Though each company has its own way of implementing a security metrics program to improve its security systems, the seven-step model for designing and using security metrics is the one most commonly referenced. The model is outlined in the following paragraphs.
The first step is to define the objectives of the information security metrics. The ultimate goal of any information security metrics program is to improve the current security system, but you need to be specific about what you intend to achieve, because the security system depends on a number of processes that work together to protect information. An example objective is identifying the vulnerabilities present in the system so that security analysts can work on fixing them.
The second step is to develop the strategies that produce information security metrics. These strategies are the methods by which security analysts collect data and measure the effectiveness of the current security system, covering both its current strengths and the risks that remain under the current security program.
Based on regular data collection, the security program is then adjusted to increase its strength while reducing the risks in the current security system. Several data sources feed the development of an information security metrics strategy, including firewall logs, user feedback, help desk logs, and system logs.
The third step is the most difficult, because it determines how you will use the information security metrics. In this step you decide which security metrics to use, and if a new metric needs to be created, you address that here as well. As explained already, information security metrics are produced by comparing repeated measurements of the existing security program taken at different stages of its development and implementation. You therefore need to be careful to select metrics that actually tell you which processes deliver more security. In other words, use the data the metrics provide to identify the processes that contribute most to information security, so that system programmers can strengthen those processes further.
The fourth step is to compare the data protection effectiveness of the current security program with the processes of other companies in order to establish benchmarks. This comparison makes the metrics more useful: with other companies' data included, the metrics can be further refined to improve the current security program. A benchmark is only meaningful, however, when both sides define and measure the metric in the same way. Remember also that improving a security program does not mean improving overall protection all at once. It is a step-by-step method in which the metrics for each of the processes that make up the security program are consulted in turn, and each process is refined to achieve a more effective system for protecting users' data.
In the fifth step, the format and audience of the information security metrics are decided. The best way to present security metrics is usually in graphic form, so that both security managers and company managers can understand them easily. The audience is chosen according to who has the authority to approve modifications: in some companies the security analysts can take decisions themselves, while in others even the stakeholders must approve any change to the security systems. Whatever is decided, the presentation should be designed to draw out more input for improving the current security system.
The sixth step is to create an action plan, based on the data obtained from the information security metrics and the input gathered from the audience to whom the metrics were presented. This is the stage where security analysts may face resistance: some people will strongly reject any change to the current security system because they believe it is already capable of handling all the risks. However, no matter how strong a security system is, it needs to be updated constantly, because malicious users on the Internet are always trying to break into your servers. Security systems must therefore be kept under continuous improvement so that they can address new risks and vulnerabilities, and this is where information security metrics come in.
The final step is to create a program that reviews the security program regularly. As explained in the introduction, this involves repeated measurements of the effectiveness of the security system. These measurements again come from the various logs and from feedback from the users of the security products or systems. From these measurements, information security metrics are derived and used for continual improvement of the security program.
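To make the steps concrete, here is an added example in Python that is not part of the article: it walks through the model on constructed data. Numeric targets stand in for the step 1 objectives, a small vulnerability scanner export and help desk log stand in for the step 2 data sources, two metric functions are the step 3 selection, the targets act as the step 4 benchmark, and review() performs the step 7 comparison of two measurement periods, reporting both the trend and whether each metric meets its target. All names, dates, thresholds and the 30-day SLA are assumptions.

```python
"""Compute two information security metrics from constructed sample data,
compare two measurement periods, and check each against a target.
Added example; the data, metric definitions and targets are assumptions."""
from datetime import date
from statistics import mean

# Step 1: objectives expressed as measurable targets (assumed values).
TARGETS = {
    "high_vulns_fixed_within_sla_pct": 90.0,   # higher is better
    "mean_incident_resolution_hours": 24.0,    # lower is better
}
HIGHER_IS_BETTER = {"high_vulns_fixed_within_sla_pct": True,
                    "mean_incident_resolution_hours": False}
SLA_DAYS = 30  # assumed remediation SLA for high-severity findings

# Step 2: constructed data sources (a scanner export and a help desk log).
# Vulnerability: (id, severity, date found, date fixed or None if still open).
VULNS = [
    ("V-1", "high", date(2024, 1, 5), date(2024, 1, 20)),
    ("V-2", "high", date(2024, 1, 10), date(2024, 3, 1)),
    ("V-3", "medium", date(2024, 2, 1), date(2024, 2, 10)),
    ("V-4", "high", date(2024, 2, 15), None),
    ("V-5", "high", date(2024, 4, 3), date(2024, 4, 12)),
    ("V-6", "high", date(2024, 5, 1), date(2024, 5, 25)),
    ("V-7", "high", date(2024, 6, 2), None),
]
# Incident ticket: (ticket, date opened, hours until resolved).
INCIDENTS = [
    ("INC-1", date(2024, 1, 8), 40.0),
    ("INC-2", date(2024, 3, 2), 20.0),
    ("INC-3", date(2024, 4, 9), 12.0),
    ("INC-4", date(2024, 6, 20), 18.0),
]
PERIODS = {
    "Q1": (date(2024, 1, 1), date(2024, 3, 31)),
    "Q2": (date(2024, 4, 1), date(2024, 6, 30)),
}

def in_period(day, period):
    start, end = PERIODS[period]
    return start <= day <= end

# Step 3: the selected metrics, each a function of a measurement period.
def high_vulns_fixed_within_sla_pct(period):
    """Share of high-severity findings found in the period that were closed
    within SLA_DAYS. A still-open finding counts as a miss, so the metric
    cannot be improved simply by leaving findings unfixed."""
    highs = [v for v in VULNS if v[1] == "high" and in_period(v[2], period)]
    if not highs:
        return None
    ok = sum(1 for _, _, found, fixed in highs
             if fixed is not None and (fixed - found).days <= SLA_DAYS)
    return round(100.0 * ok / len(highs), 1)

def mean_incident_resolution_hours(period):
    """Mean hours to resolve security incidents opened in the period."""
    hours = [h for _, opened, h in INCIDENTS if in_period(opened, period)]
    return round(mean(hours), 1) if hours else None

METRICS = {
    "high_vulns_fixed_within_sla_pct": high_vulns_fixed_within_sla_pct,
    "mean_incident_resolution_hours": mean_incident_resolution_hours,
}

# Step 7: periodic review, comparing the current period with the previous one
# and against the step 4 benchmark (here the assumed targets).
def review(previous, current):
    report = {}
    for name, fn in METRICS.items():
        before, now = fn(previous), fn(current)
        better = HIGHER_IS_BETTER[name]
        if now is None or before is None:      # not enough data to judge
            meets = improved = None
        else:
            meets = (now >= TARGETS[name]) if better else (now <= TARGETS[name])
            improved = (now > before) if better else (now < before)
        report[name] = {"previous": before, "current": now,
                        "target": TARGETS[name], "meets_target": meets,
                        "improved": improved}
    return report

if __name__ == "__main__":
    for name, r in review("Q1", "Q2").items():
        print(f"{name}: {r['previous']} -> {r['current']} (target {r['target']}, "
              f"meets={r['meets_target']}, improved={r['improved']})")
```

In the constructed data the SLA metric improves from Q1 to Q2 but still misses its target, while incident resolution time both improves and meets its target; that is exactly the distinction (trend versus benchmark) that the step 6 action plan has to be built on.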
The next page contains the summary of the article, together with the sources of the information in the article and further reading on information security metrics.