How Security Metrics Deliver Business Value & Compliance

Wednesday, September 20, 2017

Metrics are tangible values that quantify progress towards a goal. An analytic system combines metrics from numerous sources to help CISOs and their peers understand trends and patterns.

Metrics play a key role in a larger analytics system. As integral as cybersecurity is to business operations, IT, legal, risk, and compliance, adding cybersecurity metrics to the business’s analytic system will reduce cost, increase efficiency, provide actionable goals for managers, create tangible goals for senior leadership, and enable key performance indicators for boards.

The Fidelis Elevate ADR Platform and Fidelis services are used by many organizations to create and update their organizational security programs aligned to a specific set of standards. While each of these standards originated for different reasons, their motivations are centered on the security of IT infrastructures. Examples of security standards include Critical Security Controls, NIST 800-53, ISO 27002, NIST 800-171, FISMA, COBIT 5, PCI DSS 3.0, and HIPAA. Consequently, all of these standards have similar and overlapping requirements.

At Fidelis, our Cybersecurity Experts understand not only each of these standards individually, but also how they correlate with one another.

Using metrics in compliance is also important.

  • PCI DSS stated “Organizations should quantify their ability to sustain security practices and PCI DSS compliance by developing a set of metrics that summarize the performance of their security controls and security program.”
    Reference: Best Practices for Maintaining PCI DSS Compliance (v3.0) https://www.pcisecuritystandards.org/documents/PCI_DSS_V3.0_Best_Practices_for_Maintaining_PCI_DSS_Compliance.pdf
  • ISO 17799 establishes best practices. Metrics are an integral part of measuring the effectiveness and efficiency of information security management. This measurement feeds a strategic business plan and business operations. To connect security, strategy, and operations, the cybersecurity metrics need to be part of an analytic program.
    Reference: ISO 17799:2005 Code of practice for information security management https://www.iso.org/standard/39612.html
  • ISO 27001 establishes standards. In developing an Information Security Management System (ISMS), an organization must quantify security risks, which requires metrics. Just as with ISO 17799, quantifying security risk should take into account strategic business planning and operations, and thus the metrics need to be part of a larger analytic program.
    Reference: ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements (second edition)
  • COBIT 5 for Information Security leverages the methods established in the COBIT framework and provides more detailed and more practical guidance to information security professionals with the goal of effectively governing and managing information security.
    Reference: COBIT 5 for Information Security http://www.isaca.org/COBIT/Documents/COBIT-5-for-Information-Security-Introduction.pdf
  • Metrics will assist with HIPAA compliance, both in implementing security measures that protect EPHI and in managing the conduct of the workforce in protecting EPHI.
    Reference: HIPAA Security Series 4 Security Standards: Technical Safeguards https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf