Information Security Metrics
Introduction
Metrics are tools designed to facilitate decision-making and improve performance and accountability through collection, analysis, and reporting of performance-related data. Information security metrics should be based on security performance goals and objectives of an organization. Each organization should implement a metrics program specific to its needs, business processes and security goals.
IT security performance objectives support the accomplishment of these goals by identifying the practices, defined in security policies and procedures, that direct consistent implementation of security controls across the organization. IT security metrics monitor the accomplishment of the goals and objectives by quantifying the level of implementation of the security controls and their effectiveness and efficiency, by analyzing the adequacy of security activities, and by identifying possible improvement actions.
Benefits
Metrics facilitate “informed decision making” by the top management of an organization. Metrics can help improve performance by identifying causes of poor performance, which include:
- Requirement of resources and training
- Requirement of system upgrades
- Adequacy of configuration management practices
- Software compatibility – security patches and upgrades
- Adequacy of policies and procedures
- Poor system and security architectures
- Inefficient planning processes
Metrics Development: What is a Good Metric?
A good information security metric should be:
- Aligned with security performance goals and objectives of the organization
- Quantifiable/measurable: It should yield quantitative rather than qualitative information, to increase the objectivity and validity of the data
- Available or easily collected: Metric data should be available or easily collected through interviews or by accessing data repositories
- Repeatable: It should be measured in a standard way at specific intervals, so that trends can be identified
- Provide relevant performance trends over time: Repeated measurements should reveal trends against time
- Facilitate decision making: Metrics should be useful to stakeholders and should yield information that facilitates “informed decision making” by the top management
Metric Development Process
Sify’s security consultants define three types of information security metrics:
- Implementation metrics: to measure the implementation of security policy
- Effectiveness/efficiency metrics: to measure the results of security services delivery
- Impact metrics: to measure the business/mission impact of security activities and events
The purpose of each metric is determined first. Sify consultants assist in identifying stakeholders, determining metric goals and objectives, identifying data sources, data collection methods, collection frequency and responsibilities, and facilitating metric analysis and reporting. Sify assists in determining the formulae for the numeric expression of each metric. The consultants also help in formalizing an effective continual improvement process for the information security metrics.
Why Sify?
Sify has experience in developing information security metrics for organizations of all sizes, across multiple business verticals. Sify uses the NIST Security Metric Guide and the ISO 27001 International Standard for Information Security as the reference/benchmark for developing comprehensive information security metrics for organizations.
During metrics prioritization, Sify’s security consultants focus on selecting the most critical and relevant elements of an organization’s information security practices, so that the resulting metrics are meaningful, relevant and successful.