New group plans security metrics
The organization is the latest to take a stab at creating the standard
Computerworld - The need for tools to help IT managers assess the effectiveness of their security investments has fueled another industry effort to develop performance measurement metrics.
The latest group to take a stab at creating such metrics is a new entity called the Security Compliance Council. The council last week announced plans to create standard measures to assess and benchmark information security performance.
IT managers said such tools can be effective, but they listed several challenges facing the new organization.
Robert Garigue, chief information security officer at the Bank of Montreal in Toronto, said the effort's chances for success will depend largely on how it builds on existing security frameworks and processes.
The bank, for example, bases a lot of its security processes on frameworks such as Carnegie Mellon University's Capability Maturity Model and the best practices contained in the Information Technology Infrastructure Library, he said.
"Over a period of time, there have been a series of processes that everyone agrees are good, such as patch management, antivirus and intrusion-detection systems," Garigue said. "What is not available is a way to integrate them into a governance framework that says, 'Here's a list of the processes that need to be implemented, and here's how well you're doing with them.'"
To be successful, the new effort must be "additive and not just a substitute" to the metrics already available, he added.
The founding members of the organization are Houston-based security vendor BindView Corp., the Computer Security Institute in San Francisco and The Institute of Internal Auditors (IIA), a 100,000-member association in Altamonte Springs, Fla.
The group's mission is to develop research- and survey-based IT security guidelines to help companies figure out what they need to do and how they are faring, said David Richards, president of the IIA.
Kim Milford, information security manager at the University of Rochester in New York said she welcomes the effort but added that its success will depend largely on the quality of the information used by the group.
For instance, she pointed out, people are reluctant to share detailed security information, and there are wide variations in the way companies implement and manage security technologies and measure incidents. Thus it can be hard to draw consistent data from different organizations, she said.
In addition, adopting someone else's definition of best practices may not always be the right solution for a company, said Christofer Hoff, director of enterprise security services at Western Corporate Federal Credit Union in San Dimas, Calif.
"It may be a cynic's view, but my reality shows that if you do what is right for your company, which does not necessarily mean adopting someone's definition of best practices, then regulatory compliance may be a natural byproduct," he said.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts