ERE Information Security Auditors

Quantifying Risk and Cost of IT Security Compliance: Part 4

This week’s blog is Part 4 of a 5-part series.

If you are in security no doubt you have been challenged by management about your security expenditures.  I have often heard executives say that they regret authorizing sufficiently large security budgets because they can’t tell if the expenses were worthwhile.  It’s a good point.  I’ll try to address it in this blog.

Measuring the Effectiveness of Mitigation

It is paramount to close the risk management loop by comparing planned and actual results of mitigation.

The goal is to identify clearly whether the risk level has changed and which consistent metrics will be used to support that conclusion. Once again, this may be difficult to accomplish directly, but there certainly are metrics for measuring and comparing the results of implementing mitigation. The metrics should always:

  1. Produce repeatable, consistent results.
  2. Be understandable.
  3. Be reasonably simple to use over time.

The following is a good starting list of metrics that can be used for consistently measuring and reporting on risk:

  1. Architectures for measuring risk – Enterprise Information Security Architecture (EISA). (8), (9)
    a. The U.S. Department of Defense (DoD) Architecture Framework (DoDAF). (10)
    b. Extended Enterprise Architecture Framework (E2AF) from the Institute For Enterprise Architecture Developments. (11)
    c. Federal Enterprise Architecture of the United States Government (FEA). (12)
    d. Capgemini’s Integrated Architecture Framework. (13)
    e. NIH Enterprise Architecture Framework. (14)
    f. Open Security Architecture. (15)
    g. The Open Group Architecture Framework (TOGAF). (16)
    h. Zachman Framework. (17)
  2. Control points from the COBIT framework. (18)
  3. Vulnerability assessments.
  4. Penetration tests.
  5. Time trends in frequency of occurrence and the real costs of security events, privacy violations, and policy compliance violations.
  6. Time trends in cost to recover from events.
  7. Time trends in frequency of policy compliance violations that do not necessarily cause any financial losses, such as identifying Trojans, viruses, rootkits, unauthorized logins, attempted port scans, frequency of dropped packets, frequency of password lifecycle, breaches, and frequency of rescheduled / cancelled IT Security Governance meetings with business managers.
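As an added illustration (not part of this post or of ERE's own tooling), the following Python computes the time-trend metrics above over constructed sample events and then closes the loop by comparing the real cost before and after an assumed mitigation cut-over date against a planned reduction. The event records, categories, costs and the cut-over date are all made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed sample event records for the example (not real data): one row per
# security or compliance event, with its direct cost and hours needed to recover.
@dataclass(frozen=True)
class Event:
    when: date
    category: str         # e.g. "malware", "unauthorized_login", "policy_violation"
    cost: float           # real cost incurred (0 for events with no financial loss)
    recovery_hours: float

# Assumed mitigation cut-over date; the windows before and after are equal (6 months).
CUTOVER = date(2007, 7, 1)
EVENTS = [
    Event(date(2007, 1, 15), "malware", 4200.0, 16),
    Event(date(2007, 2, 3), "unauthorized_login", 0.0, 4),
    Event(date(2007, 3, 21), "malware", 3800.0, 12),
    Event(date(2007, 5, 9), "policy_violation", 0.0, 2),
    Event(date(2007, 6, 30), "malware", 5100.0, 20),
    Event(date(2007, 8, 12), "malware", 900.0, 3),
    Event(date(2007, 10, 2), "unauthorized_login", 0.0, 3),
    Event(date(2007, 12, 18), "policy_violation", 0.0, 1),
]

def quarter(d: date) -> str:
    """Calendar-quarter key such as '2007Q3', so periods are comparable over time."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"

def trend(events, period=quarter):
    """Per-period frequency, real cost and recovery hours (the time-trend metrics)."""
    out = defaultdict(lambda: {"count": 0, "cost": 0.0, "recovery_hours": 0.0})
    for e in events:
        row = out[period(e.when)]
        row["count"] += 1
        row["cost"] += e.cost
        row["recovery_hours"] += e.recovery_hours
    return dict(sorted(out.items()))

def mitigation_result(events, cutover, planned_reduction):
    """Close the loop: compare real cost before and after the cut-over with the
    planned reduction (a fraction, e.g. 0.5 for a planned 50% cut)."""
    before = sum(e.cost for e in events if e.when < cutover)
    after = sum(e.cost for e in events if e.when >= cutover)
    actual = 0.0 if before == 0 else (before - after) / before
    return {"before": before, "after": after, "planned": planned_reduction,
            "actual": round(actual, 3), "met_plan": actual >= planned_reduction}
```

The same per-period table can be reported quarter after quarter, which is what makes the metric repeatable and simple to use over time.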

This part of the series may be a little dry.  In fact it is very dry.  But if you ever want to have a process done “by the book” many of my references will come in handy.  If you can take another “dry” blog, the next blog will cover the same subject but from a return on investment perspective.  I hope it will be helpful!

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security and Privacy Compliance Auditor

www.ere-security.ca

Copyright © 2007-2008. All rights reserved.