Information Security Processes

Supporting ISG Deployment - Part V

What ever your perspective may be, the importance of effective and efficient ISG cannot be overlooked in the current global high technology environment. Considering what is at stake for most entities, when security is compromised, usually justifying ISG deployment based on one viewpoint narrows managerial suitability and expected benefits. In the final analysis, combining the discussed individual abstraction level may provide the most appropriate support for institutionalizing ISG.

“View Part I of the Supporting ISG Deployment series here“

Supporting ISG Deployment - Part IV

If, however, you assume ISG provides financial and/or reputational benefits, potential stakeholders are presumed to rely upon governance elements prior to investing their time, talent, and/or money. Therefore, ascertaining the effectiveness and efficiency of entity-centric information security objectives, through adequate monitoring, is rudimentary to sound business practices for satisfying stakeholder safeguarding expectations. In this regard, effectiveness and efficiency evaluation requires measurement against established standards. The performance measures should be established when standards are created or adopted. Techniques utilized for ISG implementation include: maturity modeling, budgeting, benchmarking, and gap analysis. Base on the perceived opportunity for enrichment, with provable risk reductions, publicized superior ISG deployment may attract additional investors.

“View Part I of the Supporting ISG Deployment series here“

Supporting ISG Deployment - Part III

Alternatively, if you perceive ISG as a descriptive prescription for achieving managerial objectives, the adopted ISG methodology should provide security assessments defining strategic, tactical, and operational risks. Management usually is vigilant regarding the cost of controls and the benefits that can be derived from controls deployment and utilization, while achieving an entity’s strategic direction. Concurrently, auditors are concerned with the impact of information security controls on an entity’s internal control system. To redress cost-benefit, strategic direction as well as control impact issues, ISG effectiveness and efficiency directly related to managerial responsibility, accountability, and authority structure should be demonstrated through appropriate measurement tools. Therefore, at the methodological root, understanding ISG roles are considered crucial to managing secure processes.

“View Part I of the Supporting ISG Deployment series here“

Supporting ISG Deployment - Part II

If you envision ISG as a framework servicing entity and ‘IT governance‘, then structurally, ISG should be implemented as an organizational program with objectives, goals, policies, procedures, standards, and rules designed to accomplish management’s intentions. To drive safeguarding controls, ISG should receive ’significant program’ status because other entity and IT programs are directly impacted by ISG effectiveness. Furthermore, efficiency of controls should be obtained through models available to assist in deploying ISG.

“View Part I of the Supporting ISG Deployment series here“

Supporting ISG Deployment - Part I

Traversing to and aligning with potential ‘Governance Tree‘ third-tier abstraction levels; information security governance (ISG) can be viewed as a framework, methodology, or technique. Framing ISG enables a “system of controls” assisting in assuring organizational goals and objectives are achieved effectively and efficiently. Methodologically, ISG furnishes descriptive details of the role direction and controls play in achieving entity-centric objectives. Lastly, as a technique, ISG provides processes and steps that can generate superior financial and/or reputational returns for stakeholders.

Measuring Delivery Value - Part IV

Performance measurement is a control activity. Measurement techniques are the means for effective information security performance monitoring. “Selective measurement utility is realized when a critical few indicators permit accurate and timely information for decision-making and, by extension, appropriate information assets protection.” KPIs provide the critical measuring technique for aligned objectives and goals. Adequate KPIs permit comparative analysis for assessing resource deployment and utilization success. When processes are evaluated within the pre-established context, KPIs enable rapid resource mobilization, substitution and/or elimination for organizational objectives fulfillment.

“View Part I of the Measuring Delivery Value series here“

Measuring Delivery Value - Part III

Information security service management can include financial and non-financial indicators to enable performance assessments. However, selected indicators must represent a mathematically measurable quality. An adopted KPI should have an established target, associated with a completion date and a path for improvement. Furthermore, an adequate KPI enables determination of the degree of change from the current state to future expectations. Considering the current state requires comparison to accepted standards for performance measurement. For instance, an information security goal might address access privileges. Consequently, the “time to grant access privileges” KPI would specify whether the measurement duration is in minutes, hours or days. Reflecting the established time basis, a target for the KPI can be derived. Therefore, “reduce time to grant access privileges by four percent per year” communicates a clear target that employees should understand and undertake specific actions to accomplish.

One of the managerial challenges for process-driven entities is integrating ‘leading indicators’ into KPIs. Similar to leading economic indicators, information security leading KPIs enable swift conditional service delivery responses to ‘code red’ impact alerts. If leading indicators are properly implemented, management can preemptively adjust a process (or processes) before the expiration date on achieving an expected outcome.

“View Part I of the Measuring Delivery Value series here“

Measuring Delivery Value - Part II

Procedurally, once information security management has analyzed the entity-centric mission, identified stakeholders, and defined objectives; goals must be established with appropriate performance indicators for status assessments. “Practical information security service delivery and support utilization requires identification of a critical few measurement indicators in each of the relevant measurement domains that align safeguarding initiatives to targeted processes and activities. At the detail-level, these few critical measurements represent key performance indicators [(KPIs)] tailored to gauge objective achievement elements. To effectively drive performance alignment, entities should utilize expected outcomes to enable multiple measurements identification so the positive impact safeguarding investments contribute are visible.”

KPIs are utilized to measure achievements through comparative analyses. Information accuracy and consistency are rudimentary to measurement reliance. If KPIs are going to reliably convey activity status, management must accurately define and consistently measure expectations. That is, activity calculation inputs must be understood and accepted by those accountable for expected performance until revision notification.

“View Part I of the Measuring Delivery Value series here“

Measuring Delivery Value - Part I

Considering adamant demands for continuous process improvements, focus on overall information protection and delivery value in terms of enabled services has become a managerial necessity. Information Security Service Management is a set of processes enabling and potentially optimizing IT security services for an entity in order to satisfy business requirements, while simultaneously providing strategic and tactical IT security infrastructure management. Consequently, information security service level management should be considered quality of service administration permitting demonstrable process improvement contributions. Measuring, monitoring and reporting on information security processes assist in ensuring organizational objectives are achieved.