One of the key changes of iso 27001 – 2013 is the introduction of security performance framework in the management requirements. This is necessitated by the following ISO 27001 2013 Clauses

5.2 – Policy

Clause 6.2 – Information security objectives and planning to achieve them, and

Clause 9.2 – Monitoring, measurement, analysis, and evaluation

Here is how this can be achieved:

With limited time in your hand, even if you spend 30 minutes in a month, you can review the performance of security using the following key issues.

Irrespective of whether you are compliant to an international best practice such as ISO 27001 or not, these points will drive teams to be ahead in their security performance.

  1. New asset additions – Addition of new assets pose new challenges for security. Asset can be any new information, new intellectual property, new applications, new technology or physical infrastructure, and even a new service provider. Questioning new asset results in verifying whether adequate controls are in place to protect them.
  2. New risks identified – This follows the new asset additions, but new risks may be a result of other external factors beyond the scope of assets. New risks can be as a result of changes in business strategy, customer requirements, operating environments, legal requirements, hazards and/or financial changes – each of which may have an impact on the risk management. New risks are those that do not have a mitigation plan yet, but information about the risk is relevant for management for risk decisions.
  3. New controls added – this can be a result of recent decision to address a new risk. This can be a new technical, physical, procedural or personnel control. Note that a new control always is perceived negatively as it may be seen as an operations hindrance. So question how successful are these new controls and there implementations.
  4. Attack information – updates from log analysis especially gateway protection devices such as spoofing attacks, unauthorized access attempts to key applications, numbers of servers remaining un-patched despite a ‘critical’ patch release, number of theft attempts captured in CCTV – are some of attack information that helps management keeps track of number of break-in attempts. Consider both attacks within and outside the organization including physical area, industry sector as relevant. Sometimes this is just a trend information as you may not be able to prevent, but will be able to verify whether your Business Continuity Plan can handle such events in they really turn into incidents for you.
  5. Number of new vulnerabilities in the wild relevant to our infrastructure – Availability of independent vulnerability sources such as computer emergency response team (CERT) as well as original equipment manufacturer (OEM) reported vulnerabilities – provides huge information, therefore it is important to pick out vulnerabilities relevant to organizations’ own infrastructure. Having identified the relevant vulnerability and how you are tracking to closure would be of interest to management.
  6. Number of people trained in security – this may be both as part of the joining formalities and technical expertise. This is an indicator of how many are being made of organizations’ policies and gives confidence as to how many are left, if any. Training should also include technical skills as well as restoration skills.
  7. Number of reported vulnerabilities within the organization – this is an important indicator of how people participated in the security process and they are reporting incidents/weaknesses. Note that more people report an incident, more aware is your organization.
  8. Metric performance – if you are compliant to an international standard (such as ISO 27001) you are also required to receive performance of security metrics as part of regular reporting. Unlike previous points, in metrics the management has set a target for performance for a security process. Deviations from the target are a subject of root cause analysis (RCA) and should be investigated as part of the compliance process.

If you are not getting these reports start asking, after all this a management driven system. Your oversight will drive security compliance to a newer level.

Hope this helps!

Author : Probal C