Apr 23 2009 6:41PM GMT
Posted by: Robert E. Davis
Performance Measurement, Safeguarding Investments, Continuous Process Improvement, Information Security Governance, Information Security Processes, IT Security Infrastructure, IT Security Services, Information Security Infrastructure Management, Information Security Service Management, CPI, ISG, ISIM, ISSM
Information security service management can include financial and non-financial indicators to enable performance assessments. However, selected indicators must represent a mathematically measurable quality. An adopted KPI should have an established target, associated with a completion date and a path for improvement. Furthermore, an adequate KPI enables determination of the degree of change from the current state to future expectations. Considering the current state requires comparison to accepted standards for performance measurement. For instance, an information security goal might address access privileges. Consequently, the “time to grant access privileges” KPI would specify whether the measurement duration is in minutes, hours or days. Reflecting the established time basis, a target for the KPI can be derived. Therefore, “reduce time to grant access privileges by four percent per year” communicates a clear target that employees should understand and undertake specific actions to accomplish.
One of the managerial challenges for process-driven entities is integrating ‘leading indicators’ into KPIs. Similar to leading economic indicators, information security leading KPIs enable swift conditional service delivery responses to ‘code red’ impact alerts. If leading indicators are properly implemented, management can preemptively adjust a process (or processes) before the expiration date on achieving an expected outcome.
“View Part I of the Measuring Delivery Value series here”
Apr 20 2009 7:42PM GMT
Posted by: Robert E. Davis
Safeguarding Investments, Continuous Process Improvement, Information Security Governance, Information Security Processes, IT Security Infrastructure, IT Security Services, Information Security Infrastructure Management, Information Security Service Management, CPI, ISG, ISIM, ISSM
Procedurally, once information security management has analyzed the entity-centric mission, identified stakeholders, and defined objectives, goals must be established with appropriate performance indicators for status assessments. “Practical information security service delivery and support utilization requires identification of a critical few measurement indicators in each of the relevant measurement domains that align safeguarding initiatives to targeted processes and activities. At the detail-level, these few critical measurements represent key performance indicators [(KPIs)] tailored to gauge objective achievement elements. To effectively drive performance alignment, entities should utilize expected outcomes to enable multiple measurements identification so the positive impact safeguarding investments contribute are visible.”
KPIs are utilized to measure achievements through comparative analyses. Information accuracy and consistency are rudimentary to measurement reliance. If KPIs are going to reliably convey activity status, management must accurately define and consistently measure expectations. That is, activity calculation inputs must be understood and accepted by those accountable for expected performance until revision notification.
“View Part I of the Measuring Delivery Value series here”
Apr 17 2009 5:56PM GMT
Posted by: Robert E. Davis
Continuous Process Improvement, Information Security Governance, Information Security Processes, IT Security Infrastructure, IT Security Services, Information Security Infrastructure Management, Information Security Service Management, CPI, ISG, ISIM, ISSM
Considering adamant demands for continuous process improvements, focus on overall information protection and delivery value in terms of enabled services has become a managerial necessity. Information Security Service Management is a set of processes enabling and potentially optimizing IT security services for an entity in order to satisfy business requirements, while simultaneously providing strategic and tactical IT security infrastructure management. Consequently, information security service level management should be considered quality of service administration permitting demonstrable process improvement contributions. Measuring, monitoring and reporting on information security processes assist in ensuring organizational objectives are achieved.
Apr 14 2009 1:08AM GMT
Posted by: Robert E. Davis
Control Environment, Safeguarding Investments, Service Management, Information Security Governance, Information Security Management, IT Security Program, Key Performance Indicators, Service Level Agreement, Service Delivery and Support, CE, ISSM, ITSM, KPI, SLA
Selective measurement utility is realized when a critical few indicators permit accurate and timely information for decision-making and, by extension, appropriate information assets protection. Individually, measurement techniques are the means for effective IT security performance monitoring. Collectively, IT security services financial management and maturity modeling are powerful high-level tools for assessing the achievement of objectives and goals.
“View Part I of the Measuring Performance series here”
Apr 9 2009 7:10PM GMT
Posted by: Robert E. Davis
Control Environment, Safeguarding Investments, Service Management, Information Security Governance, Information Security Management, IT Security Program, Key Performance Indicators, Service Level Agreement, Service Delivery and Support, CE, ISSM, ITSM, KPI, SLA
IT security maturity modeling can measure the established control environment and controls within processes. Typically, the defined maturity modeling scale addresses entity-centric processes from an ad hoc to an optimized level. Specifically, a robust maturity model furnishes high-level guidance that aids in appreciating what is required for productive IT safeguarding. Furthermore, an entity-centric service maturity model equips management with the ability to position information assets protection on the maturity scale. Beneficially, after identifying critical IT processes and related controls, maturity modeling enables gaps in capabilities to be identified and presented to management through benchmarking, while illuminating necessary service improvements. Action plans can then be developed to bring identified processes within the desired IT security services target level.
Benchmarking (also known as “best practice benchmarking” and “process benchmarking”) is a process primarily employed for strategic management, in which entities evaluate various aspects of active processes in relation to best practices, usually within their designated business sector. This then allows an entity to develop plans on how to adopt accepted best practices, typically with the intent of improving some facet of performance. Benchmarking may be a singular event, but is commonly treated as a repetitious process in which entities continually seek to challenge their practices.
“View Part I of the Measuring Performance series here”
Apr 6 2009 8:15PM GMT
Posted by: Robert E. Davis
Safeguarding Investments, Service Management, Information Security Governance, Information Security Management, IT Security Program, Key Performance Indicators, Service Level Agreement, Service Delivery and Support, ISSM, ITSM, KPI, SLA
Financially related information is generated to establish cost-oriented steering towards achieving entity-centric objectives and goals. Generally, aggressive expense administration and accurate cost redistribution improve the availability of financial resources. However, the IT security financial management process for service delivery and support should redress entity-centric cost accounting requirements.
Financial budgeting is the generally accepted means to quantify forecasted activity for a program. Through subsequent utilization, program budgeting provides the ability to determine the cost effectiveness of an entire IT security program or single process. Judicious financial management requires devising financial measures, allocating direct and indirect total and per unit costs for producing services, and evaluating costs saved or avoided and benefits generated. Budgeted technical support should have a direct correlation with the service operating plan to avoid under- or over-allocation of resources. Consequently, variance analyses within the budget should be performed to monitor spending. In addition, IT security management should review cost-benefit analyses to verify appropriate expenditure justifications.
“View Part I of the Measuring Performance series here”
Apr 3 2009 7:22PM GMT
Posted by: Robert E. Davis
Safeguarding Investments, Service Management, Information Security Governance, Information Security Management, IT Security Program, Key Performance Indicators, Service Level Agreement, Service Delivery and Support, ISSM, ITSM, KPI, SLA
Though IT security service management can include a plethora of indicators, adequate service value measurement is not demonstrated in the sheer number of indicators considered. Practical IT security service delivery and support utilization requires identification of a critical few measurement indicators in each of the relevant measurement domains that align security initiatives to targeted processes and activities. At the detail-level, these few critical measurements represent key performance indicators tailored to gauge objective achievement elements. To effectively drive performance alignment, entities should utilize IT configuration expected outcomes to enable the identification of multiple measurements, so that the positive impact safeguarding investments contribute is visible.