Sunday, August 26, 2007

Security metrics ?

“Hi ..., We have several customers working on implementing security metrics. Success is relative. Yes, they all see a dashboard of figures, but I am not sure if the results are mature enough. The metrics are relative and not global, so they are not comparable the way they are in the manufacturing sector (hopefully ISO 27004 will close the gap; it is still in draft, or you can get (BSI) BIP0074; these are the best guidelines). But if you need a quick fix, for the beginning you can use the SEM dashboards integrated with manual data from other systems (such as AV, door access, etc.). That is a very quick/practical kickstart. Integrating a basic report into your ISMS will require constant updates. Another option is to use a 3rd-party monitoring service like an MSSP. This way you can get your metrics predefined and compared with global trends. This is an easy start as well. I cannot share the specifics of how our customers feel about metrics, but you can use the public domain information about security metrics. I am reading the book by Andrew Jaquith, Security Metrics, 2007, from Addison-Wesley. I think it is a good start. I do recommend it. There is also an 800-pager from Auerbach, "Complete Guide to Security and Privacy Metrics", but I did not read it. Let me know if you have a specific question. Regards, yinal ozkan”