16 January 2015

Management awareness paper on security compliance metrics

Compliance with information security related obligations, privacy laws in particular, was already a major issue for management when this paper was written back in 2007. Over the succeeding years, it has grown even bigger and yet we still often hear people discussing compliance in simplistic, black-and-white or binary terms in the sense of "You either comply or you don't". In reality, compliance is usually a matter of interpreting and weighing up the evidence concerning the extent to which the obligations have or have not been fulfilled, and their relative importance. Compliance may not be glorious Technicolor but there are definitely shades of grey!

This metrics briefing proposed a few simple measures of the extent and speed of compliance, as well as the costs relating to or arising from compliance.

In addition to legislation, it mentioned compliance with and enforcement of corporate policies and other requirements (such as good security practices and contractual obligations - PCI-DSS being a classic example).

We developed further and elaborated on the concept of a 'security compliance status' metric that was introduced in this paper in later briefings. Looking at the paper now, with the benefit of hindsight, it seems rather naive but it served a purpose as a security awareness item for managers.

06 January 2015

Management awareness paper on physical security metrics

In the context of information security, physical security is about protecting tangible assets holding, communicating or processing valuable information - primarily ICT systems and data storage media - from physical incidents such as theft, criminal or accidental damage, loss, sabotage, fire, flood, mechanical breakdown, electrical surges, dips and power cuts, static discharge, magnetic or electrical interference etc. that would damage the information content or the services provided.

Strictly speaking, it includes physical protection for people, workers particularly, since we also constitute physical information assets - well most of us anyway (some are liabilities!). 'Health and safety' is, in a sense, part of information security, along with substantial parts of HR.

This very brief metrics discussion paper, written seven years ago, does not explore the entire scope of physical security but mentions just a few considerations around physical security targets and measurements. It was not one of our best efforts ... and yet it might just prompt you to think of something worth measuring in your situation.

I promise the quality of this series of papers improves as we head into 2015. Our understanding of metrics improved markedly as we did the thinking and research for the PRAGMATIC book, on top of which we revisited, updated and expanded on the older papers as we completed successive cycles of information security topics. Yes, I know it's "jam tomorrow" but stick with us and enjoy the journey.