In this video, Kip Boyle breaks down targeted measurements in an information security program. Learn where to make information risk measurements in your organization.
- [Instructor] Now it's time to figure out where you will measure your information risks. Talk this decision over with your key stakeholders: your boss, the business owner of the high-value information assets you're protecting, the other people you will report the results to, and anyone else you will request support and resources from to manage the risks you find. Based on your conversations, you'll set the scope of your measurements. Do you want to produce summary scores for the entire organization, or just certain regions or offices, or for a particular line of business, or just a particular information asset, regardless of location?
It's okay for your scope to be a blend of these choices. Once you understand the logical, organizational and geographical boundaries, map out who is responsible for performing the controls you want to measure. Your first step is to figure out which controls are centralized. The answer is determined by looking at the people, processes, technologies and management team which perform the control for the entire organization. A good example is the corporate IT networking team. Next, figure out which controls are distributed.
Once again, the answer is determined by the location of the people, processes, technologies, and management which perform the control only for a specific office or line of business. For example, you may have a desktop support team for the Boston office, but that wouldn't be the same as a support team that operates from Boston but serves the entire organization. Or, maybe you have a hybrid situation where more than one group is involved. An example is when a manager in a remote office approves the creation of a new user account, but the account is actually created by a centralized team in a different part of the organization.
If so, list the groups by name. It's okay to measure the control more than once. In fact, having multiple measurements for the same control can provide you with deeper insights, as we'll discuss later in the course. Whenever you have multiple measurements, just calculate the mean, or simple average, of all the scores for that control. Here's how I did it for two very different organizations using the NIST Cybersecurity Framework. The first was a $2 million nonprofit local agency.
The second was a $1 billion for-profit global enterprise. The nonprofit agency had 25 people working at two operating locations. They hired an outside technology service provider to manage their network routers, servers, e-mail, accounting software, and so forth. And they also used three cloud-based applications. Here's how we measured their information risk. Policy-making controls were centralized with the agency executive management team.
Designating cybersecurity roles and responsibilities among staff, for example, was their responsibility. So we only had to score once for that control. The management of identities was a shared responsibility between the agency staff, the IT service provider, and the three software as a service providers. The management team decided when to create user accounts, and when to shut them off. The outside service providers implemented their decisions. So we scored these controls twice. Data backups were performed by the IT service provider, and the three software as a service providers for their respective areas of responsibility.
So we scored these controls four times. Overall, because of its small size, we measured the entire organization and produced a single scorecard. Let's take a look at the for-profit global enterprise. It had 3,000 people and over 150 operating locations around the world. A single internal IT group managed their network routers, e-mail servers, and related infrastructure. Aside from this small number of centralized IT services, each of the 150 offices was responsible for its own technology.
The company also used many cloud-based infrastructure providers and applications. Here's how we measured their information risk. First, because the central IT organization was relatively small, we treated them as another, separate office. Next, we found that most of the policy-making controls were delegated to the local office management. Designating cybersecurity roles and responsibilities for local staff, for example, was their responsibility. So for this control, we had one score to collect from each office.
A minority of the controls, such as management of identities, was a shared responsibility between the local office staff, the central IT staff, and the cloud service providers. The local management teams decided when to create each user account, and when to shut them off. The central IT team and outside service providers implemented their decisions. But directly measuring the outside service providers was too complex and time consuming to undertake as part of this risk management effort.
So we collected scores only from the inside experts at each office. The majority of the controls were entirely in the hands of the local offices. So we produced a scorecard for each office, over 150 in all.
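The roll-up described in this lesson, as an added example that is not part of the course or the instructor's material: each measurement is recorded against the scope it belongs to (a single organization-wide scope for the small agency, one scope per office for the enterprise), the control it measures, and the group that performs it. A control measured by several groups gets the simple mean of its scores, a control that an expected list says should be measured but has no score is reported as a gap rather than silently scored, and the per-scope means can be averaged again into an organization-wide summary. The control names, group names, 0-4 score range and all score values below are constructed for illustration.

```python
"""Roll up information-risk control measurements into scorecards.

Added example, not from the course. Every measurement is a tuple of
(scope, control, responsible_group, score). Scores use an assumed 0-4
scale; the names and values below are constructed sample data.
"""
from collections import defaultdict
from statistics import mean

# Small agency: measured as a single scope. Identity management is shared
# between management and the IT service provider (two scores); backups are
# performed by the IT provider and three SaaS providers (four scores).
NONPROFIT = [
    ("agency", "roles_and_responsibilities", "executive_management", 3),
    ("agency", "identity_management", "agency_management", 3),
    ("agency", "identity_management", "it_service_provider", 2),
    ("agency", "data_backups", "it_service_provider", 4),
    ("agency", "data_backups", "saas_provider_1", 3),
    ("agency", "data_backups", "saas_provider_2", 2),
    ("agency", "data_backups", "saas_provider_3", 3),
]

# Enterprise: one scope per office, with central IT treated as its own
# office. The Tokyo office has no identity-management score on purpose,
# so the roll-up reports it as a gap.
ENTERPRISE = [
    ("boston", "roles_and_responsibilities", "boston_management", 2),
    ("boston", "identity_management", "boston_staff", 3),
    ("central_it", "roles_and_responsibilities", "central_it_management", 4),
    ("central_it", "identity_management", "central_it_staff", 4),
    ("tokyo", "roles_and_responsibilities", "tokyo_management", 1),
]

SCORE_MIN, SCORE_MAX = 0, 4  # assumed scale


def build_scorecards(measurements, expected_controls):
    """Return ({scope: {control: {"mean", "n", "by_group"}}}, [(scope, control) gaps]).

    A control measured by several groups within one scope is averaged;
    an expected control with no measurement in a scope is listed as a gap.
    """
    grouped = defaultdict(lambda: defaultdict(dict))
    for scope, control, group, score in measurements:
        if not SCORE_MIN <= score <= SCORE_MAX:
            raise ValueError(f"score {score!r} for {scope}/{control} is outside the scale")
        if group in grouped[scope][control]:
            raise ValueError(f"duplicate score for {scope}/{control} from {group}")
        grouped[scope][control][group] = score

    scorecards, gaps = {}, []
    for scope, controls in grouped.items():
        card = {}
        for control in expected_controls:
            by_group = controls.get(control)
            if not by_group:
                gaps.append((scope, control))
                continue
            scores = list(by_group.values())
            card[control] = {
                "mean": round(mean(scores), 2),
                "n": len(scores),
                "by_group": dict(by_group),  # kept so the spread can be reviewed
            }
        scorecards[scope] = card
    return scorecards, gaps


def summarize(scorecards):
    """Average the per-scope means into one organization-wide score per control."""
    per_control = defaultdict(list)
    for card in scorecards.values():
        for control, entry in card.items():
            per_control[control].append(entry["mean"])
    return {control: round(mean(values), 2) for control, values in per_control.items()}


if __name__ == "__main__":
    cards, gaps = build_scorecards(
        NONPROFIT, ("roles_and_responsibilities", "identity_management", "data_backups"))
    print("nonprofit scorecard:", cards["agency"], "gaps:", gaps)
    cards, gaps = build_scorecards(
        ENTERPRISE, ("roles_and_responsibilities", "identity_management"))
    print("enterprise summary:", summarize(cards), "gaps:", gaps)
```

The `by_group` detail is deliberately kept alongside the mean: when the same control is scored by a management team and by the provider that implements its decisions, a wide spread between those two scores is itself a finding, and it disappears if only the average is stored.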