Download ppt - Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

Transcript
Page 1: Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

Meta-Metrics:Building a Scorecard for the Evaluation of Security Management and Control Frameworks

Meta-Metrics:Building a Scorecard for the Evaluation of Security Management and Control Frameworks

Michael SmithMetricon 5.0 08/10/2010

Page 2: Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

2

Laws, Sausages, and Frameworks? Top-down: regulation->policy->procedures -

>technical Organic growth: tech->architecture->policy Throw in the kitchen sink, built a checklist,

rinse, repeat Lessons learned: Company X got pwned so

you have to pay for their crimes Years of analysis: extended PhD thesis The Gray-Hair approach, I know better than

you2

Page 3: Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

3

The Part Where Mike Gets Meta

“The nature of all security frameworks is to devolve into a checklist” --Rybolov

All frameworks suck, the one you’re using sucks the worst

Management by inclusion v/s exclusion

Build a rational way to judge frameworks

3

Page 4: Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

4

Framework Scorecard

$$$$$Small, Medium, Large

Organizations

Page 5: Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

5

Framework Scorecard

$$$$$Small, Medium, Large

Organizations

EfficacyTactical/Technical

Patch and Vulnerability

Page 6: Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

6

Framework Scorecard

$$$$$Small, Medium, Large

Organizations

EfficacyTactical/Technical

Patch and Vulnerability

CompletenessSustainable Program

Page 7: Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

7

Framework Scorecard

$$$$$Small, Medium, Large

Organizations

EfficacyTactical/Technical

Patch and Vulnerability

CompletenessSustainable Program

?Robustness?Shelfware-Resistance

Low-MaintenanceAtomicity v/s Dependence

Page 8: Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

8

SWAG Reactions: ISO 27002

$$Reasonably large

Some Guidelines

Reasonably CompleteOK Robust, some audit

burden and rework

Page 9: Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

9

SWAG Reactions: PCI-DSS

Relatively Small Mostly Tactical

Bollocks for SustainableHas “Policy”

Robustness as a function of small size

Page 10: Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

10

SWAG Reactions: NIST RMF

Much CostPrescribed but not the

focus due to abstraction

The Whole Hawg of Completeness

Horribly fragile, this adds significantly to the cost

Page 11: Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

11

Uses

Conscious design of security, compliance, regulation, risk, etc frameworks

Prioritization of effort Split-horizon assessment/audit Maturity models Ending “Legislation Amateur Hour”

11

Page 12: Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

12

OMG What Have I done?

Have I built a better GRC and should I be hanged from the neck until I am dead?

Is an abstract of an abstract leading to a divide-by-zero error that will end the world?

Have I lost my bloody mind?

12

Page 13: Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks

16

Questions, Comments, or War Stories?http://www.guerilla-ciso.com/

rybolov(a)ryzhe.ath.cx

http://www.guerilla-ciso.com/

Recommended

Sustainability Assessment Frameworks, Evaluation Tools and Metrics for Buildings and its
Sustainability Assessment Frameworks, Evaluation Tools and Metrics for Buildings and its Documents
Populating a Data Quality Scorecard with Relevant Metrics (Whitepaper)
Populating a Data Quality Scorecard with Relevant Metrics (Whitepaper) Documents
Balanced scorecard metrics and specific supply chain roles · Balanced scorecard metrics and specific supply chain roles 1. Introduction An Agri-food supply chain (ASC) is a network
Balanced scorecard metrics and specific supply chain roles · Balanced scorecard metrics and specific supply chain roles 1. Introduction An Agri-food supply chain (ASC) is a network Documents
Annual Report 2016 - Theatre Ontario · Theatre Ontario Annual Report for 2016 7 ORGANIZATIONAL SCORECARD 2016 The Organizational Scorecard shows metrics on the outputs of Theatre
Annual Report 2016 - Theatre Ontario · Theatre Ontario Annual Report for 2016 7 ORGANIZATIONAL SCORECARD 2016 The Organizational Scorecard shows metrics on the outputs of Theatre Documents
Metrics and Scorecards - ge.com€¦ · Delete a Scorecard 22 Chapter 4: Manage Key Performance Indicators (KPIs) 24 Overview of Key Performance Indicators (KPIs) 25 ii Metrics and
Metrics and Scorecards - ge.com€¦ · Delete a Scorecard 22 Chapter 4: Manage Key Performance Indicators (KPIs) 24 Overview of Key Performance Indicators (KPIs) 25 ii Metrics and Documents
PERFORMANCE METRICS AND SCORECARD FINAL REPORT INTRODUCTION · Defense Reform Initiative Performance Metrics and Scorecard • Reform in the Department of Defense – Cold War’s
PERFORMANCE METRICS AND SCORECARD FINAL REPORT INTRODUCTION · Defense Reform Initiative Performance Metrics and Scorecard • Reform in the Department of Defense – Cold War’s Documents
Supply Chain Management Measurement & Metrics Sustainability Balanced Scorecard Mauricio Cavalieri Carreiro
Supply Chain Management Measurement & Metrics Sustainability Balanced Scorecard Mauricio Cavalieri Carreiro Documents
A Comparison of IT Governance & Control Frameworks in ...€¦ · Integrating Cloud IT Governance Models and Frameworks: Internal Threats Horizontal Audit Compliance Performance Metrics
A Comparison of IT Governance & Control Frameworks in ...€¦ · Integrating Cloud IT Governance Models and Frameworks: Internal Threats Horizontal Audit Compliance Performance Metrics Documents
Actionable Metrics for Continuous Improvement: …uknowledgeshare.com/wp-content/uploads/Actionable_Metrics_for...Actionable Metrics for Continuous Improvement: Balanced Scorecard
Actionable Metrics for Continuous Improvement: …uknowledgeshare.com/wp-content/uploads/Actionable_Metrics_for...Actionable Metrics for Continuous Improvement: Balanced Scorecard Documents
CDO SCORECARD - Business Applications and Technology · Top 100 industry segment Average ... projects, technology landscapes, ... Description of CDO Scorecard Metrics New Digital
CDO SCORECARD - Business Applications and Technology · Top 100 industry segment Average ... projects, technology landscapes, ... Description of CDO Scorecard Metrics New Digital Documents
Strategic Captive Opportunity and Utilization Technique ...€¦ · Captures underlying strategic and tactical considerations via defined KPI metrics (“Scorecard”) – Utilizes
Strategic Captive Opportunity and Utilization Technique ...€¦ · Captures underlying strategic and tactical considerations via defined KPI metrics (“Scorecard”) – Utilizes Documents
Defining and Evaluating Success: Metrics and Metric Frameworks for Information Architects
Defining and Evaluating Success: Metrics and Metric Frameworks for Information Architects Self Improvement
The 2018 Climate Accountability Scorecard · In creating The Climate Accountability Scorecard, originally published in 2016, the Union of Concerned Scientists (UCS) developed metrics
The 2018 Climate Accountability Scorecard · In creating The Climate Accountability Scorecard, originally published in 2016, the Union of Concerned Scientists (UCS) developed metrics Documents
Metrics, A Top-Down Balanced Scorecard Approach
Metrics, A Top-Down Balanced Scorecard Approach Documents
outline-2019 Company- IP Performance Scorecard Model-p1 · 2019. 2. 6. · 2019 IP Program Performance Metrics Benchmark Scorecard For more information contact us at (630) 216 9673
outline-2019 Company- IP Performance Scorecard Model-p1 · 2019. 2. 6. · 2019 IP Program Performance Metrics Benchmark Scorecard For more information contact us at (630) 216 9673 Documents
World-Class Performance Scorecard · World-Class Performance Scorecard Customer-Focused Innovation ... Regular monitoring and review of company-specific metrics by CEO and senior
World-Class Performance Scorecard · World-Class Performance Scorecard Customer-Focused Innovation ... Regular monitoring and review of company-specific metrics by CEO and senior Documents
Strategy Map and Scorecard 2017 2020 · 04/11/2016  · Strategy Map and Scorecard ... ophthalmological organization in key social media metrics. (4) • At least 5 major
Strategy Map and Scorecard 2017 2020 · 04/11/2016  · Strategy Map and Scorecard ... ophthalmological organization in key social media metrics. (4) • At least 5 major Documents
Update Department of Education Scorecard for Goal 1boe.hawaii.gov/Meetings/Notices/Documents/2015-09-01 SAC... · 01.09.2015  · Goal 1 Scorecard Metrics HAWAII STATE DEPARTMENT
Update Department of Education Scorecard for Goal 1boe.hawaii.gov/Meetings/Notices/Documents/2015-09-01 SAC... · 01.09.2015  · Goal 1 Scorecard Metrics HAWAII STATE DEPARTMENT Documents