Agenda
Benchmark overview
Definitions, benefits, RedSiren and other approaches
Survey instrument, control areas, and historical database
Scoring guidelines and scoring assignments
Benchmark results presentation (comparison figures)
Use of benchmark results for planning
Analysis of historical data
Questions we are always asked
ISSA Health Check Benchmark exercise
1. Information Security Benchmarking
3. Benchmarking Definition
The benchmarking tool is a quantitative means of measuring the level of security within an organization
Used to compare an organization’s level of security:
With other similar organizations
Against a baseline of due care
In terms of past evaluations
Used for reporting to management and as a planning guide
4. Other Benchmark Approaches
The Center for Internet Security—Configuration benchmarks; detailed technical best practices; “HOW” to implement requirements; scoring tool; developed by teams via the CIS—http://www.cisecurity.org/
US National Institute of Standards and Technology—Checklists forming a framework for security settings and deployment; standard templates; user comparisons against checklists; NIST provides process and repository; http://csrc.nist.gov/pcig/cig.html
The Benchmarking Network—Resource for benchmarking training and research; broad scope of focus areas; benchmark studies to identify best practices; http://www.benchmarkingnetwork.com/
Information Security Forum—Benchmarking tool available to ISF members; survey questions map corporate activities to the ISF Standard of Good Practice; extensive set of questions; correlation analysis between good information security practices and a reduction in incidents; http://www.securityforum.org/html/bench.htm
Human Firewall—Free surveys covering security awareness and security management practices (based on ISO 17799 areas); http://www.humanfirewall.org/
5. Key Aspects of RedSiren’s Benchmarking Approach
Quantitative: For an issue inherently non-quantitative
Survey instrument: Up to ~400 questions (control measures)
Self-administered: Using consistent scoring guidelines
Comparisons: Absolute (due care) & relative (other organizations)
Database: Previous benchmarks of similar organizations
Configurations: ISO17799, GLBA, HIPAA, SOX
Results: Management-oriented and implementation-oriented
6. Benchmark Benefits
Results are management oriented:
Quantitative
Succinct
Comparative with others
Process facilitates understanding and communications
Natural means for planning (strategic and tactical) and monitoring security projects
7. RedSiren Benchmark Overall Approach
8. Benchmark Survey Instrument
Questions are designed to elicit quantitative estimates, as shown in the following examples
A. POLICIES AND AWARENESS
A.01 Information security policy standards and guidelines
A.01.01 Develop and promulgate an entity-wide information security policy
0—1—2—3—4—5—6—7—8—9—10 N/A Unk
A.01.02 Develop and issue standards and guidelines to support the information security policy for all major platforms and applications (including mainframes, networks, management and administration, UNIX, NT, Novell, etc.)
0—1—2—3—4—5—6—7—8—9—10 N/A Unk
A.01.03 Implement and promote a data confidentiality policy based on “need-to-know” or “need-to-withhold”
0—1—2—3—4—5—6—7—8—9—10 N/A Unk
9. Benchmark Survey Instrument
Legacy organization—19 areas
Reconfiguration of original survey instrument questions to match other widely accepted security standards
ISO 17799
HIPAA
GLBA
Special security areas developed for specific scope concerns
E-Commerce
Wireless
Process Control
10. Control Areas
11. Legacy Benchmark Control Areas
Policies & Awareness
Organizational Roles & Responsibilities
Authorizations, Agreements, & Contracts
IS Audits, Reviews & Risk Assessments
Physical Security
WAN, Backbone, & External Network Security
LAN, Client/Server, & Intranet Security
User Identification & Authentication
Computer & Network Systems Security
Security Audit Logs & Monitoring
Protection From Malicious Software
Backup & Recovery
Configuration & Software Management
System Development
IT Operations
Voice System Security
Workstation Security
Electronic Commerce
Outsourcing
12. Benchmark Database and Project Statistics
Historical
25-35% financial (banks, brokerage, credit unions, insurance, S&Ls)
10-20% petroleum
10-15% manufacturing
3-10% computer service, digital enterprise, entertainment, government/utilities, medical, pharmaceutical, R&D, telecommunications, transportation
Industry focused—airlines, banks, chemical, entertainment, petroleum
Current
On-going update
Based on:
Single organization benchmark projects (~50-70%)
Task of larger security projects (20-40%)
Industry focused (~10-20%)
Number per year varies (5-20+)
13. Scoring
Scoring is based on a scale of 0 to 10
0 is defined as no control in the area
5 is defined as baseline level of control
10 is defined as highest level (possibly excessive) control
A score below 5 – An auditor would have a finding
A score of 5 or above – An auditor might have suggestions for improvements but no major findings
Scoring concept
“Do you have the control in question?”
NO—“How well is the control in question implemented?”
YES—“What is the quality and how extensive throughout the enterprise is the control in question?”
Scoring guidelines developed for consistency
General
Specific to individual questions
Scoring Guidelines
14. Illustrative Scoring Example
Use of door locks on interior areas housing sensitive IT equipment or stored information
15. Scoring Assignments
17. Benchmark Scores in ISO 17799 Configuration
18. Benchmark Scores in GLBA Configuration
19. Benchmark Scores in HIPAA Configuration
20. Example Gap Analysis for Critical Areas
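Added example (not RedSiren's tool or code from the deck): applying the scoring rules from slide 13 and the gap analysis idea from slide 20 to a constructed set of survey responses. It assumes the question-id prefix (A, E, K) identifies the control area, that N/A and Unk answers are left out of the average, and that the peer database is a hypothetical dictionary of per-area averages.

```python
"""Scoring and gap analysis for a 0-10 benchmark survey (added example)."""
from statistics import mean

BASELINE = 5  # slide 13: 5 is the baseline level of control (due care)

# Constructed sample responses: (question id, score). Scores are 0-10,
# "N/A" (not applicable) or "Unk" (unknown), as on the survey instrument.
SAMPLE_RESPONSES = [
    ("A.01.01", 7), ("A.01.02", 4), ("A.01.03", "Unk"),
    ("E.02.01", 3), ("E.02.02", 2), ("E.03.01", "N/A"),
    ("K.01.01", 9), ("K.01.02", 8),
]

# Assumed mapping of id prefix to control area (hypothetical letters).
AREA_NAMES = {"A": "Policies & Awareness", "E": "Physical Security",
              "K": "Protection From Malicious Software"}


def area_scores(responses):
    """Average the numeric scores per control area. N/A and Unk answers are
    excluded from the average but counted so coverage can be reported."""
    areas = {}
    for qid, score in responses:
        d = areas.setdefault(qid.split(".")[0], {"scores": [], "na": 0, "unk": 0})
        if score == "N/A":
            d["na"] += 1
        elif score == "Unk":
            d["unk"] += 1
        else:
            d["scores"].append(score)
    return {a: {"score": round(mean(d["scores"]), 1) if d["scores"] else None,
                "answered": len(d["scores"]), "na": d["na"], "unk": d["unk"]}
            for a, d in areas.items()}


def gap_analysis(scores, baseline=BASELINE, peers=None):
    """Gap of each area against the due-care baseline (a score below 5 is an
    auditor finding) and, when a peer database is given, against peers.
    Areas are returned worst gap first so critical areas come out on top."""
    report = []
    for area, d in scores.items():
        if d["score"] is None:  # nothing answered numerically: no score
            continue
        entry = {"area": AREA_NAMES.get(area, area), "score": d["score"],
                 "gap_to_baseline": round(d["score"] - baseline, 1),
                 "finding": d["score"] < baseline}
        if peers and area in peers:
            entry["gap_to_peers"] = round(d["score"] - peers[area], 1)
        report.append(entry)
    return sorted(report, key=lambda e: e["gap_to_baseline"])
```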
21. Benchmark Planning Model
23. Analysis of Historical Benchmark Data
Most Important Control Areas
Policy and Awareness
Organizational Roles and Responsibilities
IS Audits, Reviews, and Risk Assessments
Backup and Recovery
User Identification and Authentication
BUT
Importance varies by organization
AND
Security should be driven by organization goals, objectives, and culture
26. Analysis of Historical Benchmark Data
Strongest Control Areas
Voice Systems Security
E-Commerce Security Controls
Physical Security
Backup and Recovery
IT Operations
Weakest Control Areas
Workstation Security
IS Audits, Reviews, and Risk Assessments
Organizational Roles and Responsibilities
Policy and Awareness
LAN, Client/Server, and Intranet Security
27. Questions we are always asked
Can we be compared to our direct peers—only those organizations in our industry?
Yes and no
Financial organizations
Special industry-based benchmarks
How do you ensure meaningful scores and avoid bias?
Scoring guidelines
Training
Law of large numbers—number of questions, number of scorers
Who should do the scoring in our organization?
See scoring assignment tool
28. ISSA Health Check Benchmark
3 control areas
Privacy and Confidentiality
Business Process Risk—Checks and Balances
Technical Infrastructure
15 security questions
Scoring level 1-5
1 Nothing
2 Weak
3 Marginal
4 Sound
5 Best of class
Survey instrument with check boxes for scores
Scoring guidelines for each of the five levels
Fill out the survey instrument (scores, organization, and e-mail address)
We will compile data and present results
Aggregate scores only, no attribution to a specific organization