The Chief Information Officer wants to ensure they are investing properly in information assurance. What are some metrics that the Chief Information Security Officer should advise the organization to monitor? How would these metrics help to identify the costs/benefits, or the return on investment? What are some caveats that might exist to the metrics you suggest? (The course is called cybersecurity management.)
In reference to the context, the Chief Information Officer (CIO) has to advise the organization on monitoring the metrics of Information Assurance, so that its investment in the same is done properly.
Let us first understand Information Assurance:
It can be stated as the process through which an organization protects its information. As this process is closely related to risk management, the organization allocates resources in a profitable manner to protect its systems from intrusion and information breaches. It must also be understood that after the resources are allocated, there has to be a thorough examination and auditing of the same, in order to have a clear picture of how effectively the information assurance framework is working for the organization.
The CIO will be focusing on the varied information available within the various departments of the organization and the protection required for such information. She/he will also focus on the effectiveness of the protection provided, so that the organization will not have to face disclosure, modification or disruption of any of its information.
Talking about some of the most important metrics, and how these will help identify the costs/benefits or the return on investment, the ones that the CIO has to advise on will include the challenges initially faced in terms of modification of the data and/or information. It is very important for an organization dealing with information-based processes to keep its information and data untouched and away from any type of unnecessary modification, except as may seem necessary to the authorized staff, provided the integrity of the data remains the same.
After that, the information must be made available to those who need to access it for their work; in this way the available information is accessible only to those who are authorized and not to everyone, which will help the organization to maintain the stability of each and every process happening across the organization.
Protecting data or information through a portal requiring an ID and password will also be suggested, as it will help authenticate the user before giving access to the information being sought. This will in turn help the company to have a log which can be referred to in case there is any breach, unwanted modification or wrong data input by any user. The log can immediately give details of the login date and time in the portal by user, and also give details of the amount of time spent inside the portal for information access.
The information assurance framework must be designed in a way that a particular piece of information is visible to a particular user only, which means there is no compromise on the confidentiality of any information. This will help the organization to grow and will also help designations within the company to understand and respect the importance of each other's work.
All the metrics mentioned have their own challenges and differ from company to company depending upon the nature of work. It's important for the company to take technical measures (e.g. data encryption, firewalls, etc.) and organizational measures (by creating a separate team for information security) to deal with the challenges arising from it. The organization must also invest in making staff aware of the various processes and must also focus on providing proper training when it comes to accessing data for business development.