
Information Security Metrics How BCBSMN has made them work (or not) for us

Information Security Metrics How BCBSMN has made them work (or not) for us. March 24, 2009 Steve Jensen Chief Information Security Officer Blue Cross Blue Shield of Minnesota. Agenda. Why measure? What questions are we trying to answer? How do we gather the information?


Presentation Transcript


  1. Information Security Metrics: How BCBSMN has made them work (or not) for us. March 24, 2009. Steve Jensen, Chief Information Security Officer, Blue Cross Blue Shield of Minnesota

  2. Agenda • Why measure? • What questions are we trying to answer? • How do we gather the information? • Who is the audience and how do we present it? • What lessons have we learned?

  3. Metrics 101 What are Metrics? Textbook Definition Metrics are a management tool designed to facilitate decision-making and improve performance and accountability through the collection, analysis, and reporting of relevant performance-related data. A metric is simply a standard or system of measurement. My Take on it A way for you to have insight into the success (or failure) of your security program. It must either give you insight to drive your decision making, or help to sell/justify your program. If it doesn’t do either, then question why you measure it.

  4. Of course, there are other reasons… • Regulatory Compliance – although not always explicitly stated in regulations, you can’t effectively operate a security program without measuring it. Besides – FUD never worked… • Executive Management Awareness – you need to be able to translate the technical IT gibberish into what executives really care about: what cost am I avoiding, or what revenue am I getting? • Trending for Information Security Operations – more for you to make decisions and understand the impacts of business choices • Developing Baselines to understand where our information security posture is currently – especially helpful in setting and measuring bonus and performance criteria • Helps to define “Secure” – when does security meet the overinvestment curve? • Helps to define “holes” or an “information security strategy” – fix what needs fixing, and prioritize your work

  5. What questions are we trying to answer • How secure are we anyway? • What are our priorities? • How efficient are we in delivering our service? • Are we trending in the right direction? • When do we see a diminishing rate of return, if any? • How do we add value?

  6. Example - Risk dashboard approach

  7. Must be able to quantify risks Compliance Fines Brand Erosion Loss of Customer Confidence Litigation

  8. Another Example CEO inquiry: What impact is economy having on your team?

  9. Why were they asking?

  10. Blue Cross Blue Shield of Minnesota Economic Impact Analysis

  11. Another example CIO Inquiry Are we spending too much or too little on security? Where do we compare to industry norms?

  12. Benchmark Assessment Process • Optimal Industry Benchmarks: • Industry • Department of Defense – x.x • Financial Institutions – x.x • Healthcare (provider) – x.x • Insurance – x.x • Blue Cross Blue Shield of Minnesota • BCBS MN established goal – x.x • BCBS MN 2006 attainment – x.x • BCBS MN 2008 estimate – x.x

  13. What are some of the things we measure?

  14. How do we gather the information • Most products come with dashboards that are not fully used – use them! • Qualys • IDS • Arcsight • Websense • Etc. • Plain old bean counting – only if data is utilized and has integrity • Build in metrics in system design when developing or fixing broken business processes as part of requirements • Request system • Role management • Risk management
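The slide's point that hand-counted ("bean counting") metrics are only worth reporting if the data has integrity, together with the earlier question of whether we are trending in the right direction, can be shown concretely. The following is an added example and is not code from the deck or from BCBSMN: it takes constructed vulnerability-scanner findings (not Qualys output or BCBS data), rejects rows that fail basic integrity checks before anything is counted, and computes open-by-severity, overdue count, SLA-met percentage and mean time to remediate at two month-ends so the trend is visible. The SLA values, field names and findings are all assumptions made for the example.

```python
"""Added example: integrity-gated vulnerability-management metrics with a month-over-month trend.
All data, field names and SLA values below are constructed assumptions, not BCBS or Qualys data."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

# Assumed remediation SLAs in days per severity label.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    first_seen: date
    fixed: Optional[date]  # None while the finding is still open


# Constructed scanner export. The last four rows are deliberately broken to show the integrity gate.
FINDINGS = [
    Finding("web01", "critical", date(2009, 1, 5), date(2009, 1, 20)),   # fixed in 15 days, within SLA
    Finding("web02", "critical", date(2009, 1, 10), date(2009, 2, 25)),  # fixed in 46 days, SLA breached
    Finding("db01", "high", date(2009, 1, 15), None),                    # still open
    Finding("db02", "medium", date(2009, 2, 2), date(2009, 3, 1)),       # fixed in 27 days
    Finding("app01", "high", date(2009, 2, 20), None),                   # open, not yet due
    Finding("app02", "critical", date(2009, 3, 3), None),                # open, not yet due
    Finding("bad01", "urgent", date(2009, 2, 1), None),                  # severity label not in SLA table
    Finding("bad02", "high", date(2009, 3, 10), date(2009, 3, 1)),       # fixed before it was first seen
    Finding("", "medium", date(2009, 1, 1), None),                       # no host: cannot be assigned
    Finding("fut01", "high", date(2009, 5, 1), None),                    # dated after the report date
]


def validate(findings, as_of):
    """Split findings into usable rows and rejected rows with a reason. Counting only starts on clean data."""
    clean, rejected = [], []
    for f in findings:
        if not f.host:
            rejected.append((f, "missing host"))
        elif f.severity not in SLA_DAYS:
            rejected.append((f, f"unknown severity {f.severity!r}"))
        elif f.first_seen > as_of:
            rejected.append((f, "first_seen is after the report date"))
        elif f.fixed is not None and f.fixed < f.first_seen:
            rejected.append((f, "fixed before first_seen"))
        else:
            clean.append(f)
    return clean, rejected


def deadline(f):
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity])


def metrics(findings, as_of):
    """Scorecard numbers for one reporting date. 'Due' means the SLA deadline has already passed."""
    is_open = [f for f in findings if f.first_seen <= as_of and (f.fixed is None or f.fixed > as_of)]
    overdue = [f for f in is_open if deadline(f) < as_of]
    due = [f for f in findings if deadline(f) < as_of]
    met = [f for f in due if f.fixed is not None and f.fixed <= deadline(f)]
    closed = [f for f in findings if f.fixed is not None and f.fixed <= as_of]
    return {
        "as_of": as_of.isoformat(),
        "open_by_severity": dict(Counter(f.severity for f in is_open)),
        "overdue": len(overdue),
        "sla_due": len(due),
        "sla_met_pct": round(100 * len(met) / len(due), 1) if due else None,
        "mttr_days": round(mean((f.fixed - f.first_seen).days for f in closed), 1) if closed else None,
    }


def trend(findings, month_ends):
    """One scorecard row per month-end, so the direction of travel is visible rather than a single snapshot."""
    return [metrics(findings, d) for d in month_ends]


def sla_direction(rows):
    """Compare the last two SLA-met percentages: the 'are we trending the right way' question."""
    prev, last = rows[-2]["sla_met_pct"], rows[-1]["sla_met_pct"]
    if prev is None or last is None or prev == last:
        return "flat"
    return "improving" if last > prev else "worsening"


if __name__ == "__main__":
    report_date = date(2009, 3, 31)
    clean, rejected = validate(FINDINGS, report_date)
    for f, reason in rejected:
        print(f"rejected {f.host or '<no host>'}: {reason}")
    rows = trend(clean, [date(2009, 2, 28), report_date])
    for row in rows:
        print(row)
    print("SLA compliance is", sla_direction(rows))
```

Rejected rows are printed rather than silently dropped; a metric that quietly excludes a tenth of the scanner output is exactly the kind that loses credibility with the audience the later slides describe.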

  15. How do we present the metrics? • Rule #1 – know your audience! • Technology areas – technical reports/gap analysis/details • Monthly “state of security” report • Chief Information Officer • Chief Privacy Officer • VP Audit and Risk Management • Ad-hoc reporting and extracts • CEO/CFO and directs • Board

  16. Lessons Learned • Not a one-time process – needs constant honing • Don’t fall in love with a metric that isn’t providing you value – be willing to toss and replace it • You don’t always have to report every metric every month – rotate the story • Use your metrics as a management team to drive decisions. Don’t just measure for measurement’s sake • Metrics and measurements should tell the story without the reader having to read too much into them. They should be transparent.

  17. Mocked Data – Examples of Metrics. This data does NOT reflect BCBS and is an example only for discussion. Monthly Scorecard

  18. Mocked Data – Identity and Access Management. This data does NOT reflect BCBS and is an example only for discussion.

  19. Mocked Data – Threat and Vulnerability Management. This data does NOT reflect BCBS and is an example only for discussion.

  20. Mocked Data – Governance, Risk, and Compliance. This data does NOT reflect BCBS and is an example only for discussion.

  21. Questions?

  22. Appendix

  23. Common Framework

  24. Identity and Access Management Framework

  25. Threat and Vulnerability Management Framework

  26. Governance, Risk and Compliance Framework
