What do we need to measure for Information Security?
NIST specified three measure types:
- Execution of security policy.
- Effectiveness/efficiency of security services delivery.
- Impact of security events.
Performance Measurement for Information Security Challenges:
- Inconsistent process. When you work with this kind of process, you will find it challenging to specify the performance targets to measure.
- Identifying the goals and objectives of performance management. The best start will be from business/stakeholder interest.
- Establishing Performance Targets. Setting performance targets for effectiveness/efficiency and impact measures is more complex because there isn’t a specific level of performance.
What do we need to implement this Performance Measurement?
- Collecting data.
- Analyze collected data.
- Identify Corrective Actions.
- Develop Business Case.
- Apply Corrective Actions.
By building Performance Measurement for Information Security, we facilitate decision making and improve the effectiveness/efficiency of information security service delivery.