
IT Security Metrics: A Practical Framework for Measuring Security Protecting Data

✍ Scribed by Lance Hayden


Publisher: McGraw Hill
Year: 2010
Language: English
Pages: 398
Category: Library


✦ Synopsis


Implement an Effective Security Metrics Project or Program

IT Security Metrics provides a comprehensive approach to measuring risks, threats, operational activities, and the effectiveness of data protection in your organization. The book explains how to choose and design effective measurement strategies and addresses the data requirements of those strategies. The Security Process Management Framework is introduced, and analytical strategies for security metrics data are discussed. You'll learn how to take a security metrics program and adapt it to a variety of organizational contexts to achieve continuous security improvement over time. Real-world examples of security measurement projects are included in this definitive guide.

- Define security metrics as a manageable amount of usable data
- Design effective security metrics
- Understand quantitative and qualitative data, data sources, and collection and normalization methods
- Implement a programmable approach to security using the Security Process Management Framework
- Analyze security metrics data using quantitative and qualitative methods
- Design a security measurement project for operational analysis of security metrics
- Measure security operations, compliance, cost and value, and people, organizations, and culture
- Manage groups of security measurement projects using the Security Improvement Program
- Apply organizational learning methods to security metrics

✦ Table of Contents


Contents......Page 13
Foreword......Page 21
Acknowledgments......Page 23
Introduction......Page 25
Part I: Introducing Security Metrics......Page 31
1 What Is a Security Metric?......Page 33
Metrics and Measurement......Page 35
Security Metrics Today......Page 38
The Dissatisfying State of Security Metrics: Lessons from Other Industries......Page 49
Reassessing Our Ideas About Security Metrics......Page 52
Summary......Page 53
Further Reading......Page 54
2 Designing Effective Security Metrics......Page 55
Choosing Good Metrics......Page 56
GQM for Better Security Metrics......Page 66
More Security Uses for GQM......Page 77
Summary......Page 82
Further Reading......Page 83
3 Understanding Data......Page 85
What Are Data?......Page 86
Data Sources for Security Metrics......Page 98
We Have Metrics and Data—Now What?......Page 101
Further Reading......Page 102
Case Study 1: In Search of Enterprise Metrics......Page 103
Scenario One: Our New Vulnerability Management Program......Page 107
Scenario Two: Who’s on First?......Page 108
Scenario Three: The Value of a Slide......Page 109
Scenario Four: The Monitoring Program......Page 112
Scenario Five: What Cost, the Truth?......Page 114
Summary......Page 116
Part II: Implementing Security Metrics......Page 117
4 The Security Process Management Framework......Page 119
Managing Security as a Business Process......Page 120
The SPM Framework......Page 127
Before You Begin SPM......Page 133
Summary......Page 139
Further Reading......Page 140
5 Analyzing Security Metrics Data......Page 141
The Most Important Step......Page 142
Analysis Tools and Techniques......Page 151
Summary......Page 177
Further Reading......Page 179
6 Designing the Security Measurement Project......Page 181
Before the Project Begins......Page 182
Phase One: Build a Project Plan and Assemble the Team......Page 190
Phase Two: Gather the Metrics Data......Page 193
Phase Three: Analyze the Metrics Data and Build Conclusions......Page 194
Phase Four: Present the Results......Page 196
Phase Five: Reuse the Results......Page 198
Project Management Tools......Page 199
Further Reading......Page 200
Case Study 2: Normalizing Tool Data in a Security Posture Assessment......Page 201
Background: Overview of the SPA Service......Page 202
Objectives of the Case Study......Page 206
Summary......Page 221
Part III: Exploring Security Measurement Projects......Page 223
7 Measuring Security Operations......Page 225
Sample Metrics for Security Operations......Page 226
Sample Measurement Projects for Security Operations......Page 228
Further Reading......Page 251
8 Measuring Compliance and Conformance......Page 253
The Challenges of Measuring Compliance......Page 254
Sample Measurement Projects for Compliance and Conformance......Page 258
Further Reading......Page 275
9 Measuring Security Cost and Value......Page 277
Sample Measurement Projects for Compliance and Conformance......Page 278
Summary......Page 298
Further Reading......Page 299
10 Measuring People, Organizations, and Culture......Page 301
Sample Measurement Projects for People, Organizations, and Culture......Page 303
Summary......Page 317
Further Reading......Page 318
Case Study 3: Web Application Vulnerabilities......Page 319
Outcomes, Timelines, Resources......Page 321
Initial Reporting with “Dirty Data”......Page 322
Working with Stakeholders to Perform Data Cleansing......Page 326
Follow-up with Reports and Discussions with Stakeholders......Page 327
Lesson Learned: Fix the Process, and Then Automate......Page 328
Lesson Learned: Don’t Wait for Perfect Data Before Reporting......Page 331
Summary......Page 332
Part IV: Beyond Security Metrics......Page 335
11 The Security Improvement Program......Page 337
Moving from Projects to Programs......Page 338
Managing Security Measurement with a Security Improvement Program......Page 339
Requirements for a SIP......Page 344
Measuring the SIP......Page 351
Case Study: A SIP for Insider Threat Measurement......Page 353
Summary......Page 357
Further Reading......Page 358
12 Learning Security: Different Contexts for Security Process Management......Page 359
Organizational Learning......Page 360
Three Learning Styles for IT Security Metrics......Page 361
Final Thoughts......Page 366
Further Reading......Page 367
Case Study 4: Getting Management Buy-in for the Security Metrics Program......Page 369
The CISO Hacked My Computer......Page 371
What Is Buy-in?......Page 372
Higher Education Case Study......Page 373
Conclusion......Page 385
A......Page 387
C......Page 388
D......Page 389
F......Page 390
G......Page 391
L......Page 392
N......Page 393
Q......Page 394
S......Page 395
V......Page 397
W......Page 398

