Michael walks the audience through the key focus areas in the creation of information security dashboards and discusses topics such as: What about our Information Security Program is important? How can I represent my Information Security Program in a dashboard? What elements of my program should I measure and report on? What must happen with the output?
2. Our on-going challenge
Identifying success and measuring performance is difficult within the information security program
• Security Managers lack an effective way to monitor current state and track improvement within their programs
• Security staff lack guidance on program priorities
• Management and executives need awareness of how the program supports the organization
• Business units do not understand their role in information security
Copyright 2007 – Seccuris Inc.
3. Our on-going challenge
How do we align, manage and communicate our program in an effective manner?
By creating an Information Security Program Dashboard
4. Agenda
• Introduction to dashboards
• The role of the dashboard
• Building a dashboard for your security program
• Using your Dashboard
5. Introduction to Dashboards
What is a dashboard?
• A summary view of relevant performance information
• Visualization of up-to-date Key Performance Indicators (KPIs)
• KPIs are displayed through a collection of Performance Maps
• Can be manual, automated or “digital”
6. Introduction to Dashboards
What isn’t a dashboard?
• Driving your car
• Security Information Management (SIM)
9. Good Example of Dashboard
Security Management Dashboard*
[Figure: example dashboard. Column headings: High-Level Direction, Malicious Attack, Special Topics, Security Organization. Performance maps, each showing a count per stage with a monthly or annual reporting period: Security Committee Approvals for Security Initiatives (Submitted / Reviewed / Approved); E-mail Virus Infections (Identified / Contained / Cleaned); Server Privacy Incidents (Identified / Contained / Investigated / Closed); Intrusion Prevention Signature Updates (Identified / Tested / Approved / Implemented); Remote Office Policy Violations (Low / Med / High); Information Security Policies (Created / Revised / Approved); Security Department Initiatives (Defined / Scheduled / Active / Completed); Incident Response Engagements (Identified / In-progress / Re-opened / Closed); Security Awareness Staff Agreements (N/A / Current / Expired); Security Audits (Defined / Scheduled / Active / Completed).]
11. Introduction to Dashboards
What are the benefits of a dashboard?
• Demonstration of compliance
• Elimination of duplicate data entry / gathering
• Identification of poor performance within the program
• Measurement of current action plans and implementations
• Immediate awareness and alerting
• Supporting information for the IT Security Scorecard
12. The role of the dashboard?
Where does the dashboard fit in organizational management?
[Figure: where the dashboard sits in organizational management, alongside Security Information Management.]
13. The role of the dashboard?
[Figure: the dashboard's place in the management hierarchy. The Information Security Policy and the Information Security Balanced Scorecard (aspects: Security Management, Critical Business Applications, Computer Installations, Networks, System Development) feed the Security Management Dashboard*, whose areas are High-Level Direction, Security Organization, Security Requirements, Secure Environment, Malicious Attack, Special Topics, Management Review and Risk Acceptances.]
*Includes KPIs from each aspect of Security Management
14. The role of the dashboard?
What is the intended audience for an Information Security dashboard?
• Primary
  • CISO
  • Information Security Manager
  • Information Security Staff
• Secondary
  • Accountable Business Unit Management
  • Business Executive
  • Audit
15. The role of the dashboard?
The dashboard allows us to:
• Visualize the focus areas for our program
• Facilitate awareness of the organization's accountability within the security program
• Create a distinction between failure of the program and failure of the security department
16. Building a security dashboard
What are the components of a dashboard?
• Performance Maps
• Business Logic
• Visualization Rules
• Data Sources
• Critical Success Factors (CSF)
• Key Performance Indicators (KPI)
17. Building a security dashboard
What are the components of a dashboard?
Security Management Dashboard*
[Figure: the example dashboard annotated with its components. Dashboard areas: High-Level Direction, Security Organization, Security Requirements, Secure Environment, Malicious Attack, Special Topics, Management Review, Risk Acceptances. Performance maps shown, each reported annually with a count per stage: Security Committee Approvals for Security Initiatives and Board Level Approvals for Security Initiatives (Submitted / Reviewed / Approved); Information Security Policies (Created / Revised / Approved); Security Department Initiatives (Defined / Scheduled / Active / Completed); Security Awareness Staff Agreements (N/A / Current / Expired) and Security Awareness Initiatives (Defined / Scheduled / Active / Completed).]
*Includes KPIs from each aspect of Security Management
18. Building a security dashboard
The inputs & data sources of a dashboard
[Figure: inputs and data sources feeding the Security Management Dashboard*: Information Security Gap Analysis, Information Security Policy, Information Security Balanced Scorecard (aspects: Security Management, Critical Business Applications, Computer Installations, Networks, System Development), Information Security Action Plan and Information Security Action Plan Status Report.]
*Includes KPIs from each aspect of Security Management
19. Building a security dashboard
The inputs & data sources of a dashboard
Information Security Balanced Scorecard
(Scorecard aspects shown: Security Management, Critical Business Applications, Computer Installations, Networks, System Development.)
• Defines the goals of the program
• Challenging to start due to limited access to true corporate business drivers
• Often difficult to separate into manageable, visual pieces
• How do we define CSFs for our program?
20. Building a security dashboard
The inputs & data sources of a dashboard
Information Security Balanced Scorecard
Information Security Forum
• 16+ years in the making
• Industry recognized
• Management focused
• Primary source for CSFs
21. Building a security dashboard
The inputs & data sources of a dashboard
Information Security Policy
• Mapped to Business Drivers
• Influenced by compliance & legislation
• Based on Best Practices
• Primary source of relevant KPIs
Example Policy:
All security incidents relating to critical business functions must be investigated and documented.
Example KPI:
Number of Identified, In-Progress, Re-opened and Closed Incident Response Engagements.
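As an added example, not code from the talk or from Seccuris, here is how the KPI above can be derived from incident-response records and wrapped in the business logic and visualization rules that slide 16 lists as dashboard components. The record layout, the sample engagements and the red/amber/green thresholds are constructed assumptions for illustration; the policy check that critical engagements were documented is likewise an assumed rule, added because a bare count cannot show it.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample records, not data from the slides: one row per
# incident response engagement as a ticketing system might export it.
@dataclass(frozen=True)
class Engagement:
    ident: str
    state: str        # one of KPI_STATES
    critical: bool    # relates to a critical business function (policy scope)
    documented: bool  # an investigation write-up exists

KPI_STATES = ("Identified", "In-Progress", "Re-opened", "Closed")

SAMPLE = [
    Engagement("IR-001", "Closed", critical=True, documented=True),
    Engagement("IR-002", "In-Progress", critical=True, documented=False),
    Engagement("IR-003", "Identified", critical=False, documented=False),
    Engagement("IR-004", "Re-opened", critical=True, documented=True),
    Engagement("IR-005", "Closed", critical=True, documented=False),
    Engagement("IR-006", "Closed", critical=False, documented=True),
]


def kpi_counts(engagements, critical_only=True):
    """The slide-21 KPI: number of engagements in each of the four states.

    critical_only restricts the count to the policy's scope (critical
    business functions); the unrestricted count is useful for context.
    """
    in_scope = [e for e in engagements if e.critical or not critical_only]
    by_state = Counter(e.state for e in in_scope)
    unknown = set(by_state) - set(KPI_STATES)
    if unknown:
        raise ValueError(f"unrecognised engagement state(s): {sorted(unknown)}")
    return {state: by_state.get(state, 0) for state in KPI_STATES}


def undocumented_closed(engagements):
    """Assumed policy check behind the KPI: critical engagements closed without a write-up.

    A count alone cannot reveal these, so a dashboard reporting the KPI
    should surface the identifiers alongside it.
    """
    return [e.ident for e in engagements
            if e.critical and e.state == "Closed" and not e.documented]


def visualization_status(counts, max_open=3, max_reopened=0):
    """Assumed visualization rule (thresholds are illustrative, not from the slides).

    red   : more re-opened engagements than max_reopened (the investigation did not stick)
    amber : more open engagements (Identified + In-Progress + Re-opened) than max_open
    green : otherwise
    """
    open_count = counts["Identified"] + counts["In-Progress"] + counts["Re-opened"]
    if counts["Re-opened"] > max_reopened:
        return "red"
    if open_count > max_open:
        return "amber"
    return "green"


if __name__ == "__main__":
    counts = kpi_counts(SAMPLE)
    print("KPI (critical scope):", counts)
    print("status:", visualization_status(counts))
    print("closed without documentation:", undocumented_closed(SAMPLE))
```

The split between `kpi_counts` (data source and KPI), `visualization_status` (business logic and visualization rule) and `undocumented_closed` (policy conformance) mirrors the component list on slide 16, so each piece can be swapped independently when the policy or the thresholds change.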
22. Building a security dashboard
The inputs & data sources of a dashboard
Information Security Gap Analysis
SABSA
• Business driven approach
• True architecture focus
• Aligns with any best practice
• Good source of relevant KPIs
23. Building a security dashboard
The inputs & data sources of a dashboard
Information Security Action Plan
• Details security program improvements
• Highlights what KPIs should be monitored
• Specifies CSF and KPI target goals
• Good source of relevant KPIs
24. Building a security dashboard
The inputs & data sources of a dashboard
[Figure: the same inputs-and-data-sources diagram as slide 18: Information Security Gap Analysis, Information Security Policy, Information Security Balanced Scorecard, Information Security Action Plan and Information Security Action Plan Status Report feeding the Security Management Dashboard*.]
*Includes KPIs from each aspect of Security Management
25. Building a security dashboard
Steps to define the dashboard
• Perform an Information Security Program Gap analysis
• Confirm the CSFs for the security program
• Choose and align relevant KPIs for the dashboard
• Define business logic & visualization rules
26. Building a security dashboard
Performing the Information Security Gap analysis
27. Building a security dashboard
Performing the Information Security Gap analysis
Maturity Goals:
0 – Non-Existent
1 – Initial
2 – Repeatable
3 – Defined
4 – Managed
5 – Optimized
Legend (per Architecture Area): Current State, Required Goal, Good Practice
28. Building a security dashboard
Information Security Program Gap Analysis
Columns: Assets (What) | Motivation (Why) | Process (How) | People (Who) | Location (Where) | Time (When)
Contextual: The Business | Business Risk Model | Business Process Model | Business Organization and Relationships | Business Geography | Business Time Dependencies
Conceptual: Business Attributes Profile | Control Objectives | Security Strategies and Architectural Layering | Security Entity Model and Trust Framework | Security Domain Model | Security-Related Lifetimes and Deadlines
Logical: Business Information Model | Security Policies | Security Services | Entity Schema and Privilege Profiles | Security Domain Definitions and Associations | Security Processing Cycle
Physical: Business Data Model | Security Rules, Practices and Procedures | Security Mechanisms | Users, Applications and the User Interface | Platform and Network Infrastructure | Control Structure Execution
Component: Detailed Data Structures | Security Standards | Security Products and Tools | Identities, Functions, Actions and ACLs | Processes, Nodes, Addresses and Protocols | Security Step Timing and Sequencing
Operational: Assurance of Operational Continuity | Operational Risk Management | Security Service Management and Support | Application and User Management Support | Security of Sites, Networks and Platforms | Security Operations Schedule
[In the figure each cell carries one maturity score on the 0–5 scale of the slide-27 legend.]
29. Building a security dashboard
Information Security Program Gap Analysis
[Figure: the SABSA matrix from slide 28 (same layers and columns), with each cell now showing two of the legend's maturity scores.]
30. Building a security dashboard
Performing the Information Security Gap analysis
Maturity Goals:
0 – Non-Existent
1 – Initial
2 – Repeatable
3 – Defined
4 – Managed
5 – Optimized
Legend (per Architecture Area): Current State, Required Goal, Good Practice
Status of an area against its goal: Above Requirement, Meets Requirement, Below Requirement, Critically Below Requirement
31. Building a security dashboard
Information Security Program Gap Analysis
[Figure: the SABSA matrix from slide 28 (same layers and columns), with each cell now showing three maturity scores, the Current State, Required Goal and Good Practice values of the slide-27 legend.]
32. Building a security dashboard
Performing an Information Security Program Gap analysis
• Completion will highlight areas of your overall security program that are:
  • Non-existent
  • Weak / Requiring Improvement
  • Over-invested
  • Meeting the target
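The status legend on slide 30 and the four findings above can be turned into a small classifier that runs over the scored matrix. This is an added example, not material from the talk or from Seccuris: the cell names are SABSA matrix cells shown on the earlier slides, the scores are constructed, and the two-level gap used as the threshold for "critically below" is an assumption (the slides do not define it). The check that a required goal exceeds good practice is also an assumed heuristic for spotting goals worth re-confirming.

```python
from dataclasses import dataclass

# Maturity scale from the slide-27 legend.
MATURITY = {0: "Non-Existent", 1: "Initial", 2: "Repeatable",
            3: "Defined", 4: "Managed", 5: "Optimized"}

# Assumption: a cell is "critically" below requirement when the current
# state trails the required goal by this many maturity levels or more.
CRITICAL_GAP = 2


@dataclass(frozen=True)
class Cell:
    layer: str          # SABSA layer (matrix row)
    column: str         # Assets, Motivation, Process, People, Location or Time
    name: str           # architecture area
    current: int        # Current State
    required: int       # Required Goal
    good_practice: int  # Good Practice


# Constructed scores for a handful of architecture areas (names from the
# SABSA matrix on the slides, numbers invented for illustration).
SAMPLE = [
    Cell("Contextual", "Assets", "The Business", 3, 4, 4),
    Cell("Contextual", "Location", "Business Geography", 5, 5, 4),
    Cell("Logical", "People", "Entity Schema and Privilege Profiles", 1, 4, 3),
    Cell("Physical", "Motivation", "Security Rules, Practices and Procedures", 4, 3, 3),
    Cell("Operational", "Assets", "Assurance of Operational Continuity", 0, 3, 3),
]


def validate(cell):
    """Reject scores outside the 0-5 maturity scale before they reach the dashboard."""
    for value in (cell.current, cell.required, cell.good_practice):
        if value not in MATURITY:
            raise ValueError(f"{cell.name}: maturity {value} is outside 0-5")


def classify(current, required, critical_gap=CRITICAL_GAP):
    """Slide-30 legend status for one cell, from its current and required scores."""
    gap = required - current
    if gap < 0:
        return "Above Requirement"
    if gap == 0:
        return "Meets Requirement"
    if gap < critical_gap:
        return "Below Requirement"
    return "Critically Below Requirement"


def summarize(cells):
    """Slide-32 outcome: group cells into the four findings a completed analysis highlights."""
    groups = {"Non-existent": [], "Weak / Requiring Improvement": [],
              "Over-invested": [], "Meeting the target": []}
    for cell in cells:
        validate(cell)
        status = classify(cell.current, cell.required)
        if cell.current == 0:
            groups["Non-existent"].append(cell.name)
        elif status.endswith("Below Requirement"):
            groups["Weak / Requiring Improvement"].append(cell.name)
        elif status == "Above Requirement":
            groups["Over-invested"].append(cell.name)
        else:
            groups["Meeting the target"].append(cell.name)
    return groups


def investment_order(cells):
    """Cells that trail their required goal, largest gap first (ties keep input order)."""
    behind = [c for c in cells if c.required > c.current]
    return [c.name for c in sorted(behind, key=lambda c: c.required - c.current, reverse=True)]


def goal_above_good_practice(cells):
    """Assumed heuristic: goals set above good practice deserve re-confirmation (slide 38)."""
    return [c.name for c in cells if c.required > c.good_practice]


if __name__ == "__main__":
    for heading, names in summarize(SAMPLE).items():
        print(f"{heading}: {names}")
    print("invest first:", investment_order(SAMPLE))
    print("goals above good practice:", goal_above_good_practice(SAMPLE))
```

The classification is deliberately separate from the grouping so the legend thresholds can be tuned per program without touching how the findings are reported.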
33. Building a security dashboard
Performing an Information Security Program Gap analysis
• Use this information to:
  • Identify gaps in your information security policy
  • Create action plans and improvement projects
  • Confirm goals & CSFs by ensuring areas that need investment have been appropriately defined at the strategic level
  • Select KPIs that will allow you to monitor focus areas of your program
34. Building a security dashboard
Steps to define the dashboard
• Perform an Information Security Program Gap analysis
• Confirm the Goals & CSFs for the security program
  • Use the Gap Analysis to identify potential CSF misalignment
  • Review Information Security Program Components
• Choose and align relevant KPIs for the dashboard
• Define business logic & visualization rules
35. Building a security dashboard
Where does the dashboard fit in organizational management?
36. Building a security dashboard
Information Security Program Gap Analysis
[Figure: a subset of the gap-analysis matrix with their maturity scores, highlighting these cells: Business Risk Model; Business Geography; Business Time Dependencies; Security-Related Lifetimes and Deadlines; Security Processing Cycle; Business Data Model; Security Rules, Practices and Procedures; Users, Applications and the User Interface; Control Structure Execution; Detailed Data Structures; Security Standards; Security Products and Tools; Processes, Nodes, Addresses and Protocols; Security Step Timing and Sequencing; Assurance of Operational Continuity; Operational Risk Management; Security of Sites, Networks and Platforms; Security Operations Schedule.]
37. Building a security dashboard
Steps to define the dashboard
• Perform an Information Security Program Gap analysis
• Confirm the Goals & CSFs for the security program
  • Use the Gap Analysis to identify potential CSF misalignment
  • Review Information Security Program Components
• Choose and align relevant KPIs for the dashboard
• Define business logic & visualization rules
38. Building a security dashboard
Confirm the Goals & CSFs for the security program
• Review current security plan documentation
  • Does the Gap analysis output align with the Security Program Scorecard?
  • Are there weaknesses that must be improved on?
• Change Security Program documentation to include new goals and CSFs
39. Building a security dashboard
Steps to define the dashboard
• Perform an Information Security Program Gap analysis
• Confirm the Goals & CSFs for the security program
• Choose and align relevant KPIs for the dashboard
• Define business logic & visualization rules
40. Building a security dashboard
Choose and align relevant KPIs for the dashboard
• Brainstorm using the current security program as a starting point
• Review the Gap Analysis for potential new KPIs
• Review “good practices” for relevant indicators
• Choose KPIs that help influence your goals and visualize your CSFs
41. Using Standards to pick KPIs
[Figure: the five aspects from the Information Security Forum standard, as shown on the Balanced Scorecard slides: Security Management, Critical Business Applications, Computer Installations, Networks, System Development.]