What is your Information security posture? Is there a way to put a measurable score for information security? Can I set a SMART Infosec KPI? If these questions ever crossed your mind, then you are probably at the right place.
I try to address these questions by creating a Score Card for Information Security. Let's start with a Basic framework by collating all the Infosec related activities we do or wish to do to improve our confidence on our Systems and Processes. Allocate a weight to every activity and roll up to create a final score. The maximum achievable score helps you set a goal. The progress in terms of a measurable score helps to assess yourself and communicate better with Business. I like to call this score my Information Security Index.
Simple isn’t it? But, how good is an score if you are the only player? Why not create an index that will be aligned to some industry standard and can be put on a public domain for like minded people to assess themselves. This makes me share with you a sample framework that most of us can relate with:
A set of Master Controls measures try to capture the overall Security Score or Index.
1. ISMS FrameWork Management Controls (e.g, Certification status, Enterprise Risk controls, etc.,)
2. Human Resource Security (Internal Security/ People measures)
3. Asset Management (Inventory/Ownership/Disposal best practices etc.,)
4. Access Control (Internal and External)
5. Cryptography (Data encryption processes)
6. Physical and Environmental Security (Administrative/IT/HR best practices)
7. Operations Security (Documentation Process, Backup and Logging, etc.,)
8. Communications Security (Data/Voice Network related controls)
9. Information Systems Acquisition Development and Maintenance (Application/Infrastructure and Services)
10, Supplier Relationships
11. Incident Management
12. BCM
13. Compliance (IT Governance)
Each one of the above parameters have a weightage aggregating to 100. Further, every Control measure has a subset of measurable tasks resulting in percentage compliance score of each control. Since, Info-security is a moving target, the measures may be reviewed every year.
Does it sound interesting? How do YOU measure info-security? Would you like to share your views?
Comments