Practical Network Security: Course Contents | ALC Training News

1. Introduction
  • Your tutor and classmates
  • The purpose of information security metrics – what they are for
  • The demand for information security metrics, in particular the business drivers
2. Audiences for information security metrics
  • Both within and beyond the organisation
  • Who needs the measurements?
  • What do they need them for?
3. Types of information security metrics
  • Different types for different purposes
  • Strategic, tactical and operational management levels
  • Quantitative and qualitative metrics – complementary rather than alternatives
4. Sources of metrics
  • Where to look for metrics – sources of inspiration such as standards, methods and books
  • Adapting and improving existing metrics
  • How to design and develop custom metrics to satisfy your organisation’s unique measurement needs
5. Using the GQM method
  • Determine the organisation’s business Goals relating to information risk, security, privacy, compliance etc.
  • Pose actual and rhetorical Questions relating to achievement of the goals
  • Derive Metrics to answer those questions
6. Metametrics (metrics about metrics)
  • A pragmatic approach to characterise, score, evaluate, shortlist and ultimately improve the value delivered by information risk and security metrics
  • Systematically assess and score possible metrics using the P.R.A.G.M.A.T.I.C. method
    • Predictive – good metrics tell you something useful about the future
    • Relevant – to the organisation and its information risks and security controls
    • Actionable – it should be obvious what to change to improve a bad metric
    • Genuine – difficult to fake or game the system
    • Meaningful – informs and resonates with the intended audience(s)
    • Accurate – sufficient precision for proportional control
    • Timely – available when needed to make decisions and act
    • Independently verifiable – fact/data-based, not purely subjective
    • Cost-effective – a metric must save or deliver more value than it costs
7. The metrics lifecycle
  • Metrics management, from cradle-to-grave
  • Metrics maturity – systematically reviewing and improving metrics
8. An information security measurement system
  • Designing a coherent ‘system’ for measuring various aspects of information security
  • Taking a broader perspective on the data, analysis, presentation and use of metrics
  • Metrics as an essential, integral component of an information security management system (e.g. ISO/IEC 27001, NIST CSF, CIS …), and of corporate management as a whole
9. Conclusion
  • Summing up
  • Reflect on take-home messages
  • Action plans, putting the learning to work

ALC Training