InformationWeek Financial Services Special Reports

Security Metrics


Page 28 of 28

and Risk Scoring Reference Architecture Report (CAESARS)" and extended by NIST in NIST Interagency Report (NISTIR) 7756. The details of this model are too complex to cover here, but one key takeaway is the importance of moving away from point-in-time risk evaluation and measurement toward a continuous model.

Reporting Framework

Once you have decided what to monitor and how frequently to monitor it, you need a reporting framework within which to present these values both to your team and to management. First, decide what mechanism you will use for reporting. Commercial governance, risk, and compliance (GRC) tools (particularly risk-based tools such as Modulo, RSAM, and WCK) can help here, because they generally include capabilities for consuming the output of automated data collection and rendering it into a useful visual form. When you are starting out, however, particularly with a fairly lean methodology, these tools may be overkill. If so, consider simply keeping a data record of your findings (in Excel, for example). You don't need a fancy dashboard, just a place to store your records so that you can preserve them for future analysis and use them as a baseline for comparison. Don't overthink this.

You'll find that when you report risk up the chain, management is generally less interested in the nitty-gritty than in seeing that progress is being made. Even a single roll-up value is useful for tracking progress in aggregate, but as you increase the granularity with which assets are segmented and categorized, problem areas will start to emerge: places where you'll need to take special action to reduce overall risk.

Ed Moyle is the director of emerging business and technology at ISACA, as well as a founding partner of SecurityCurve.
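The record-keeping approach described above (a plain ledger of findings kept as a baseline, a roll-up value for management, and a per-segment breakdown that surfaces problem areas) can be illustrated with a small script. The following is an added example, not code from the original report or from Ed Moyle; the CSV columns, the 0-10 risk scale, the cycle labels and the asset names are all constructed assumptions, and the sample rows are made-up data chosen so that the aggregate improves between two measurement cycles while one segment gets worse.

```python
"""Minimal risk-metrics ledger: aggregate roll-up plus per-segment breakdown
against a baseline cycle. Added example; all data below is constructed."""
import csv
import io
from collections import defaultdict
from statistics import mean

# Constructed sample ledger: one row per asset per measurement cycle.
# Column names and the 0-10 risk_score scale are assumptions for this example.
LEDGER_CSV = """\
cycle,asset,segment,category,risk_score
cycle-01,web-01,dmz,web,7.5
cycle-01,web-02,dmz,web,6.0
cycle-01,db-01,internal,database,5.0
cycle-01,db-02,internal,database,4.5
cycle-01,wks-01,corporate,endpoint,6.5
cycle-01,wks-02,corporate,endpoint,6.0
cycle-02,web-01,dmz,web,8.5
cycle-02,web-02,dmz,web,7.0
cycle-02,db-01,internal,database,3.0
cycle-02,db-02,internal,database,2.5
cycle-02,wks-01,corporate,endpoint,5.0
cycle-02,wks-02,corporate,endpoint,4.0
"""


def load_ledger(text):
    """Parse the CSV ledger into a list of dicts with numeric risk scores."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["risk_score"] = float(row["risk_score"])
    return rows


def cycle_rows(rows, cycle):
    """Select the measurements belonging to one measurement cycle."""
    return [row for row in rows if row["cycle"] == cycle]


def rollup(rows):
    """The single aggregate value management sees: mean risk across all assets."""
    return round(mean(row["risk_score"] for row in rows), 2)


def by_key(rows, key):
    """Mean risk score per group, where key is e.g. 'segment' or 'category'."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[key]].append(row["risk_score"])
    return {name: round(mean(scores), 2) for name, scores in groups.items()}


def problem_areas(current_rows, baseline_rows, key="segment", worsen_by=0.5):
    """Groups whose mean risk rose by at least worsen_by versus the baseline.

    Returns {group: (baseline_mean, current_mean)}. The threshold is an
    assumption; tune it to the scale you actually record.
    """
    current = by_key(current_rows, key)
    baseline = by_key(baseline_rows, key)
    return {
        name: (baseline[name], score)
        for name, score in current.items()
        if name in baseline and score - baseline[name] >= worsen_by
    }


if __name__ == "__main__":
    rows = load_ledger(LEDGER_CSV)
    baseline, current = cycle_rows(rows, "cycle-01"), cycle_rows(rows, "cycle-02")
    print("roll-up:", rollup(baseline), "->", rollup(current))
    print("by segment:", by_key(current, "segment"))
    print("problem areas:", problem_areas(current, baseline))
```

Run stand-alone, the roll-up drops from 5.92 to 5.0, which is the "progress is being made" story the aggregate tells; the segment breakdown shows the dmz group rising from 6.75 to 7.75 at the same time, which is exactly the kind of problem area the roll-up alone hides. Keeping the baseline cycle in the same ledger is what makes the comparison possible.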
