PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson

Appendix H: ISO27k Maturity Scale Metrics

The tables that follow can be used to assess and score the maturity of an organization's approach to information security against a broad range of information security practices recommended by ISO/IEC 27002:2005.
The assessment criteria make the scoring process more objective and repeatable than it would otherwise be. However, the scoring is best conducted by someone with an information security or IT audit background who either knows the organization inside-out or has access to the people who do, and preferably both. Consider one row at a time, determining which of the stated criteria offer the best fit, and identify the percentage score accordingly, interpolating between the scoring points where appropriate. Make notes about the scoring, including any evidence, incidents, situations, or concerns that were particularly influential—you may be asked to explain or justify particular scores later, and most of us find it difficult to remember all the scoring decisions without our notes.
Tip: Although this appendix reflects the ISO27k standards, it is not comprehensive. The scoring indicators do not incorporate all of the security issues and controls explicitly recommended by the standard. The tables are provided as templates or starting points from which you are encouraged to develop your own customized suite of scoring scales, but bear in mind the trade-offs between simplicity/complexity, cost, accuracy, speed of use, and utility. Our primary aim in this book is to help you develop worthwhile information security metrics, not to conduct a detailed analysis of your organization's security status.
For summary-level metrics, the scores can then simply be averaged in each section and overall for a grand total score. The criteria and the sections may optionally be weighted first because some controls are more important than others—we leave this as an exercise for the reader.
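The procedure above (score each row against its criteria, interpolate between scoring points where needed, keep notes, then average per section and overall, optionally weighted) as an added worked example that is not from the book; the section names, control names, scores and notes are constructed placeholders, not the appendix's own tables, and the scoring points are assumed to be 0, 25, 50, 75 and 100.

```python
"""Roll up ISO27k maturity-scale scores with per-row notes, section averages,
optional weights and a grand total. Added example with constructed data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCORING_POINTS = (0, 25, 50, 75, 100)  # assumed anchor points on each row's scale


@dataclass
class Row:
    control: str        # ISO/IEC 27002 practice being assessed (placeholder names below)
    score: float        # 0-100, interpolated between scoring points if appropriate
    notes: str = ""     # evidence, incidents, situations or concerns behind the score
    weight: float = 1.0 # optional: some controls matter more than others


@dataclass
class Section:
    name: str
    rows: List[Row]
    weight: float = 1.0


def interpolate(lower: int, upper: int, position: float) -> float:
    """Score between two adjacent scoring points; position 0.0 = lower, 1.0 = upper."""
    if (lower, upper) not in zip(SCORING_POINTS, SCORING_POINTS[1:]):
        raise ValueError("lower/upper must be adjacent scoring points")
    if not 0.0 <= position <= 1.0:
        raise ValueError("position must lie between 0 and 1")
    return lower + position * (upper - lower)


def validate(sections: List[Section]) -> List[str]:
    """Flag scores that would be hard to explain or justify later."""
    problems = []
    for s in sections:
        for r in s.rows:
            if not 0 <= r.score <= 100:
                problems.append(f"{s.name}/{r.control}: score {r.score} outside 0-100")
            if not r.notes.strip():
                problems.append(f"{s.name}/{r.control}: no notes to justify the score")
    return problems


def weighted_mean(pairs: List[Tuple[float, float]]) -> float:
    return sum(v * w for v, w in pairs) / sum(w for _, w in pairs)


def section_scores(sections: List[Section]) -> Dict[str, float]:
    return {s.name: weighted_mean([(r.score, r.weight) for r in s.rows]) for s in sections}


def grand_total(sections: List[Section]) -> float:
    scores = section_scores(sections)
    return weighted_mean([(scores[s.name], s.weight) for s in sections])


# Constructed sample assessment (placeholder sections, controls, scores and notes).
SAMPLE = [
    Section("Access control", [
        Row("User registration", 75, "Joiner/leaver process documented; quarterly reviews seen"),
        Row("Password management", interpolate(50, 75, 0.0), "Policy exists; not enforced on legacy systems", weight=2.0),
    ]),
    Section("Incident management", [
        Row("Reporting security events", 25, "Ad hoc e-mail reports; no ticketing or tracking"),
        Row("Learning from incidents", 0, "No post-incident reviews in the last year"),
    ], weight=2.0),
]
```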
The individual ratings for each row in the tables, along with your notes and perhaps the evidence you gathered, may prove useful for information security professionals tasked by management with improving the scores.
As well as using the maturity scale method to score small organizations or individual departments and facilities directly, we have used a more detailed version of the matrix to assess large organizations' compliance with the ISO27k standards. The method involves a team of qualified IT auditors assessing, scoring, comparing, and contrasting business units using common criteria similar to those shown here plus an accompanying ISO27k audit checklist. It works extremely well and has proved popular with management.
By the way, please do not assume that 100% is the target or ideal score in every case or, for that matter, that 0% is necessarily an outright fail. Risk analysis is an integral part of the ISO27k approach, and your risks (and, hence, the appropriate controls) are not the same as everyone else's. These are entirely generic scoring scales. Some controls might not be appropriate in your organization, and others might not go far enough.
Tip: If you are blessed with a progressive management, the scores lend themselves to the publication of corporate league tables that motivate underperforming business units to review their approach to information security and encourage the transfer of good practices from their better peers. Be aware, however, that bad scores can generate serious resentment, so be careful if you take this approach—you might, for example, offer underperforming business units a grace period to get their act together before reassessing them and publishing the numbers.