|
|
|
Developing Security Metrics for Enterprise Risk Management
By: Brian Prince
2009-06-16
Article Rating:  / 2
There are 3 user comments on this Network Security & Hardware story.
Developing security metrics for your organization can be a daunting process. IT pros, however, say deciding on security metrics can be the difference between effective security and serious vulnerabilities.When Bruce Jones decided to serve as global IT security risk and
compliance manager at Eastman Kodak Company, he found he had
a challenging problem on his hands - how to create a solid
set of security metrics that could be used to communicate
risk to the rest of the business.
Roughly two-and-a-half years later, Jones can boast of a risk management program that does exactly that.
For businesses, developing the right set of metrics is a key part of
maintaining security throughout the enterprise. Metrics provide
organizations a measuring stick to use to effectively judge risk. But
establishing those standards and integrating them into a risk management program can
be a daunting task, security pros say. Enterprises should begin by
establishing clear objectives for their metrics and ensuring the
process for gathering them is repeatable and manageable.
People kind of get a mental vapor lock because its just too hard to
do everything, and they end up not doing a lot or doing nothing, said
Rich Mogull, an analyst with Securosis. Dont look at the [Center for Internet Security] benchmarks and
try to do it all at once. Take those, pick a high-priority area, make
sure you understand it, implement it well, use whatever tools you have
and move on to the next area.
At Kodak, Jones started by researching what other organizations were
doing, but found many of the approaches were either too mathematical,
required a tremendous amount of work to manage or unsuitable for
communicating with the business side of the house. What he ended up
with was a multitier dashboard that ranks items based on the
likelihood of problems and the potential impact if something went
wrong. The items in the tiers range from access management to
intrusion detection and malware.
Tier one, the highest tier, is reserved for issues that have a very serious impact and would need to be remediated immediately.
Once we got that foundation donethen we started working on our
dashboard using that tier-based approach, he continued. The goal I
had was to try and develop a dashboard that added minimal amount of
effort on the people who were going to be providing the metrics. It had
to be metrics that were readily available that people were already
tracking or were available in databases [and] were fairly easy to pull
together.
For example, the
company turns to McAfee ePolicy Orchestrator for data on the number of
viruses found and how many machines are not up-to-date
with their DAT files. For their configuration and
change management risk measure, the company uses a tool to gather
data on server compliance and pulls other information
from a database it created to collect information about
workstation configurations.
This and
other data is gathered up once a month and fed into a
dashboard. That part of the process is largely manual, Jones said.
We really
havent automated a lot of these metrics feeds, he told eWEEK, adding
he would like to make the process a little less manual. I would like
to be able to at any time go in and bring up the dashboard and see a
real picture, point-in-time measurement of what the risk posture is
rather than having to wait until the end of the month to gather the
data.
His
advice to others - start with metrics that are easy to collect and
don't take a lot of time, and consider using statistics as a foundation
so the data can be easily communicated to the business-side of the
house.
The harder
metrics are to collect and the longer it takes people to collect it the
less likely it is to succeed over time, because people are just going
to get frustrated with it over time," he said. "[Also] I highly advise
people [to] look at that statistical process control model, because
that gives you a baseline and helps you justify expenditures."
|
|
�������x}kw⸲Z�4M'6^$!�$!;Н.1�<1msO/g?q㭒���9ӫ�RTU*J7�~vv}/Iֆ5&�pfRþGu��Ijy�P|o�I=*2d`C3J4=G�Rцf�cѩS7�o��6vG4Kkb]Ƕ<ۥC5|]1H
&\DߟDQ Mg��6q_-z^8X'A;ɟ;e[tQVu ¿
kio@ׁߎ]{f
�5w',X䄍DR����M(�O�|iHu|önKG�r(07g0馡,˺y[˫A(BX>P�5x>woXC3
k`Tf;9ݞ뭛~+e5We*C|��u�u��m)yM��0��Ns#Owqq �is,/wD��UJ�`Z.�
i<��ͧ�D,/B�.oVqW-�ŃB^��٥Z,f5<�3�+i3*�,GQD~6.{vEz㳣v��l,a�R��b J{3B~3tV�7'7�7˓MvISEVl\B�:�
Og'�k*}k�lxmx05�u=�kh2�`�RZ:{dO:ǽW-2᭫Gcdp,'�Y��s53P[h,.3$��BvrZ~@X*,>J~�fX@7�'1d0C2T��ch^�ԩ!е7˫@B=88m&T�_#d��L�|]�w1p3Z&�T2�3\M��H��9k
�3!RB`7�Ņ/^ P%!PC>.\D7h+�Ԕٛ�"K�;Cx0z�B(��pHq��>�x%�E1\S75�9?�ZoV͉*]XYu�jZll.~ӢKoߵq}nUO�n�S��35ލ`�X.B2i�%!�8W5M||�G_)AbV��U�b�(7Zdl�Z2X� jXvR�ґ639�gA::)ujSϧth̦fY9z��4$�ࠡM��/�G˥qf>1�@�
L�N0i��g{ͥn]=&tfo'(Ab��CCߘRϩg�`��I
�l"�!ز=@��HhQ0\�so0�[Sˁ�@��#` �Vz>���P@X4�um'6(�����c
6Gv�60L0���g:%�tN\IQ�o�'��2r)%�E�js⣋� 4.g@)AH �=i����m��99�
�ŊH~ܑ�vZ*ƭR��P*m=!ԑtnZ*=hF3aGe�-n^
�d6g�2+ILI�]W-&D7rB��.G �7Kᙖ&ZlY,*|\O5�&F#C7` 3�{@Zgޣa�I�`0�D��D%\Ew,O�f�kzn0��-ϑmQ2G�l�a�}'� /<�qa0'�펮6O(95,X0N�}BB+H5L��ЅiЀ4XľǦ�YqL�s�SF`ߒN�̜07ÚL ~D�g�詁m>(�L5i�uϙܑMú[^���߄T�9u� \Ʉ r}͚X� 4ؐ)|&B77cnc^ʚtɕU.F�(
/'�+b*q��(�u}ãO)Eۋ�)q
SX-�8G/4- e]Zr{QE/KƠT�u�Ra__�$��)&ےx��A-ʘ�ŗZZG"��JM�P0�+e�zhxy���62�C�q�nQym�1쳧�k�]0�y5 ȔiDs�yt�J�Mb�s˖@&�@�@�wh�/C �t�bbˡL2
NaNc�}&tAݛfl2>O�X*�l�ː�3�'�JoX�*,qRժ�L�kQqA'��6a�a�{�;w�9p�ms>u�Z\�ΗV°#]61�"@0o���`{�N|YUKZQT*8Ǚ+0ϸoF�UQ@Px�ա}{4�'8k>9g⼿z�֛?�>k냽|[M9㒏�.V˰ c�Z$ co0kEt�/�@Y�cOWy�ň ұ)N<:�
7\Uj_ask'��bx�h��C\4�<�}o��(z`0d�m3>-�7sI
|O1.!y(4`VzsnC�\��WC�$�?�{ݪ#6>L:k}�SWAW}R�PZنH!�L40
Ȁ�G-vp̟0p[C�n<1W?3�>(/M3$J1N�*,7ؘAԉvgx��ֆgy�gfE-_M枡ÇcӞ
s�um/\YIq5�SϦ�|{k��^
� s\ƽQ3)F�#Bc>ϡ�]WR_��!c2�R*?�\ ;+2gP�W[`MmgwzP4F7(p�N�УG{�#l*r��*|��:vi0v'`:�}l��Ğ�AkF �;3lӅr�
3�!̋/+f6r�uA�?lۥ@q}a��n#2v">is-&�?[�nq)%\.U��K+A�b24ٷ�Cdmj{}ԏ[*}zW<�h�3P@hrGX�\ Xߵ6N31aEl�?/��q�)T�ݤ�NX�禮o�u
JU-t?rz�
"��ڐOM5*ίVՋD~=ղ,�A'��%MP�*jI�z,`we礐'G.EmR
3%!R��ӝuN@!m|K�O��
0�BG���QzA'�n7") ^zؔ:Z�ik��tH7/��1cfa28{`�\]-HǏ4 �Z�L�TPoe5_=P%U)_�$,: ?��>d,j+�BGIn��L&RO&�WLW\��ϸ_aOw;_׆}`>3�Hb>_��*L�Pȅ1�B�q]C0I\}PKDw)��,�~w9ހg�|\V*
�x9#�T�`| @-!�y?�'�b$0/�
K Rٛظ~2��_�K��LC�~UjD��3,��`މjBU\1��dncv?�X?Jv��$�}QLMg9
���#��;?�t%.mMwvH
y�{ڹI͋C<2sK4�Υ_u^syH�Dykp�ϺՒR��ۀi�pEj_~>$�O�;�/OEC�qg�2/{f�B�,
8{5b6`8TTϊU}A�[ JF@��uz΅sѼо�_x�w;Y/[R��^s%z0W�F.5�.�Y"�F�B9>o5S|O�M1k�0ѭxѤ"���!麣tgL�ʯ�h!o/5g���^�|s!�VYm�slPn4�'lS淝�/O-
V�`!�
obB!�\J5� (JM�@�$X�)��XAU:ݽ:o~��'u�N'l ���
,Щ
c~�HF�rI'z\G�>eg'u3�s^f�}�Rt4zUrwۿpעo1Ir�}J_cNfo4��~ ѶP=8�,tph縵vI��b~:)}B-N9˞�]#I^�:�_����"TS�8LZ!�&rښS�)Z@qLӆ'>(]ax!wL08@@ISŭ�s*(�I[`deٺfJl�x8eڂN)&tJ���=�)�*5˓8/qYO(Eq��K�G�39�u���ޜ-Hy9Ym ylXýMی3%�[/�,X-�Y+Ȧ#/i\A1`"�,G7�b%k`VKu^Ǣxo�'xh�SZ�C�YN=�s;*ՃĶ;Sg.'mKSw5ظvdl�:Gw*b>�,_]hNӅ[djo{t
=z;Ojw]QSmN蝦O�xq�f=7FstY�7Y4>s&�շ�v*ˑ;^�\[5("W���fk;c�ݮ�Kq"��3��á=���!'�ryuM{gQ�W��$�tNs �wjh�w낧 �� �;c��g䜁�*nne�ue��9t7qv^{;IYviam�U�z�x�J=~Vj't:�D(sN
d["2�NIJf'<�K8z �`�,Fu��d3D?�yiТ1>Rw�!.u?6vKՠ��IszI>.e~W)TR�f�o,+-R!5"�v�ًJQyeQ�j�ȓC��b67Y"~Y��Nñؤ]Gsk
?ƈu'|Ȟ}�2٩y{8^��2� G�f�3L@��Qqq�p~vn�wcJljl�� 4!Q"h�y]�٤h��2�v��0\�f�>c!�\9+�Qx��
;)6zYp�8��粈J�,O�J5�B1_r�C^H&6Ic6�$wQ�Y�]]�%#�40u|fK={ȺHk"H���Z)�7_8Mym`I2D�8�v@
�C�ii�3+jO+b�b,N?{9X;nj}b%,xFXRxIxs+Ncne%^A2��)v��SmT-(�E�@ƈ� Ʉk^q:$K �則y �$>�-�"�XɻJ|g4dݗ&a! �^\.ޕj(T�ga�YoeRpZOkO� 8�J\6a{x?GD{\~M�*��=Ly�7eY��Lփ9%�́`$A�)I|��F,��' g?���"_�R�Tz
=�Ox Xݔ�K/eQDNW%s�u#�ĨwT*JݙخIm|)l�FjIB��"pH�p"~T2�삗L@- خk*k�!k�]H&�@ �OI(b
���pHpA��m�&epJsK��߰Ǎ&T@ߩvfN!{}e�%�b�sȫ
a`��`X��a�IG�?q_ �-#@c1\!�T\DV�>I� Ъ51uyJ��4�.
0n�O=POccFN;M�MAd`h֒�_fHI��'8�&S=yd0cT2̬,Ibdf^)���Ⱦ��yr�i�~vϳYb�>pW�? _D/���`M�({7H̫4d=-��%��-{8R�7o@/j�r,&Fg�PC��ƹ6��!o;*g�(Nd�DZ+�
x=�~�-�:=BȟK��8���QIH�p':[I}lR/�AS�@�am${5"��Yl
�Mp�Ü?`z�PGn2�y+}!v;2�a(�vK_�j_n'�&�&�>y|`'����pϯ�]x?�^3�o�7#$�HtQ#E<&vDT^<(+z9�t�މ�Uho?mLtG~[(tbxEu O�]㫱�Pv:s�Cvb7�ٷް���Be&uE? p"̷ËZ4�1��ix,.6v%1h}P����#f�%1�>%ȹ=c(`+j�k-o+� ,�BΗ�9��D�NE0�7��v9wd`8(ҐˤPFpxAIٌ˃Rͥ�)�6��MEfAȢa�x�\��sI
TW�u"X�$�Zk�KX'�Yw)Y�dHo-w?1|hֈ1p*B GUٜ� ԡ�B�~pT��kR�gx!#-5נc��hslhk�6j=!`5۶=�
an&,ip�zL�Ko^3C'�ܬDe�fݮrÇ\��mQ�a�b,lWg,o%Fw�v
�~6ѿ4,\�:�LπTfUw]jh�X*Jd�i\P)O-_PJj\9�s?ͯHP*D$07�$?^O|K��@�8l9
c}_Q_o7�jݳG>;dmX1E�� ĮT�0xo/%5"¯�I{e
�>Z`ɷә��"'tjhG&vU�tTJtz�T��}Fug��#y1~bϋ:DEo1�VY�Z`3+nޖT�mmqV]���F
Rx�3�3,C��af@$]ꆆ/HHs__C�Q�q{Rl�Å���WO_ňcR>dD+9m�FN�F�7ZyLc
�|)W'���n�iVmI| .�kp�>apPsG
)�U%Wm~##d-Ã{|U��l|%w[�ƂᶭI1/u>coI }
$r�t�wǃ݂_� ѵ#F�w_
�6f^z�ZQ!NG�d�\{H�!1K=�o~{@\p
X!q,��-D|�|0XV$ʽO��g-��?X�-RWldfB"@Ր���ȟ�Ѻi~B~he{Z]
d2�k�`1]A�\�ks>:(4xd�A�!'va]Q
s�M�AE"B.'aX�Zw}؛
0>߇�p��EA��HSvG~[7?]_v�aHe
>�h0�.gj9fUtKdZ+2&�B�s�8���_]&: %�&9a� k(E�$7Xs��IA!Cc4�3Dt�k�n،�6�NjiC RK�}Ӿbb��Wo@$P ث�dcF.\�rΒj/<*�$N0XeP���*�@���`g*o�#��C�n
Q&@ؔ�͍$�u�~�f&PRb���"(�[��]ă0>]hS'+֩��x6�L
�,%g;͂
�o9�:W�e_�g�>z0u3�A3S���C´vpX->>&1.ycq�� X�^yN4xPX ��6�=�
=܇>RXX_1[��< LꪂOJ�BveX
0VRPGCF쌆}xɼk$͈ɵ7Ѭ�54?5iVt?�uWv�;7x
Z[0j��u+t:';WOۗe/85\10kyl2_T
Q�9l^28S֘ksYx�9K��xU�< /�8l�UTO|;Rf���JNp��DŽMO!~ө�p�ڽϏПxu3�K_���Σ&}An�^�[�+�!PT8i67ax[�P��Bv[�\2o�u)?AO)@/)P~ L)@y'�9�hpJ)?@�|�?#\_~4'F$�keJ9NnS73^_~�SlH��EJ/�E�|E
}/>�)_�"?/?/R�e2SJ��R~��)0){ s"?0~)�;)w@tRO�K'E\�\�5u
tݔwݔz)�^_�c
}OiпO)�B�(I+�I�h&��u2�Ay3EΚWpz~;"9J)/e�G)R*H{�V�KӔ�(Oge�S�VڍN
a�{Br!gJ@n~#�}u9+ť&W�*7iKKT3̵cn%:Hv�^_c����˼= >w�I��8j.�{] W[O'ĴZ}5_9��x=U��cLF�D4��9�|,y��|aR�1'ť,O5;H�<�xĽM�f���߃�|�r m�G�/[}Cx�`
~io'�\v���<2kݫ++c�+p'k͠~�%c"iN^Lv=�4w)6��ߊ�dUP=l{��$4�q`� t�W3,�J�7t6v3{uCZחUC=fz}2_Wԯ{ԉeB�g`X0�
H-M
ԳpNP�?�kj
�rt5pÅ�ng.kþn��@R'�g6|VZ*L��w
DD�]1$j^V�Yqi3rP*V�&���K<#
��.=M^%t fІ��;fȳRLq�
{u+�J� P����]:6�lkX�IU|��y3� @7!:i��@1(�L�o��9X�j,.#v��QW�+ �9Şy}f[�po1iR�
��`-kDY`p�䣷
d(9gi[Ìr,�9�f�ƛ�z4=�z<(>P3�l1@ө�zu�Мx�Ldp!gB-ҋKd!^yPe�D�˺U&K8;,�{x��X]��['l�ylWRۨWy�ɐ"9�'|}�kd1Mk��+#N�P<���틒ՍPFk2�AOx}T.Q
5sE�Eא�E,&J �
B�;Ʉpг-�SF}v��_ t:쭠F����|m)Ӿb,ӣ&u&�'}E�ƭXz5(}ctiVF���16�Iϐ�Vh�:�QK^av;M����Y{qW|&z�U p$.7=j"2�Dw��Άb'հzJ%H9x�Sun��c|@ăx!$�|Ny�-kl#Yұ�)ւ�_6/gз�ǁ/;ى{KV9j�(�(&�]�asጔV%$~�HR2_[=$sDr��1ߠ(b/<%���R5�\6LDRS
h�yp_܆�Ϩf�v��k�Am'{Y*l܅12J1p(��<�)O?5'[nIG\�k<>a�ipHZ*L/Tvy*s*>ݠK��A1Z<�ޖK%:Ɛ��9-��c)0�p,\f�tO��p�π!Xs�Q %7`
�\͝-Hˍ'_d%�\!dW<�lط3@WD0;"6����>¥"UXJNb��X,8.� k$�;�n]�r$C�<[_�ڵ<�oc3�)+g�wt%(�5x2;v��MV�ec$|�
_�[0~X��+m˕bA4\B�7tl%Ng�sZ�.1_��H�ʶ0Tx5
�%`GY�U`+r
8ǩ[Vmx:����y�u+e!*O�0�:��˟]챺WQٶ�7G�}ݰ�Qa[��&�n
ۊu�y˷wC\7LTV#2�
h�T�xI;s�__9V0�|:,�cz��#}#\��81F`m�ƫ
q>2�#"�$(jVI�;;A0��&iE-ȣd`C�v�_�<8-�=ӈ��A� wVǰ�YF!&;�O80�Ux|�-h\l�};M_٦9Lg�Μ"ouXS����"[]R*gA-Z�12Mo,ckV�"�K�:�%9�=�>`5>gzC%�p&&6a]`r8Lte4QS|�J)Km)胃�Ƚkz�^4ՠ��c]e,ׁ߯Y���3�_�;1o"��j�,�La��?f��Ï�L��QƷ�ڐG8#
`x�;:(1m�#�xwg1�.BK�3#�jDB�r�nŞ�bM��r5��/ u'm^%=^+ 8i}]@csXg˱#:Qo̵�o
�@���oL�)_/`0N(i_U~b�x,I��Y��dݸ�C2��~P,u\N3R+��C��(��~t�kR5M3%�7xDČ�:WrN-WUj;#��r�&3vEQ�ycұz3���Qj5xj�T~A�{�3"ta?y_�&`��%NJ�+
n&KN�.;-=苍��GqYȾ�Ww���؝p�+�_WuNr�`l;$\c_��=ʴ�`f
u$��B��֢芙9dn}3�Q|>�@",��5�d���#h�@7�@`�
]XqG�om��V*)pF#~O7 5����� 4��]e�57!h��
+{X�ެ5�%
BdҶvK���=B�iB~'lbELy( n&oߒ9~��X=^?�)e��6�fAC]&,#֑�<.��|puz.-50N@\t;God=�eb�1!53���FIr=̢
ʼn7�@�{�sfxͽ�: �<҂ƍ�OicZ̦���Y
mЮ= ��"�k[]���|1=NՁ{b�#@Pje�h7�~,�7aY��S\vLD6;H}zp`�-o�n�T3 {J���WP
�B�NwbShH�2��H�&D�~�p
_�L�{r7��>�)W�o�;�nI��Ydl<�1ZXp1�/s#q/IyNnڽ��(�|>ci�M�xh�;~J>G
ߨv�7Oy�j7E
oyIՈAIvB�G�9��1"�e^[%+}aW�x.qx�7�s�r)rS`0[�TԤ{�P-imϵ �z,Z~+�$
7=a�.ιČc0��ŮᯏdD�.}yQn;j=q/�X3xZcc7�"qkrl�v�-�lT3�J3$-|y
$� $ЋW)ؔI8P0���x;wCJȫ�y��a
N/f��c���1j3`A3
�r2#ǎZv<7�GV#_+����<+y҆�=2�#�^.V����䫅J|�ޕ`X-DjF�Lfp8v0m�Mja.u)Mۣ��Lö#쐡�xq T&ށ\<ʮLCV��
�ւ-}}>op
�=�N;=y>|(h)p%4y^ W-zu��%X!6�[ΣVYpEqs}w�?�5pxy"��M9-ZQs}J`�bwzW͓xE��;&{�a.�6���%#�t F*7�B5_WbDH|j|g1dL)
p3�b�@)V�`mYv�mؾ^f6@Uf̷��BS+7�k+۔K�+w�3+&FD�Oe��V&چe/ao"x>��
|
Network Security & Hardware 
