experts believe that key among these should be security metrics.2 This guide provides a definition of security metrics, explains their value, discusses the difficulties in generating them, and suggests a methodology for building a security metrics program.

Definition of Security Metrics

It helps to understand what metrics are by drawing a distinction between metrics and measurements. Measurements provide single-point-in-time views of specific, discrete factors, while metrics are derived by comparing to a predetermined baseline two or more measurements taken over time.3 Measurements are generated by counting; metrics are generated from analysis.4 In other words, measurements are objective raw data and metrics are either objective or subjective human interpretations of those data.

Good metrics are those that are SMART, i.e. specific, measurable, attainable, repeatable, and time-dependent, according to George Jelen of the International Systems Security Engineering Association.5 Truly useful metrics indicate the degree to which security goals, such as data confidentiality, are being met, and they drive actions taken to improve an organization’s overall security program.

The Value of Security Metrics

A widely accepted management principle is that an activity cannot be managed if it cannot be measured. Security falls under this rubric. Metrics can be an effective tool for security managers to discern the effectiveness of various components of their security programs, the security of a specific system, product or process, and the ability of staff or departments within an organization to address security issues for which they are responsible. Metrics can also help identify the level of risk in not taking a given action, and in that way provide guidance in prioritizing corrective actions. Additionally, they may be used to raise the level of security awareness within the organization. Finally, with knowledge gained through metrics, security managers can better answer hard questions from their executives and others, such as:

• Are we more secure today than we were before?
• How do we compare to others in this regard?
• Are we secure enough?

Why Metrics Generation Is Difficult

Many in the security industry will agree that the number of successful security attacks an organization has experienced is not necessarily an indication of how secure that organization is. Luck plays a major role,6 and how does one measure luck? So, a security manager needs to look beyond the organization’s security incident record for indicators of security strength. There are further complications they need to keep in mind, however, in their search...