Page 174 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY

Information Security and Privacy




12.2.4 The Value of Security Metrics
Metrics can be an effective tool for security executives to gauge the effectiveness of the various
components of their protection programs, the security of a particular system, product or process,
and the ability of staff or departments within an organization to address the security concerns for
which they are accountable. Metrics can also help identify the level of risk in not taking a
given action, and in that way provide guidance in prioritizing corrective actions. Additionally,
they may be used to raise the level of security awareness within the organization. Finally,
with the knowledge gained through metrics, security managers can better answer tough questions from
their executives and others, such as:
1.  Are we more secure today than we were before?
2.  How do we compare with others in this regard?
3.  Are we secure enough?
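The three questions above are only answerable once a metric is defined precisely, including when its value is known. The following is an added example, not from the original text: it computes one common metric, the share of vulnerability findings remediated within an SLA, for two consecutive quarters, answers "better than before?" and "good enough?" against an assumed target, and makes the metric's lag time explicit. Findings still open at the observation date are counted as misses only once their deadline has passed and are otherwise reported as pending, so the quarter's figure can still move. The SLA values, asset names and findings are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation SLA per severity, in days. Assumed policy values chosen for the
# example, not figures from the text.
SLA_DAYS = {"high": 14, "medium": 30}


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str
    discovered: date
    remediated: Optional[date]  # None: still open when the metric is computed


# Constructed sample findings spanning two quarters (not real data).
FINDINGS = [
    Finding("web-01", "high", date(2023, 1, 10), date(2023, 1, 20)),
    Finding("db-01", "high", date(2023, 2, 1), date(2023, 3, 15)),    # 42 days: SLA missed
    Finding("app-02", "medium", date(2023, 3, 5), date(2023, 3, 12)),
    Finding("web-01", "high", date(2023, 4, 3), date(2023, 4, 8)),
    Finding("db-01", "high", date(2023, 5, 10), date(2023, 5, 20)),
    Finding("app-02", "medium", date(2023, 6, 1), None),             # open at quarter end
]

Q1 = (date(2023, 1, 1), date(2023, 3, 31))
Q2 = (date(2023, 4, 1), date(2023, 6, 30))
END_OF_Q2 = date(2023, 6, 30)   # metric computed on the last day of Q2
MID_JULY = date(2023, 7, 15)    # the same metric recomputed two weeks later


def sla_deadline(f: Finding) -> date:
    return f.discovered + timedelta(days=SLA_DAYS[f.severity])


def sla_status(f: Finding, as_of: date) -> str:
    """'met', 'missed' or 'pending' for one finding, as observed on as_of."""
    if f.remediated is not None:
        return "met" if f.remediated <= sla_deadline(f) else "missed"
    # Still open: a miss only once the deadline has passed; before that the
    # outcome is simply not known yet. This is the metric's lag time.
    return "missed" if as_of > sla_deadline(f) else "pending"


def sla_compliance(findings, period, as_of):
    """(share of evaluable findings that met SLA, evaluable count, pending count)
    for findings discovered inside period, as observed on as_of."""
    start, end = period
    statuses = [sla_status(f, as_of) for f in findings if start <= f.discovered <= end]
    pending = statuses.count("pending")
    evaluable = len(statuses) - pending
    rate = statuses.count("met") / evaluable if evaluable else None
    return rate, evaluable, pending


def mean_time_to_remediate(findings, period):
    """Mean days from discovery to fix over findings closed so far. Open findings
    are excluded, which biases this metric optimistically until they close."""
    start, end = period
    days = [(f.remediated - f.discovered).days for f in findings
            if start <= f.discovered <= end and f.remediated is not None]
    return sum(days) / len(days) if days else None


def compare_periods(findings, previous, current, as_of, target):
    """Answer 'more secure than before?' and 'secure enough?' for SLA compliance."""
    prev_rate, _, _ = sla_compliance(findings, previous, as_of)
    curr_rate, _, pending = sla_compliance(findings, current, as_of)
    known = prev_rate is not None and curr_rate is not None
    return {
        "previous": prev_rate,
        "current": curr_rate,
        "improved": known and curr_rate > prev_rate,
        "meets_target": curr_rate is not None and curr_rate >= target,
        "pending": pending,   # > 0 means the current figure can still move
    }


if __name__ == "__main__":
    for as_of in (END_OF_Q2, MID_JULY):
        print(as_of, compare_periods(FINDINGS, Q1, Q2, as_of, target=0.9))
    print("MTTR Q1/Q2:", mean_time_to_remediate(FINDINGS, Q1),
          mean_time_to_remediate(FINDINGS, Q2))
```

Run on the last day of Q2 the report says Q2 improved on Q1 and meets the 90% target, with one finding pending; run again in mid-July, after that finding's 30-day deadline has passed unresolved, Q2 drops to the same two-thirds as Q1. A metric reported before its lag time has elapsed answers "are we more secure?" too early, which is the point behind the self-assessment question on latency below.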

Self Assessment

Fill in the blanks:
3.  ........................ signifies assurance that the security-enforcing mechanisms have been correctly
    implemented.
4.  A covering security metric with a short latency period or lag time is preferred over one with
    a ........................ latency period.

12.3 Security Matrix

A security matrix is used to concentrate measures where they are needed, and to make explicit
which measures are being (deliberately) omitted. Building a security matrix includes the following:
1.  Draw a threat/risk landscape. Which areas are most at risk?
2.  Define future measures, baselines, or project-specific security measures.
3.  Relate security topics to one another.
4.  Depth and diversity of defence.
5.  List/audit existing measures.
6.  Follow changes in focus over time.
7.  Divide "Computer Equipment" as your needs require, e.g. OS, DBs, Middleware, Applications.
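The seven steps above describe a table whose rows are the asset layers of step 7 and whose columns are security topics, with each cell recording whether a measure exists, is planned, or has been deliberately left out. The following is an added example, not from the original text, that implements such a matrix and the queries the steps call for: undocumented gaps (cells with neither a measure nor a recorded decision), depth and diversity of defence per topic (step 4), the topics most at risk (step 1), and the change between two audit snapshots (step 6). The layers, topics and inventory are constructed for the example.

```python
from collections import Counter

# Possible states of one cell (asset layer x security topic). MISSING is the
# default: no measure and no recorded decision, i.e. an undocumented gap,
# as opposed to OMITTED, a documented decision not to have one.
IMPLEMENTED, PLANNED, OMITTED, MISSING = "implemented", "planned", "omitted", "missing"

# Step 7: "Computer Equipment" split into layers; the topics are the security
# areas of step 3. Both lists are example choices, not from the text.
LAYERS = ["OS", "DB", "Middleware", "Application"]
TOPICS = ["authentication", "patching", "logging", "encryption", "backup"]


def build_matrix(layers, topics, entries):
    """entries maps (layer, topic) -> status; every other cell is MISSING."""
    return {(l, t): entries.get((l, t), MISSING) for l in layers for t in topics}


# Constructed inventory from step 5 (list/audit existing measures); not real data.
Q1 = build_matrix(LAYERS, TOPICS, {
    ("OS", "authentication"): IMPLEMENTED,
    ("OS", "patching"): IMPLEMENTED,
    ("OS", "logging"): IMPLEMENTED,
    ("DB", "authentication"): IMPLEMENTED,
    ("DB", "backup"): IMPLEMENTED,
    ("DB", "encryption"): PLANNED,
    ("Middleware", "patching"): PLANNED,
    ("Application", "authentication"): IMPLEMENTED,
    ("Application", "logging"): OMITTED,   # deliberate, documented decision
})

# The same matrix one quarter later: the two planned measures were delivered.
Q2 = {**Q1, ("DB", "encryption"): IMPLEMENTED, ("Middleware", "patching"): IMPLEMENTED}


def topics_of(matrix):
    return sorted({t for _, t in matrix})


def gaps(matrix):
    """Cells with neither a measure nor a recorded decision to omit one."""
    return sorted(cell for cell, s in matrix.items() if s == MISSING)


def depth_of_defence(matrix, topic):
    """Step 4: how many layers implement a measure for this topic (depth) and
    which ones (diversity)."""
    layers = [l for (l, t), s in matrix.items() if t == topic and s == IMPLEMENTED]
    return len(layers), layers


def weak_topics(matrix, min_depth=2):
    """Step 1: topics covered by fewer than min_depth layers."""
    return [t for t in topics_of(matrix) if depth_of_defence(matrix, t)[0] < min_depth]


def status_summary(matrix):
    """Count of cells per status, e.g. to track coverage as a single figure."""
    return Counter(matrix.values())


def diff(old, new):
    """Step 6: cells whose status changed between two snapshots."""
    return {cell: (old[cell], new[cell]) for cell in old if old[cell] != new.get(cell)}


def render(matrix, width=15):
    """Plain-text table: one row per layer, one column per topic."""
    topics = topics_of(matrix)
    layers = list(dict.fromkeys(l for l, _ in matrix))   # keeps insertion order
    lines = ["".ljust(width) + "".join(t.ljust(width) for t in topics)]
    for l in layers:
        lines.append(l.ljust(width) + "".join(matrix[(l, t)].ljust(width) for t in topics))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(Q1))
    print("undocumented gaps:", len(gaps(Q1)))
    print("weak topics Q1:", weak_topics(Q1), "Q2:", weak_topics(Q2))
    print("changed since Q1:", diff(Q1, Q2))
```

Two design points matter in practice. Separating OMITTED from MISSING is what lets the matrix show which measures are being deliberately abandoned rather than merely forgotten; the Application logging cell is a recorded choice and is therefore not reported as a gap, while the eleven MISSING cells are. Depth of defence counts only IMPLEMENTED cells, so a planned measure does not reduce a topic's risk until it is delivered, which is why patching leaves the weak list only in the Q2 snapshot.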
12.4 Security Metrics Classification


Security metrics are divided into three types:
1.  Organizational
2.  Operational
3.  Technical

Two further categories are then added to capture the security controls specified in ISO/IEC 17799 and
ANSI/ISA-TR99.00.01-2004. The authors of the taxonomy advise that the following measurable aspects of an
information security activity or system can be mapped to procedures in one or more of the
five high-level categories, as illustrated in Figure 12.2.





          168                               LOVELY PROFESSIONAL UNIVERSITY