Question

You are part of a team responsible for designing an assessment to determine whether or not your company’s information security controls are in compliance and to identify any necessary improvements or adjustments.

Select two of the aspects listed below and discuss the importance of each in establishing a successful security metrics program. Give specific examples. What problems/issues might your company face if those aspects are not handled appropriately?

• Identifying stakeholders
• Defining metrics program goals and objectives
• Deciding which metrics to report
• Establishing targets and thresholds
• Developing strategies for collecting metrics data
• Determining how metrics will be reported
• Creating a remediation action plan
• Conducting a formal program review cycle

Answer 1

1. Developing strategies for collecting metrics data:- This field should specify the data source ,frequency of collection of data and allocate the responsibility of data compilation.Automated collection of data is generally more accurate than manual collection so organisation should employ automated way of data collection ,analyse it and report it into matrices.Automated collection is easy to configure and require less resources to be used in case of manual collection.

example:-If there is threat of viruses in a computer system then it will be the first question that what is the source of viruses,is it coming from external removable media storage or is it through internet browsing or emails.if we have found that the virus and threats are due to emails then we have to develop a strategy so to collect data based upon the emails like the numberof spyware or virus detected in emails or the percentage of suspected emails detected, then we have to ensure the frquency of data collection according to the percentage of suspected emil detected and then form the security matrics according to that.

2. Conducting a formal program review cycle:-The continue feedback of the security matrics is very necesaary to evaluate the matrics and its value and if it is not progressing or improving then it has to be discarded.New matrics should be added to improve and refine the progress of security program.A fresh scan of security matrics standard and its accuracy should be done to ensure the fine tuning of program.

example:-If the email threats and virus data is collected and matrics is formed and suppose a new type of malware attack through internet and email will be there ,so to prevent that new matrics should be added or the older matrics should be updated and improved to identify that new malware or spyware.

• The aspects which are shown above should be handled properly to ensure the prevention from the threats like data loss ,database injections,security breach etc. The areas like malware management,emails management,vulnurability management and patch management are very important to work upon and uptight the security control over these areas through these security aspects.