Effective Operational Security Metrics

Effective Operational Security Metrics Preventsys, Inc. 2131 Palomar Airport Road Suite 200 Carlsbad, CA 92011 USA T: +1 760.268.7800 F: +1 760.476.1011 info@preventsys.com www.preventsys.com P R E V E N T S Y S W H I T E P A P E R E F F E C T I V E OP E R A T I O N A L S E C U R I T Y M E T R I C S
Copyright ©2005. Preventsys, Inc. All Rights Reserved. Preventsys® is a registered trademark of Preventsys, Inc. PolicyLabT, RedAlert Threat IntelligenceT, Preemptive Threat DefenseT, SmartShieldT and SMART EngineT are trademarks of Preventsys, Inc. All other trademarks are the property of their respective owners. All content included in this Document, including trade names or trademarks, service names or service marks, text and graphics (collectively the "Content") and the selection and arrangement thereof, are the sole and exclusive property of Preventsys, Inc. However, subject to the Terms of Use and other written agreements you may have with Preventsys, Inc., you are free to view, copy, print, and distribute the Content as long as: ƒ The Content is used for non-commercial purposes only within your organization in support of Preventsys, Inc. products. ƒ The Content is not distributed in any form to any third party. ƒ The Content is used for information purposes only. ƒ Copies of the Content include all Preventsys, Inc.'s copyright or other proprietary notices. Except as specified above, nothing contained herein shall be construed as conferring by implication, estoppel or otherwise any license or right under any patent, trademark or copyright of Preventsys, Inc. or any third party. This document is subject to change without notice.
CO P Y R I G H T ©2005 PR E V E N T S Y S , IN C . i P R E V E N T S Y S W H I T E P A P E R E F F E C T I V E OP E R A T I O N A L S E C U R I T Y M E T R I C S
TABLE OF CONTENTS
INTRODUCTION..................................................................1 1. VULNERABILITIES ............................................................................... 5 2. CONFIGURATION................................................................................ 6 3. POLICY VIOLATIONS ........................................................................... 7 4. EXPOSURE TO EXTERNAL THREAT ........................................................ 8 5. IT SECURITY RISK ............................................................................... 9 6. REMEDIATION................................................................................... 11
SUMMARY.......................................................................12

CO P Y R I G H T ©2005 PR E V E N T S Y S , IN C . ii P R E V E N T S Y S W H I T E P A P E R E F F E C T I V E OP E R A T I O N A L S E C U R I T Y M E T R I C S
Introduction
Security professionals are constantly being asked to justify every security project. Security risks can often be difficult to measure and even more difficult to understand by people outside the department. The key to demonstrating improvement is to translate security information into business terms. The ability to identify the type, quantity, frequency, audience and presentation of appropriate security metrics can increase the value of a CISO or security professional to the management team. More importantly, metrics provide a mechanism for IT Security Risk management and feed a process towards continuous security improvement. If you manage security through a unified business process you will be able to easily quantify improvements in security and prove risk reduction, create a repeatable practice, and ultimately demonstrate results over time. After all, you can not effectively manage what you can't measure. If you are not yet managing security with measurable operational metrics, you will be soon. There's no escaping the fact that as part of any business, operational security metrics will become mandatory for demonstrating status and progress in this new business climate. In the past, information security has been tactical and reactive as opposed to managed and measured. Due to the changing regulatory environment and the complexity of business today, organizations are facing increased accountability. To follow best practices, organizations must align, manage, and measure security around business opera... [download for more]