New group plans security metrics
The organization is the latest to take a stab at creating the standard
Computerworld - The need for tools to help IT managers assess the effectiveness of their security investments has fueled another industry effort to develop performance measurement metrics.
The latest group to take a stab at creating such metrics is a new entity called the Security Compliance Council. The council last week announced plans to create standard measures to assess and benchmark information security performance.
IT managers said such tools can be effective, but they listed several challenges facing the new organization.
Robert Garigue, chief information security officer at the Bank of Montreal in Toronto, said the effort's chances for success will depend largely on how it builds on existing security frameworks and processes.
The bank, for example, bases a lot of its security processes on frameworks such as Carnegie Mellon University's Capability Maturity Model and the best practices contained in the Information Technology Infrastructure Library, he said.
"Over a period of time, there have been a series of processes that everyone agrees are good, such as patch management, antivirus and intrusion-detection systems," Garigue said. "What is not available is a way to integrate them into a governance framework that says, 'Here's a list of the processes that need to be implemented, and here's how well you're doing with them.'"
To be successful, the new effort must be "additive and not just a substitute" to the metrics already available, he added.
The founding members of the organization are Houston-based security vendor BindView Corp., the Computer Security Institute in San Francisco and The Institute of Internal Auditors (IIA), a 100,000-member association in Altamonte Springs, Fla.
The group's mission is to develop research- and survey-based IT security guidelines to help companies figure out what they need to do and how they are faring, said David Richards, president of the IIA.
Kim Milford, information security manager at the University of Rochester in New York said she welcomes the effort but added that its success will depend largely on the quality of the information used by the group.
For instance, she pointed out, people are reluctant to share detailed security information, and there are wide variations in the way companies implement and manage security technologies and measure incidents. Thus it can be hard to draw consistent data from different organizations, she said.
In addition, adopting someone else's definition of best practices may not always be the right solution for a company, said Christofer Hoff, director of enterprise security services at Western Corporate Federal Credit Union in San Dimas, Calif.
"It may be a cynic's view, but my reality shows that if you do what is right for your company, which does not necessarily mean adopting someone's definition of best practices, then regulatory compliance may be a natural byproduct," he said.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts