Measuring information security performance
November 8, 2008 by Marcos Christodonte II
As a follow-up to my post on “How to approach baselining for better asset security,” I will discuss the benefits of measuring information security performance.
Security measurement allows managers to make informed decisions based on quantitative data. Once an information assurance process is in place, it must be measured to validate its effectiveness. As system integration grows more complex, security controls can degrade over time. A proper baseline with detailed documentation therefore provides the reference point against which those measurements are taken.
Documentation is truly the key. Detailed documents defining the configurations, processes, standards, and information security controls help define the baseline for performance measurements. Through such well-defined documents, conclusions can be made based upon evidence, not assumption. So what metrics constitute the best performance measurements? Let’s discuss a few.
There are many industry standards that can help an organization build a personalized framework against which to measure its performance. Some include the Generally Accepted Systems Security Principles (GASSP), ISO 17799, and the Standard of Good Practice for Information Security. These standards, along with compliance and regulatory standards such as SOX, HIPAA, PCI-DSS, GLBA, and FISMA, serve as minimum requirements for protecting an infrastructure. I wrote an article that addresses creating a security framework beyond such standards, and will supply the link once it’s published in a few weeks.
So, organizations must document each process and system within their infrastructure and assess their controls. This assessment can be made against the standards listed above to obtain a baseline measurement of security performance. At the end of the measurement, the gap between the implemented controls and those required by the standards should be addressed immediately: this gap represents the weaknesses that lie between the baseline standards and the organization’s actual configurations. As attacks become more sophisticated and targeted, organizations must take proactive measures to develop a framework that goes beyond a standard baseline. Once the article I mentioned above is published, I’ll further explain the steps required to produce that framework.
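To make the measurement concrete, here is a small gap-measurement script added as an example (it is not from the original post and does not reflect any particular standard). It assumes the documented baseline is expressed as a set of control identifiers with expected values; the control names, the two observed system states, and the "at least"/"at most" tolerance rules are all constructed placeholders. It scores an observed state against the baseline, lists deviations and unreported controls, and compares two measurements taken at different times so that control degradation shows up as drift rather than being hidden in a single score.

```python
"""Baseline gap measurement: added example, not code from the original post.

BASELINE, OBSERVED_INITIAL and OBSERVED_LATER are constructed sample data;
the control identifiers are hypothetical and not drawn from any standard.
"""
from dataclasses import dataclass, field

# Constructed baseline document: control identifier -> documented expected value.
BASELINE = {
    "ssh.password_auth": "no",
    "ssh.protocol": "2",
    "audit.log_retention_days": 90,
    "pw.min_length": 12,
    "pw.max_age_days": 90,
    "fw.default_inbound": "deny",
    "patch.max_age_days": 30,
}

# Numeric controls where exceeding the baseline is still compliant ("at least")
# and where staying below it is still compliant ("at most").
AT_LEAST = {"audit.log_retention_days", "pw.min_length"}
AT_MOST = {"pw.max_age_days", "patch.max_age_days"}


@dataclass
class GapReport:
    compliant: list = field(default_factory=list)
    deviations: dict = field(default_factory=dict)  # control -> (expected, observed)
    missing: list = field(default_factory=list)     # controls not reported at all

    @property
    def score(self) -> float:
        """Percentage of baseline controls found compliant (missing counts as non-compliant)."""
        total = len(self.compliant) + len(self.deviations) + len(self.missing)
        return 100.0 * len(self.compliant) / total if total else 0.0


def control_meets(control, expected, observed) -> bool:
    """Apply the tolerance rule for one control."""
    if control in AT_LEAST:
        return observed >= expected
    if control in AT_MOST:
        return observed <= expected
    return observed == expected


def measure(baseline: dict, observed: dict) -> GapReport:
    """Compare an observed system state against the documented baseline."""
    report = GapReport()
    for control, expected in baseline.items():
        if control not in observed:
            report.missing.append(control)
        elif control_meets(control, expected, observed[control]):
            report.compliant.append(control)
        else:
            report.deviations[control] = (expected, observed[control])
    return report


def drift(earlier: GapReport, later: GapReport) -> list:
    """Controls that were compliant in the earlier measurement but are not in the later one."""
    return sorted(set(earlier.compliant) - set(later.compliant))


# Constructed observations: state when the baseline was approved, and a later re-measurement.
OBSERVED_INITIAL = {
    "ssh.password_auth": "no",
    "ssh.protocol": "2",
    "audit.log_retention_days": 180,
    "pw.min_length": 12,
    "pw.max_age_days": 60,
    "fw.default_inbound": "deny",
    "patch.max_age_days": 14,
}
OBSERVED_LATER = {
    "ssh.password_auth": "yes",       # re-enabled during an integration change
    "ssh.protocol": "2",
    "audit.log_retention_days": 30,   # retention shortened below the baseline
    "pw.min_length": 12,
    "pw.max_age_days": 60,
    "patch.max_age_days": 45,         # patching fell behind
    # fw.default_inbound is no longer reported by the collector
}

if __name__ == "__main__":
    first = measure(BASELINE, OBSERVED_INITIAL)
    second = measure(BASELINE, OBSERVED_LATER)
    print(f"initial score: {first.score:.1f}%   later score: {second.score:.1f}%")
    for control, (expected, observed) in second.deviations.items():
        print(f"  deviation: {control}: expected {expected}, observed {observed}")
    print("  not reported:", second.missing)
    print("  degraded since baseline:", drift(first, second))
```

The single score is what management sees; the deviation list and the drift list are what the engineers act on. Treating an unreported control as non-compliant rather than ignoring it is deliberate: a control that silently drops out of the evidence is exactly the kind of degradation a documented baseline is meant to catch.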