Re: ITL Bulletin for August 2003

[InfoSec News <isn () c4i org>]

Forwarded from: Mark Bernard <mbernard () nbnet nb ca>

Dear Associates,

Is this annoying or what! They are close to actual providing something
valuable here but they haven't hit the target and here is why:

Firstly, In order to maximize the effectiveness of this white paper on
InfoSec Metrics you need to identify the target audience. If you
handed this to a Senior Manager they might have a chance, but if you
handed it to a CISSP they would be lost!

Secondly, They talk about matrices ( a lot) but don't really back it
up with any solid, proven examples. Thus, this is really a wordy
explanation at a level where nobody can touch anything valuable.

Thirdly, Maybe I misunderstood this point, but if you gave a so called
'stakeholder' 5 - 10 matrices they would be lost or have way too much
information to evaluate especially if you were in HR or Finance. Who
are we trying to impress here?

Fourthly, how can intelligence or professional skills continue to
evolve if we continue to reinvent the wheel?  Self assessments and
controls/safeguards including a methodology to administer these
practices has already been developed by an association that has been
doing this for 30 plus years, what's up with these guys...

There is absolutely nothing here that hasn't already been done in
COBiT; http://www.isaca.org/cobithorizon.htm In addition, COBiT
continues to advance these best practices with other practices such as
maturity models, etc...

Lets do it right and move on with this process instead of spinning our
intellectual wheels!

Regards,
Mark E. S. Bernard, CISM.


----- Original Message ----- 
From: "InfoSec News" <isn () c4i org>
To: <isn () attrition org>
Sent: Thursday, August 14, 2003 6:10 AM
Subject: [ISN] ITL Bulletin for August 2003


> Forwarded from: Elizabeth Lennon <elizabeth.lennon () nist gov>
>
> IT SECURITY METRICS
> Elizabeth B. Lennon, Editor
> Information Technology Laboratory
> National Institute of Standards and Technology
>
> Introduction
> IT security metrics provide a practical approach to measuring
> information security. Evaluating security at the system level, IT
> security metrics are tools that facilitate decision making and
> accountability through collection, analysis, and reporting of
> relevant performance data. Based on IT security performance goals
> and objectives, IT security metrics are quantifiable, feasible to
> measure, and repeatable. They provide relevant trends over time and
> are useful in tracking performance and directing resources to
> initiate performance improvement actions.
>
> This ITL Bulletin summarizes the recently published NIST Special
> Publication (SP) 800-55, Security Metrics Guide for Information
> Technology Systems, by Marianne Swanson, Nadya Bartol, John Sabato,
> Joan Hash, and Laurie Graffo. NIST SP 800-55 provides guidance for
> IT managers and security professionals at all levels, inside and
> outside of government. The document describes the development and
> implementation of an IT security metrics program and provides
> examples of metrics based on the critical elements and security
> controls and techniques contained in NIST SP 800-26, Security
> Self-Assessment Guide for Information Technology Systems. Both
> documents are available at
> http://csrc.nist.gov/publications/nistpubs/index.html.
>
> Why Measure IT Security? Regulatory, financial, and organizational
> reasons drive the requirement to measure IT security performance.
> For federal agencies, a number of existing laws, rules, and
> regulations cite IT performance measurement in general, and IT
> security performance measurement in particular, as a requirement.  
> These laws include the Clinger-Cohen Act, Government Performance and
> Results Act (GPRA), Government Paperwork Elimination Act (GPEA), and
> Federal Information Security Management Act (FISMA). In the
> financial arena, organizations that measure successes and failures
> of past and current security investments can use metrics to justify
> and direct future security investments. From an organizational point
> of view, metrics improve accountability to stakeholders, ensure an
> appropriate level of mission support, determine IT security program
> effectiveness, and improve customer confidence.
>
> The Metrics Development Process
> The IT security metrics development process consists of two major
> activities:
>
> * Identification and definition of the current IT security
>   program; and
>
> * Development and selection of specific metrics to measure
>   implementation, efficiency, effectiveness, and the impact
>   of the security controls.
>
> The process steps need not be sequential. Rather, the process
> provides a framework for thinking about metrics and facilitates the
> identification of metrics to be developed for each system. The type
> of metric depends on where the system is within its life cycle and
> the maturity of the IT system security program. The framework
> facilitates tailoring metrics to a specific organization and to the
> different stakeholder groups in each organization.

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.