Practical Network Security: Course Contents | ALC Training News
1. Introduction
- Your tutor and classmates
- The purpose of information security metrics – what they are for
- The demand for information security metrics, in particular the business drivers
2. Audiences for information security metrics
- Both within and beyond the organisation
- Who needs the measurements?
- What do they need them for?
3. Types of information security metrics
- Different types for different purposes
- Strategic, tactical and operational management levels
- Quantitative and qualitative metrics – complementary rather than alternatives
4. Sources of metrics
- Where to look for metrics – sources of inspiration such as standards, methods and books
- Adapting and improving existing metrics
- How to design and develop custom metrics to satisfy your organisation’s unique measurement needs
5. Using the GQM method
- Determine the organisation’s business Goals relating to information risk, security, privacy, compliance etc.
- Pose actual and rhetorical Questions relating to achievement of the goals
- Derive Metrics to answer those questions
6. Metametrics (metrics about metrics)
- A pragmatic approach to characterise, score, evaluate, shortlist and ultimately improve the value delivered by information risk and security metrics
- Systematically assess and score possible metrics using the P.R.A.G.M.A.T.I.C. method
  - Predictive – good metrics tell you something useful about the future
  - Relevant – to the organisation and its information risks and security controls
  - Actionable – it should be obvious what to change to improve a bad metric
  - Genuine – difficult to fake or game the system
  - Meaningful – informs and resonates with the intended audience(s)
  - Accurate – sufficient precision for proportional control
  - Timely – available when needed to make decisions and act
  - Independently verifiable – fact/data-based, not purely subjective
  - Cost-effective – a metric must save or deliver more value than it costs
7. The metrics lifecycle
- Metrics management, from cradle to grave
- Metrics maturity – systematically reviewing and improving metrics
8. An information security measurement system
- Designing a coherent ‘system’ for measuring various aspects of information security
- Taking a broader perspective on the data, analysis, presentation and use of metrics
- Metrics as an essential, integral component of an information security management system (e.g. ISO/IEC 27001, NIST CSF, CIS …), and of corporate management as a whole
9. Conclusion
- Summing up
- Reflect on take-home messages
- Action plans, putting the learning to work