ISO27k Security Metrics Examples

Published by vishnukesarwani on Oct 31, 2008 (Scribd). Copyright: Attribution Non-commercial.

Each metric below is documented on the same template: title, primary customer, information source/s, how it is calculated, frequency, rationale, the related sections of ISO/IEC 27002 (main and subsidiary), the nature of the metric on five scales (leading / lagging / semi; soft / hard / semi; objective / subjective / semi; absolute / relative (trend) / semi; confidentiality / integrity / availability), alternative metrics considered, and notes. On each scale the value shown is the one the original highlights. The emphasis that marked which ISO/IEC 27002 sections are main and which are subsidiary did not survive extraction, so every template lists all twelve candidate sections (4 Risk mgmt to 15 Compliance) as the original's checklist does.
Title/name of metric: Coordinated Business Continuity Plans
Primary customer: Security management & executives
Information source/s: All business units or contingency planning function
How calculated: Count the number of BCPs that have been signed to denote review and acceptance by the heads of all relevant business functions invoked in the plans
Frequency: Collect & report quarterly in year 1, then half-yearly in year 2, then annually (as continuity processes mature)
Rationale for measuring this: Business continuity plans for any department typically call upon other departments (e.g. IT), but coordination of plans between departments is not automatically guaranteed. This metric checks that plans have been coordinated with and accepted by all the business functions they invoke.
Relevant section/s of ISO/IEC 27002 (main / subsidiary): 4 Risk mgmt, 5 Security policy, 6 Information security governance, 7 Asset mgmt, 8 HR, 9 Physical security, 10 Comms/Ops mgmt, 11 Access control, 12 SDLC, 13 Incident mgmt, 14 Continuity mgmt, 15 Compliance (which of these the original marks as main and which as subsidiary is not recoverable from this copy)
Nature of metric: Leading / Lagging / Semi = Lagging; Soft / Hard / Semi = Hard; Objective / Subjective / Semi = Semi*; Absolute / Relative (trend) / Semi = Relative (trend); Confidentiality / Integrity / Availability = Integrity
Alternative metrics considered: Number of BCPs successfully tested/exercised
Notes: * The metric itself is objective, but the degree to which signatories actually review and approve the plans may vary.
 
Title/name of metric: Personal device security
Primary customer: Security manager / committee
Information source/s: IT Help/Service Desk incident log + automated system logs (e.g. antivirus and antispyware logs)
How calculated: Number of security incidents involving personal devices / number of personal devices x 100%
Frequency: Collect daily; report monthly or quarterly
Rationale for measuring this: Monitor security risks to personal devices (PDAs, laptops, mobile phones etc.) that often fall outside the purview of the Information Security Management System yet carry sensitive & valuable data. Identify education/awareness targets and security issues. Ensure policy compliance.
Relevant section/s of ISO/IEC 27002 (main / subsidiary): 4 Risk mgmt, 5 Security policy, 6 Infosec governance, 7 Asset mgmt, 8 HR, 9 Physical security, 10 Comms/Ops mgmt, 11 Access control, 12 SDLC, 13 Incident mgmt, 14 Continuity mgmt, 15 Compliance (which of these the original marks as main and which as subsidiary is not recoverable from this copy)
Nature of metric: Leading / Lagging / Semi = Lagging; Soft / Hard / Semi = Hard; Objective / Subjective / Semi = Objective; Absolute / Relative (trend) / Semi = Relative (trend); Confidentiality / Integrity / Availability = Confidentiality, Integrity
Alternative metrics considered: Automated compliance checks using automated controls, e.g. antivirus, security configuration checkers
Notes: none
 
Title/name of metric: Payroll data quality
Primary customer: Senior management team
Information source/s: Payroll database logs and system change records
How calculated: (number of exceptions and corrections processed during the period LESS number of legitimate data changes) / number of records in the database x 100%
Frequency: Collect weekly; report quarterly
Rationale for measuring this: Measures data integrity failures (completeness, accuracy, timeliness) in an important database where the consequences of data errors may be significant.
Relevant section/s of ISO/IEC 27002 (main / subsidiary): 4 Risk mgmt, 5 Security policy, 6 Infosec governance, 7 Asset mgmt, 8 HR, 9 Physical security, 10 Comms/Ops mgmt, 11 Access control, 12 SDLC, 13 Incident mgmt, 14 Continuity mgmt, 15 Compliance (which of these the original marks as main and which as subsidiary is not recoverable from this copy)
Nature of metric: Leading / Lagging / Semi = Lagging; Soft / Hard / Semi = Hard; Objective / Subjective / Semi = Objective; Absolute / Relative (trend) / Semi = Relative (trend); Confidentiality / Integrity / Availability = Integrity
Alternative metrics considered: Delayed updates to personnel records
Notes: Some payroll data changes are more significant than others, but this metric simply counts the number of data corrections to assess the accuracy level. Better automated or manual data entry controls should reduce the number of errors having to be corrected. The same metric can be applied to any database, ERP or similar system, and compared between systems.
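The payroll data quality formula above, worked through as an added example that is not part of the ISO27k catalogue. It assumes a change log in which every change applied to the payroll database carries a reason code (the codes NEWHIRE, LEAVER, PAYRISE and BANK_CHANGE standing for legitimate business changes, anything else for an exception or correction), a constructed record count, weekly collection and quarterly reporting as the template specifies, and finishes with the quarter-on-quarter trend, since the catalogue classes the metric as relative (trend). The log layout, reason codes and sample data are all assumptions made for the example.

```python
"""Payroll data quality metric computed from a change log (added example).

Implements the catalogue's formula
    (#exceptions and corrections processed during the period
       LESS #legitimate data changes) / #records in the database x 100%
with weekly collection, quarterly reporting and a quarter-on-quarter trend.
The change-log layout, the reason codes and the sample data are assumptions
made for this example, not part of the ISO27k catalogue.
"""
from collections import defaultdict
from datetime import date

# Assumption: every change applied to the payroll database is logged with a
# reason code. Codes in LEGITIMATE_REASONS are genuine business changes; any
# other code means the change was an exception or a correction of bad data.
LEGITIMATE_REASONS = {"NEWHIRE", "LEAVER", "PAYRISE", "BANK_CHANGE"}

# Constructed sample change log: (date processed, payroll record id, reason).
SAMPLE_CHANGES = [
    (date(2024, 1, 8), "E1001", "NEWHIRE"),
    (date(2024, 1, 8), "E1002", "CORRECTION"),
    (date(2024, 1, 15), "E1003", "EXCEPTION"),
    (date(2024, 2, 5), "E1004", "PAYRISE"),
    (date(2024, 2, 12), "E1002", "CORRECTION"),
    (date(2024, 3, 4), "E1005", "LEAVER"),
    (date(2024, 3, 11), "E1006", "CORRECTION"),
    (date(2024, 4, 2), "E1007", "NEWHIRE"),
    (date(2024, 4, 9), "E1008", "CORRECTION"),
    (date(2024, 5, 6), "E1009", "BANK_CHANGE"),
    (date(2024, 6, 3), "E1010", "EXCEPTION"),
]
RECORDS_IN_DATABASE = 2000  # constructed: rows in the payroll database


def iso_week(when):
    """Collection period: (ISO year, ISO week number)."""
    year, week, _weekday = when.isocalendar()
    return (year, week)


def quarter_of(when):
    """Reporting period: (year, calendar quarter 1-4)."""
    return (when.year, (when.month - 1) // 3 + 1)


def count_changes(changes, period_of):
    """Map each period to (changes processed, legitimate changes).

    Used with iso_week for the weekly collection step and with quarter_of
    for the quarterly report; the same log feeds both.
    """
    counts = defaultdict(lambda: [0, 0])
    for when, _record_id, reason in changes:
        bucket = counts[period_of(when)]
        bucket[0] += 1
        if reason in LEGITIMATE_REASONS:
            bucket[1] += 1
    return {period: tuple(v) for period, v in sorted(counts.items())}


def quality_percent(counts, records_in_database):
    """Apply the formula to each period's counts.

    'Changes processed less legitimate changes' is the catalogue's
    numerator; the denominator is the size of the database, not the number
    of changes, so the result is errors per record, in percent.
    """
    if records_in_database <= 0:
        raise ValueError("records_in_database must be positive")
    return {
        period: (processed - legitimate) * 100 / records_in_database
        for period, (processed, legitimate) in counts.items()
    }


def trend(quality):
    """Relative (trend) view: (period, value, change versus previous period)."""
    rows, previous = [], None
    for period, value in sorted(quality.items()):
        rows.append((period, value, None if previous is None else value - previous))
        previous = value
    return rows


if __name__ == "__main__":
    quarterly = quality_percent(
        count_changes(SAMPLE_CHANGES, quarter_of), RECORDS_IN_DATABASE)
    for (year, quarter), value, delta in trend(quarterly):
        note = "" if delta is None else f" ({delta:+.2f} points vs previous quarter)"
        print(f"{year}-Q{quarter}: {value:.2f}%{note}")
```

Because the numerator is "everything processed minus what was legitimate", the reason-code taxonomy decides the result: a change logged without a code, or with a vague one, is counted as a correction, so the codes need to be mandatory and reviewed before the metric is trusted. The caveat in the Notes row also applies unchanged: every correction weighs the same, so a wrong bank account and a typo in a job title each count one.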
