Source: NoticeBored
Identifier: 1495738
Publication date: 2019-12-12 08:00:11 (seen: 2020-01-03 15:00:04)
Title: NBlog Dec 12 - a universal KPI
For January's security awareness module on ISO27k, I'm developing a detailed checklist with which to assess, evaluate and score each of the information security controls recommended by ISO/IEC 27002 (as summarized in Annex A of ISO/IEC 27001)*.

The checklist/scoring format is one I invented years ago and have been using and refining ever since. It is a kind of maturity metric that has proven very valuable in practice, giving surprisingly consistent and useful results despite the subjective nature of the checks.

I am laying out 4 'indicators' for each control from '27002, specifying the kinds of things that would typically correspond to scores of 0% (exceptionally weak or missing controls) through 33% and 67% to 100% (exceptionally strong or cutting-edge controls). The 50% centre point on the scale divides 'inadequate' from 'adequate' controls, although that only really applies in the context of a mythical generic mid-sized organization with minimal information risks and hence security requirements. For many commercial organizations, 60% may be a more appropriate target, varying between organizations and controls - e.g. a financial services organization is likely to have more substantial information risks and hence needs stronger controls to ensure confidentiality, integrity and availability of information, than a typical manufacturing or retail business; an engineering design firm may value data integrity above all else, given the health and safety implications and liabilities if its output is inaccurate.

Looking back over the draft checklist, I've noticed that the scores for most controls correlate with 'assurance' activities. At the top end, 100% scores often involve strong assurance measures such as thorough, independent audits by competent auditors. At the bottom end, assurance measures are conspicuously absent: if it's not painfully obvious already, even a cursory check would no doubt reveal that the controls are either completely absent or totally inadequate, but checking simply isn't performed at the 0% level - in fact, it probably doesn't even occur to those involved. In the middle ground, assurance activities either drive systematic improvements where necessary, or increase confidence that the controls in place are sufficient - fit for purpose, of decent quality, doing a good job.

Therefore, assurance appears to be a universal KP
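The four-level scale described above, turned into a small gap-assessment script. This is an added example, not the NoticeBored checklist itself: the Annex A references are real ISO/IEC 27001:2013 identifiers, but the indicator wording, the selected levels, and the per-control target overrides are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Fixed scores for the four indicator levels (0 = missing/very weak, 3 = cutting edge).
LEVEL_SCORES = (0, 33, 67, 100)
GENERIC_THRESHOLD = 50  # mid-point dividing 'inadequate' from 'adequate'


@dataclass(frozen=True)
class Control:
    ref: str           # ISO/IEC 27001 Annex A reference, e.g. "A.12.4.1"
    name: str
    indicators: tuple  # four descriptions, weakest first (constructed text here)


def score_control(control, level):
    """Map the indicator level an assessor selected (0..3) to its % score."""
    if not 0 <= level < len(LEVEL_SCORES):
        raise ValueError(f"{control.ref}: level must be 0-3, got {level}")
    return LEVEL_SCORES[level]


def gap_report(controls, selections, org_target=GENERIC_THRESHOLD, overrides=None):
    """Score each control against the target that applies to it.

    org_target is the organisation-wide bar (50 generic, 60 for many commercial
    firms); overrides raises the bar for individual controls the business values
    more. Per-control targets are an assumption of this example."""
    overrides = overrides or {}
    report = {}
    for c in controls:
        score = score_control(c, selections[c.ref])
        target = overrides.get(c.ref, org_target)
        report[c.ref] = {"score": score, "target": target,
                         "adequate": score >= target, "gap": max(0, target - score)}
    return report


def domain_summary(report):
    """Average score per Annex A domain (the 'A.12' part of 'A.12.4.1')."""
    buckets = defaultdict(list)
    for ref, r in report.items():
        buckets[".".join(ref.split(".")[:2])].append(r["score"])
    return {d: round(sum(s) / len(s)) for d, s in sorted(buckets.items())}


# Constructed sample: four Annex A controls with made-up indicator text.
CONTROLS = [
    Control("A.9.2.3", "Management of privileged access rights",
            ("no control over admin accounts", "ad hoc approval", "periodic review", "audited, just-in-time elevation")),
    Control("A.12.4.1", "Event logging",
            ("no logs", "some logs, unreviewed", "central logging, reviewed", "independently audited monitoring")),
    Control("A.12.6.1", "Management of technical vulnerabilities",
            ("no patching", "ad hoc patching", "defined patch cycle", "measured SLAs, external testing")),
    Control("A.18.2.1", "Independent review of information security",
            ("never reviewed", "occasional self-review", "periodic internal audit", "regular independent audit")),
]
SELECTIONS = {"A.9.2.3": 1, "A.12.4.1": 2, "A.12.6.1": 3, "A.18.2.1": 0}
```

Running `gap_report(CONTROLS, SELECTIONS, org_target=60, overrides={"A.18.2.1": 67})` flags A.9.2.3 and A.18.2.1 as inadequate and `domain_summary` shows the A.12 domain averaging 84%.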