Friday, 12 July 2019

Key Performance Indicators (KPIs) for Information Security

A key performance indicator (KPI) is an indicator that is particularly significant in showing the performance of an ISMS. KPIs are carefully chosen from a larger pool of indicators to show, at a high level, whether our ISMS is keeping pace with the threats to our organization or losing effectiveness. KPIs should be easily understood by business and technical personnel alike and should be aligned with one or (better yet) several organizational goals.

The process by which we choose KPIs is driven by organizational goals. In the ideal case, senior leadership sets (or at least approves) goals for the security of the organization. The ISMS team then works out how to show whether we are moving toward or away from those goals. The process can be summarized as follows.

1. Choose the factors that can show the state of our security. In doing this, we want to strike a balance between the number of data sources and the resources required to capture all of their data.

2. Define baselines for some or all of the factors under consideration. As we do this, it helps to consider which measurements will be compared with each other and which with a baseline. Keep in mind that a given baseline may apply to multiple factors' measurements.

3. Develop a plan for periodically capturing the values of these factors, and fix the sampling period. Ideally, we gather this data by automated means so as to ensure the periodicity and consistency of the process.

4. Analyze and interpret the data. While some analysis can be automated, there will be situations that require human involvement. In some cases we can take the data at face value; in others we will have to dig into it and gather more information before reaching a conclusion.

5. Communicate the indicators to all stakeholders. In the end, we can (and probably should) communicate the findings in a way that is understandable by a broad range of stakeholders. A common approach is to start with a non-technical summary supported by increasingly detailed layers of technical information. The summary end of this continuum is where we select and place our KPIs.

Information Security Metrics 

NIST SP 800-55r1, Performance Measurement Guide for Information Security: measure template

Each field below is followed by the data NIST asks for in that field. Lines marked "Note:" are this post's own annotations.

Measure ID (measure item)
Data: State the unique identifier used for measure tracking and sorting. The unique identifier can be from an organization-specific naming convention or can directly reference another source.
Note: A management framework adopted to reach the organization's information security goals (ISO 27001, for example) requires controls across many domains, implemented through managerial or technical means. Deciding which items to measure is how we capture the performance and effectiveness of information security management.
Note: Measure items can be drawn from the ISO 27001 controls, ISO 27004 (information security monitoring, measurement, analysis and evaluation) and NIST SP 800-55r1 (performance measurement for information security).

Goal (measurement goal)
Data: Statement of strategic goal and/or information security goal. For system-level security control measures, the goal would guide security control implementation for that information system. For program-level measures, both strategic goals and information security goals can be included. For example, information security goals can be derived from enterprise-level goals in support of the organization's mission. These goals are usually articulated in strategic and performance plans. When possible, include both the enterprise-level goal and the specific information security goal extracted from agency documentation, or identify an information security program goal that would contribute to the accomplishment of the selected strategic goal.
Note: Derive the information security goal from the organization's strategic goal (e.g. strategic goal: ensure the organization has a high-performance, secure infrastructure and sound operational capability; information security goal: ensure staff are adequately trained to carry out the information security responsibilities assigned to them).

Measure (quantified measurement)
Data: Statement of measurement. Use a numeric statement that begins with the word "percentage," "number," "frequency," "average," or a similar term. If applicable, list the NIST SP 800-53 security control(s) being measured. Security controls that provide supporting data should be stated in Implementation Evidence. If the measure is applicable to a specific FIPS 199 impact level (high, moderate, or low), state this level within the measure.
Note: Use a measurable numeric value, e.g. a percentage, a count, a frequency or an average.

Type (implementation / effectiveness-efficiency / impact)
Data: Statement of whether the measure is implementation, effectiveness/efficiency, or impact.
Note: The three types are implementation (is the control in place, e.g. percentage of systems covered), effectiveness/efficiency (does the control produce its intended result, and in time) and impact (effect on the organization's mission, e.g. cost or downtime). The type is a category of measure, not a high/medium/low rating of the result.

Formula (calculation)
Data: Calculation to be performed that results in a numeric expression of a measure. The information gathered through listing implementation evidence serves as an input into the formula for calculating the measure.

Target (target value / threshold)
Data: Threshold for a satisfactory rating for the measure, such as milestone completion or a statistical measure. Target can be expressed in percentages, time, dollars, or other appropriate units of measure. Target may be tied to a required completion time frame. Select final and interim targets to enable tracking of progress toward the stated goal.

Implementation Evidence (collected evidence or records)
Data: Implementation evidence is used to compute the measure, validate that the activity is performed, and identify probable causes of unsatisfactory results for a specific measure.
* For manual data collection, identify questions and data elements that would provide the data inputs necessary to calculate the measure's formula, qualify the measure for acceptance, and validate provided information.
* For each question or query, state the security control number from NIST SP 800-53 that provides information, if applicable.
* If the measure is applicable to a specific FIPS 199 impact level, questions should state the impact level.
* For automated data collection, identify data elements that would be required for the formula, qualify the measure for acceptance, and validate the information provided.

Frequency (measurement frequency)
Data: Indication of how often the data is collected and analyzed, and how often the data is reported. Select the frequency of data collection based on the rate of change in the particular security control that is being evaluated. Select the frequency of data reporting based on external reporting requirements and internal customer preferences.

Responsible Parties (who measures, and their responsibilities)
Data: Indicate the following key stakeholders:
* Information Owner: Identify the organizational component and individual who owns the required pieces of information;
* Information Collector: Identify the organizational component and individual responsible for collecting the data. (Note: If possible, the Information Collector should be a different individual, or even a representative of a different organizational unit, than the Information Owner, to avoid the possibility of a conflict of interest and ensure separation of duties. Smaller organizations will need to determine whether it is feasible to separate these two responsibilities.); and
* Information Customer: Identify the organizational component and individual who will receive the data.

Data Source (data source)
Data: Location of the data to be used in calculating the measure. Include databases, tracking tools, organizations, or specific roles within organizations that can provide the required information.

Reporting Format (report format)
Data: Indication of how the measure will be reported, such as a pie chart, line chart, bar graph, or other format. State the type of format or provide a sample.

KPIs based on ISO 27001 controls

Columns: Category (ISO 27001 clause), Control, Factor (the security-state factor chosen; P = performance, R = risk), Measurement (how it is measured), Baseline, Metric (unit or evidence type), Indicator (reporting period or target).

A5 Information security policies
Control: 5.1.1 Policies for information security (publication and communication)
Factor: policy review, publication and communication
Measurement: periodic review of the policy's applicability; policy communicated to the relevant stakeholders
Baseline: review at least once a year; communication ad hoc
Metric: document (review and communication records)
Indicator: 1/Y

A6 Organization of information security
Control: 6.2.1 Mobile device policy; 6.2.2 Teleworking
Factor: security rules for the use of phones, notebooks and tablets
Measurement: periodic review of the policy's applicability, based on detection results
Metric: document
Indicator: 1/Y

A7 Human resource security
Control: 7.2.2 Information security awareness, education and training
Factor: professional competence required for each job function: general staff, system developers, network infrastructure maintainers, information security technical staff
Measurement: security awareness and professional training; relevant professional certifications (chosen to suit the organization's environment)
Baseline: percentage of staff trained; number of certifications held
Metric: document (training and certification records)
Indicator: 95% or higher

A8 Asset management
Control: 8.3.1 Management of removable media
Factor: security rules for flash drives and other USB media
Measurement: malware infections caused by removable media; unauthorized devices accessing data
Baseline: number of occurrences
Metric: log
Indicator: 1/M

A9 Access control
Control: 9.1.2 Access to networks and network services; 9.4.1 Information access restriction; 9.4.5 Access control to program source code
Factor: network intrusion detection; core-system login monitoring; change records for sensitive data; network bandwidth usage monitoring
Measurement: firewall intrusion records, IDS intrusion records, account login anomalies (failed logins); network bandwidth utilization
Baseline: number of anomalies; percentage of anomalies
Metric: MRTG graphs; logs
Indicator: 1/M
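As an added example, not part of the original post, NIST SP 800-55r1 or ISO 27001, the script below carries the five-step process and the table above through to working code. Three of the table's KPIs (A7 training coverage, A8 media-borne infections, A9 failed-login anomalies) are recorded with the 800-55r1 template fields (measure ID, goal, measure statement, type, formula, target, frequency, data source), each formula is applied to its implementation evidence, and the result is compared with the target to give the indicator reported to stakeholders. The sshd log lines, training roster, AV events, hostnames, usernames, measure IDs and the baseline of "more than 5 failed logins per account" are all constructed for the example.

```python
"""Compute three ISO 27001 KPIs with NIST SP 800-55r1 template fields.

Added example; evidence below is constructed, not real data.
"""
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass
class Measure:
    """Subset of the SP 800-55r1 measure template fields."""
    measure_id: str
    goal: str
    statement: str                     # begins with "percentage", "number", ...
    mtype: str                         # implementation | effectiveness/efficiency | impact
    formula: Callable[[Any], float]    # evidence -> numeric value
    target: float
    higher_is_better: bool             # how to compare value with target
    frequency: str
    data_source: str


# Constructed sshd-style log lines for core system "core-db" (hypothetical host/users).
AUTH_LOG = """\
Jul 12 01:02:03 core-db sshd[411]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Jul 12 01:02:05 core-db sshd[411]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Jul 12 01:02:07 core-db sshd[411]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Jul 12 01:02:09 core-db sshd[411]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Jul 12 01:02:11 core-db sshd[411]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Jul 12 01:02:13 core-db sshd[411]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Jul 12 08:15:00 core-db sshd[520]: Accepted publickey for ops from 192.0.2.10 port 40100 ssh2
Jul 12 09:30:21 core-db sshd[601]: Failed password for invalid user test from 198.51.100.4 port 33001 ssh2
Jul 12 09:31:00 core-db sshd[602]: Failed password for ops from 192.0.2.10 port 40110 ssh2
Jul 12 09:31:04 core-db sshd[602]: Accepted password for ops from 192.0.2.10 port 40110 ssh2
"""
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def failed_logins_by_account(log_text: str) -> Dict[str, int]:
    """A9 implementation evidence: failed logins per account in the period."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def anomalous_accounts(counts: Dict[str, int], threshold: int = 5) -> List[str]:
    """Accounts exceeding the assumed baseline of 5 failed logins per period."""
    return sorted(a for a, n in counts.items() if n > threshold)


# Constructed training roster: (staff id, job function, completed awareness training?)
TRAINING = [("e01", "general", True), ("e02", "general", True), ("e03", "developer", True),
            ("e04", "developer", False), ("e05", "network", True), ("e06", "security", True)]


def training_coverage_pct(records) -> float:
    """A7 measure: percentage of staff who completed security awareness training."""
    done = sum(1 for _, _, ok in records if ok)
    return round(100.0 * done / len(records), 1)


# Constructed AV console events; "source" records how the malware arrived.
AV_EVENTS = [{"host": "ws-22", "source": "email"}, {"host": "ws-03", "source": "web"}]


def media_infections(events) -> int:
    """A8 measure: number of infections attributed to removable media."""
    return sum(1 for e in events if e["source"] == "usb")


MEASURES = [
    Measure("A7-7.2.2-01", "Staff can carry out their assigned security responsibilities",
            "percentage of staff who completed security awareness training",
            "implementation", training_coverage_pct, 95.0, True, "1/Y", "HR training records"),
    Measure("A8-8.3.1-01", "Removable media do not introduce malware",
            "number of malware infections attributed to removable media",
            "effectiveness/efficiency", media_infections, 0, False, "1/M", "AV console log"),
    Measure("A9-9.4.1-01", "Core-system logins are monitored for abuse",
            "number of accounts with more than 5 failed logins in the period",
            "effectiveness/efficiency",
            lambda text: len(anomalous_accounts(failed_logins_by_account(text))),
            0, False, "1/M", "sshd auth log of core-db"),
]


def evaluate(measure: Measure, evidence) -> dict:
    """Apply the formula to the evidence and rate the result against the target."""
    value = measure.formula(evidence)
    ok = value >= measure.target if measure.higher_is_better else value <= measure.target
    return {"id": measure.measure_id, "type": measure.mtype, "value": value,
            "target": measure.target, "status": "meets target" if ok else "below target",
            "frequency": measure.frequency}


def kpi_report() -> List[dict]:
    """The indicator rows a summary report would carry, one per measure."""
    return [evaluate(m, e) for m, e in zip(MEASURES, [TRAINING, AV_EVENTS, AUTH_LOG])]


if __name__ == "__main__":
    for row in kpi_report():
        print(row)
```

Running it shows the A7 measure at 83.3% against a 95% target and one anomalous account (admin, six failures) on the A9 measure, while A8 meets its target of zero; the evidence (which account, which host) stays available for the "dig into it" case in step 4, and only the value, target and status reach the summary level where the KPIs sit.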
