Transcript Slide 1
Mission and Metrics from different views: Firm/Agency, Industry (financial services), and Profession
Daguio, Vancouver, Metricon 1.0

All Programs
• Requires clear accountability and objectives, and audience specificity
  – Risk and Compliance are related but separate domains to be managed; they should be reported on with this in mind, as they serve different audiences. Decision-making processes are different for these domains.
  – Metrics must serve a mission and a master. Different metrics may be of interest to different audiences who have different objectives.
  – Governance and Accountability objectives usually come first, before Availability, Integrity, and Confidentiality, according to the field experience of several teams interviewed.

The first questions we must ask will nearly always be related to governance and objectives:
• Who are we? Ours and others' roles and responsibilities
• Why are we here? The organizational mission and our tasking
• What is at risk? Information, intellectual property, IT systems
• What are the rules? Policies, laws, etc.
• What are the risks? Threats, vulnerabilities, controls
• What resources are available? People, ideas, technology, budget, time, etc.
• What is at stake? Is the mission/resource critical to the organization or to us?
INFORMATION ASSURANCE
• Model shown: Mission Driven Information Assurance
  – Risk and security management in context, not in a vacuum
  – Mission Driven Model: Layers (Daguio 2004)

Layer  Name                                                          Domain
15     Natural Law (Physical and Moral)                              Governance
14     Ethics (Evolved and Created)                                  Governance
13     Law (Agreement, Local, State, National, International Law)    Governance
12     Policy (Organizational, and Others)                           Governance
11     Strategy/Plans                                                Mission
10     Value to Users                                                Mission
9      Services to Users                                             Mission
8      Business Process                                              Mission
7      Application                                                   Mission/OSI/ISO
6      Presentation                                                  OSI/ISO
5      Session                                                       OSI/ISO
4      Transport                                                     OSI/ISO
3      Network                                                       OSI/ISO
2      Datalink                                                      OSI/ISO
1      Physical                                                      OSI/ISO

Firm/Agency
• Intended to:
  – Help manage risk and compliance
  – Support decision-making
  – Support actions
  – Support accountability
• Starting with Governance and Accountability is critical
• Agreed objectives and metrics-program-related measures are the starting point
• Maturity models are a good source of management metrics
• Interval measures are acceptable as long as comparisons between organizations are not possible

Industry/Sector
• Financial Services: ABA, FIPA, BITS, etc.
• Intended to:
  – Promote trust and confidence
  – Improve cost effectiveness of programs
  – Prevent new regulatory measures, or spread them to others
• Agreed objectives and metrics-program-related measures are the starting point
• Baseline and aspirational models are key
• Maturity models are a good source of management metrics
• Safest to do nominal and ordinal measures only, to prevent comparison

Profession
• The CSO Executive Council is producing tools for senior practitioners that can be adapted to their organization's needs.

FIELD EXPERIENCE
Metrics programs are often the undoing of CSOs, since the expectations of C-level executives are often not met. Metrics programs can also negatively impact companies, agencies, and industries. Data collected or reported without context and meaning, or of low quality, has caused greater harm than good.
Often the availability of data and analysis is used against the interests of the security community. Sometimes the primary benefit from these programs came from the discipline and awareness imposed by the measurement and reporting requirements. In other cases the sharing and alignment of objectives that occurred led to improvements in program effectiveness.