ISIM archives - IT Governance, Risk, and Compliance


Jul 20 2009   7:28PM GMT

Biometric Technology - Part IV



Posted by: Robert E. Davis
Authentication, Biometrics, Crackers, Hackers, Identification, Access Controls, Information Security, Information Assets Protection, Information Security Infrastructure Management, IAP, ISIM

Technology attacks and the security compromises that follow them are never easily managed. Access controls must keep pace with the ingenuity of attackers and be proportional to the value of the information assets entrusted to the entity. Given the current accuracy of automated identification and authentication processes, no single security system should ever be promoted as infallible. Most available biometric systems nonetheless have sufficient merit to warrant consideration for information assets protection. Combined with other access restriction techniques, as one factor among several rather than the sole control, biometric systems can be a formidable deterrent to unauthorized activity that could disable an entity's information security infrastructure.

View Part I of the Biometric Technology series here

Jul 16 2009   8:31PM GMT

Biometric Technology - Part III



Posted by: Robert E. Davis
Authentication, Biometrics, Crackers, Hackers, Identification, Access Controls, Information Security, Information Assets Protection, Information Security Infrastructure Management, IAP, ISIM

Access decisions are made through the identification or authentication process. Typically, biometric identification supports physical access controls, while biometric authentication supports logical access controls. When relying on biometrics for asset protection, security managers must accept two properties of human traits: they vary over time, and they can be reproduced by an attacker. Consequently, no single access security system based on physiological and/or behavioral traits is perfect.

Voices change with age or under abnormal conditions, and can be imitated. Handprints can be altered by a cut or bruise, and can also be replicated. Even eyes and ears undergo biological change from one day to the next, and behavior is affected by emotion and fatigue. Because a matcher must tolerate this natural variation, tightening it to reject every impostor also rejects more legitimate users; a biometric system tuned to eliminate all identification and authentication errors can therefore be prohibitively slow and expensive, especially in high-traffic areas.

View Part I of the Biometric Technology series here


Jul 13 2009   6:25PM GMT

Biometric Technology - Part II



Posted by: Robert E. Davis
Authentication, Biometrics, Crackers, Hackers, Identification, Access Controls, Information Security, Information Assets Protection, Information Security Infrastructure Management, IAP, ISIM

Most information security practitioners accept biometrics as the science of using distinctive human attributes to decide whether an access right is valid. In the Information Systems Audit and Control Association's definition, biometrics is the process of identifying or authenticating a living person's identity based on physiological or behavioral characteristics. The two are distinct operations: biometric identification is usually a one-to-many search of the presented characteristics against linked data repositories, answering "who is this?"; biometric authentication is a one-to-one comparison that verifies the identity an individual claims, answering "is this person who they say they are?".

View Part I of the Biometric Technology series here
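The distinction drawn in Part II between one-to-many identification and one-to-one authentication, and Part III's point that trait variability forces a trade-off between rejecting impostors and admitting legitimate users, can both be seen in a small matcher. The following is an added example, not code from these posts or from any biometric product: the three enrolled subjects, their four-dimensional feature vectors, the probe samples and the distance thresholds are all constructed for illustration, and plain Euclidean distance stands in for a modality-specific matching score.

```python
"""Toy biometric matcher: 1:1 authentication versus 1:N identification, and why
one decision threshold cannot remove both error types at once.

Added illustration; subjects, feature vectors and thresholds are constructed
for this example and do not come from the original posts.
"""
import math

# Constructed enrolment templates: a fixed-length feature vector per subject,
# standing in for whatever a real modality (voice, hand, iris) would extract.
TEMPLATES = {
    "alice": (0.10, 0.80, 0.30, 0.55),
    "bob":   (0.90, 0.20, 0.60, 0.10),
    "carol": (0.40, 0.40, 0.95, 0.70),
}

# Constructed probes. Genuine probes are the enrolled person on a later day;
# "alice" has one ordinary sample and one taken under abnormal conditions.
GENUINE_PROBES = [
    ("alice", (0.12, 0.78, 0.33, 0.52)),  # ordinary day
    ("alice", (0.30, 0.70, 0.10, 0.60)),  # hoarse voice / bruised hand / fatigue
    ("bob",   (0.88, 0.22, 0.58, 0.12)),
    ("carol", (0.42, 0.38, 0.93, 0.72)),
]
# Impostor probes: each claims an identity the sample does not belong to.
IMPOSTOR_PROBES = [
    ("alice", (0.18, 0.72, 0.38, 0.48)),  # deliberate replica of alice's trait
    ("bob",   (0.42, 0.38, 0.93, 0.72)),  # carol's sample presented as bob
    ("carol", (0.50, 0.50, 0.50, 0.50)),  # unrelated sample presented as carol
]


def distance(a, b):
    """Euclidean distance between two feature vectors (smaller = more similar)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(claimed_id, sample, threshold):
    """1:1 authentication: the subject claims an identity and the sample is
    compared against that single enrolled template."""
    template = TEMPLATES.get(claimed_id)
    if template is None:
        return False  # unknown claim: fail closed
    return distance(sample, template) <= threshold


def identify(sample, threshold):
    """1:N identification: no claim is made; every enrolled template is searched
    and the closest subject is returned if within the threshold, else None."""
    best_id, best_dist = None, math.inf
    for subject_id, template in TEMPLATES.items():
        d = distance(sample, template)
        if d < best_dist:
            best_id, best_dist = subject_id, d
    return best_id if best_dist <= threshold else None


def error_rates(threshold):
    """Return (false_accept_rate, false_reject_rate) of verify() at a threshold,
    measured over the constructed probe sets."""
    false_accepts = sum(verify(c, s, threshold) for c, s in IMPOSTOR_PROBES)
    false_rejects = sum(not verify(c, s, threshold) for c, s in GENUINE_PROBES)
    return false_accepts / len(IMPOSTOR_PROBES), false_rejects / len(GENUINE_PROBES)


if __name__ == "__main__":
    for t in (0.10, 0.20, 0.35):
        far, frr = error_rates(t)
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    # 1:N search returns whoever is nearest, regardless of any claim.
    print(identify((0.42, 0.38, 0.93, 0.72), 0.10))  # carol
    print(identify((0.50, 0.50, 0.50, 0.50), 0.10))  # None
```

Running the script prints the error rates at three thresholds. The strict threshold (0.10) rejects alice's degraded sample, a false reject rate of 0.25, while admitting no impostor; the loose threshold (0.35) admits the replica, a false accept rate of one in three, while rejecting no genuine user; and no threshold reaches zero on both, because the replica lies closer to alice's template than alice's own abnormal-day sample does. That overlap is the cost Part III describes, and it is why a production deployment adds liveness checks and pairs the biometric with another factor rather than tuning the threshold alone.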


Jul 9 2009   8:20PM GMT

Biometric Technology - Part I



Posted by: Robert E. Davis
Biometrics, Crackers, Hackers, Access Controls, Information Security, Information Assets Protection, Information Security Infrastructure Management, IAP, ISIM

As technology becomes embedded in routine human activity, few security professionals doubt that information asset protection mechanisms must advance in parallel, and in proportion, to defend against individuals or groups seeking notoriety. Those engaged in nefarious IT activities pursue that notoriety by orchestrating attacks that render the barriers around a targeted asset ineffective. When an information asset is deemed valuable, relying on a single authentication scheme is inadequate against the number of 'hackers' or 'crackers' probing operational defenses. Judging from published organizational security incidents, two or more authentication factors will become the deployment norm, with one factor relying on a biometric process, unless superior access control remedies are devised.


Apr 27 2009   6:25PM GMT

Measuring Delivery Value - Part IV



Posted by: Robert E. Davis
Performance Measurement, Safeguarding Investments, Continuous Process Improvement, Information Security Governance, Information Security Processes, IT Security Infrastructure, IT Security Services, Key Performance Indicators, Information Security Infrastructure Management, Information Security Service Management, CPI, ISG, KPI, ISIM, ISSM

Performance measurement is a control activity, and measurement techniques are the means of effective information security performance monitoring. “Selective measurement utility is realized when a critical few indicators permit accurate and timely information for decision-making and, by extension, appropriate information assets protection.” Key performance indicators (KPIs) are the critical measuring technique for aligned objectives and goals. Adequate KPIs permit comparative analysis of how successfully resources have been deployed and utilized. When processes are evaluated within the pre-established context, KPIs enable rapid mobilization, substitution and/or elimination of resources in pursuit of organizational objectives.

View Part I of the Measuring Delivery Value series here


Apr 23 2009   6:41PM GMT

Measuring Delivery Value - Part III



Posted by: Robert E. Davis
Performance Measurement, Safeguarding Investments, Continuous Process Improvement, Information Security Governance, Information Security Processes, IT Security Infrastructure, IT Security Services, Information Security Infrastructure Management, Information Security Service Management, CPI, ISG, ISIM, ISSM

Information security service management can include financial and non-financial indicators to enable performance assessment. However, each selected indicator must represent a quantity that can be measured. An adopted KPI should have an established target, a completion date and a path for improvement. Furthermore, an adequate KPI enables the degree of change from the current state to future expectations to be determined, and establishing the current state requires comparison against accepted performance measurement standards. For instance, an information security goal might address access privileges. The “time to grant access privileges” KPI would then specify whether the duration is measured in minutes, hours or days, and a target can be derived on that time basis. Thus “reduce time to grant access privileges by four percent per year” communicates a clear target that employees can understand and act on.

One of the managerial challenges for process-driven entities is integrating ‘leading indicators’ into KPIs. Like leading economic indicators, leading information security KPIs signal a deteriorating condition early enough for service delivery to respond before it escalates to a ‘code red’ impact alert. If leading indicators are properly implemented, management can adjust a process (or processes) before the deadline for achieving an expected outcome has passed.

View Part I of the Measuring Delivery Value series here


Apr 20 2009   7:42PM GMT

Measuring Delivery Value - Part II



Posted by: Robert E. Davis
Safeguarding Investments, Continuous Process Improvement, Information Security Governance, Information Security Processes, IT Security Infrastructure, IT Security Services, Information Security Infrastructure Management, Information Security Service Management, CPI, ISG, ISIM, ISSM

Procedurally, once information security management has analyzed the entity-centric mission, identified stakeholders and defined objectives, goals must be established with appropriate performance indicators for status assessment. “Practical information security service delivery and support utilization requires identification of a critical few measurement indicators in each of the relevant measurement domains that align safeguarding initiatives to targeted processes and activities. At the detail-level, these few critical measurements represent key performance indicators [(KPIs)] tailored to gauge objective achievement elements. To effectively drive performance alignment, entities should utilize expected outcomes to enable multiple measurements identification so the positive impact safeguarding investments contribute are visible.”

KPIs measure achievement through comparative analysis. Information accuracy and consistency are fundamental to any reliance on measurement: if KPIs are to convey activity status reliably, management must define expectations accurately and measure them consistently. That is, the inputs to each activity calculation must be understood and accepted by those accountable for the expected performance, and must remain unchanged until a revision is communicated.

View Part I of the Measuring Delivery Value series here


Apr 17 2009   5:56PM GMT

Measuring Delivery Value - Part I



Posted by: Robert E. Davis
Continuous Process Improvement, Information Security Governance, Information Security Processes, IT Security Infrastructure, IT Security Services, Information Security Infrastructure Management, Information Security Service Management, CPI, ISG, ISIM, ISSM

Given the insistent demand for continuous process improvement, focusing on overall information protection and on delivery value in terms of the services enabled has become a managerial necessity. Information Security Service Management is a set of processes that enable and potentially optimize an entity's IT security services in order to satisfy business requirements, while simultaneously providing strategic and tactical IT security infrastructure management. Information security service level management should therefore be treated as quality of service administration that permits demonstrable process improvement contributions. Measuring, monitoring and reporting on information security processes help ensure that organizational objectives are achieved.