Module 3 looks at the information security strategy. We're going to look at things like metrics, the strategy overview and objectives, what the current state of information security is, and the development process for that security strategy. Metrics, which we use to look at and measure the security strategy, are really about how we quantify those things. We look at metrics for effective security and governance implementation in the six key areas: strategic alignment, risk management, value delivery, resource management, performance measurement and process integration assurance. When we talk about metrics, they have to be SMART metrics. They have to be specific, measurable, attainable, relevant, timely. There are a number of standards out there that can be used to identify metrics: ISO 27004, COBIT 5, even the Center for Internet Security in their document, the CIS security metrics, and one that will help us, which is NIST SP 800-55. When we're looking at effective metrics, the first category we're looking at is things like: what is the value of the asset at risk? What's our annualized loss expectancy and our return on security investment? We also look at what the impact is if that event should occur and what the likelihood is that it's going to occur. Vector metrics really are comprised of, from the bottom, strong management support, followed by strong information security policies and procedures. On top of that we lay quantifiable metrics, quantifiable performance measures, and then we look at it from a results-oriented measures analysis point of view. For governance implementation metrics, we look at things like key goal indicators, key performance indicators and key risk indicators. Where am I going? Goal. Am I getting there? Performance. And what's keeping me from achieving that goal? The key risk indicators.
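The asset-value, annualized loss expectancy and return on security investment metrics named above, worked through as an added example (this is not code from the module); the asset value, exposure factor, occurrence rates and control cost are constructed figures.

```python
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One threat scenario against one asset (constructed inputs)."""
    asset_value: float      # value of the asset at risk, in currency units
    exposure_factor: float  # fraction of the asset value lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence (expected events per year)

    def sle(self) -> float:
        """Single loss expectancy: the impact of one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: impact multiplied by yearly likelihood."""
        return self.sle() * self.aro


def rosi(before: RiskScenario, after: RiskScenario, annual_control_cost: float) -> float:
    """Return on security investment: risk reduction net of the control's cost,
    expressed relative to that cost. Negative means the control costs more than
    the risk it removes and the business case does not stand on ALE alone."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    risk_reduction = before.ale() - after.ale()
    return (risk_reduction - annual_control_cost) / annual_control_cost


def control_is_justified(before: RiskScenario, after: RiskScenario, annual_control_cost: float) -> bool:
    """True when the control pays for itself on an ALE basis (ROSI >= 0)."""
    return rosi(before, after, annual_control_cost) >= 0


# Constructed scenario: a 500,000 asset, 40% lost per event, one event every two years.
before_control = RiskScenario(asset_value=500_000, exposure_factor=0.4, aro=0.5)
# The proposed control cuts the event rate to once in ten years at 30,000 per year.
after_control = RiskScenario(asset_value=500_000, exposure_factor=0.4, aro=0.1)
CONTROL_COST = 30_000.0

if __name__ == "__main__":
    print(f"SLE before: {before_control.sle():,.0f}")       # 200,000
    print(f"ALE before: {before_control.ale():,.0f}")       # 100,000
    print(f"ALE after:  {after_control.ale():,.0f}")        # 20,000
    print(f"ROSI:       {rosi(before_control, after_control, CONTROL_COST):.2f}")  # 1.67
```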
What's essential to the strategic alignment metric is really to see how well we're aligned with the business: is security a business enabler? Is security responsive to changing business needs? Has that security been validated by senior management, with some oversight provided by the steering committee? The risk management metrics include a lot of things, like: are we maintaining risk at an acceptable level? That requires that we define what the expectations and objectives are, as well as what the organization's capacity, appetite and tolerance for risk are. The key, of course, is to reduce the adverse impact down to a level that's acceptable to manage. In order to do that, we have to look to see how many business impact analyses we have completed, how many risk assessments we have completed, and how many of our contingency plans have been completed and tested. Value delivery metrics: is the organization getting value out of its risk control investment? In other words, is there investment optimization, and is that control implementation supported by a convincing business case, with the idea of reducing risk and the risk posture down to a level that is acceptable to the organization? Resource management metrics look at how we're using our resources. Are we effective and efficient in the planning and the use of those resources? For example, do we have problems that recur? Is our staff being productive? What is the per-seat cost for security services? For example, what's the cost for testing a data packet coming into our network? When we do performance measurement metrics, we look at things like: what are we going to measure? How are we going to monitor it? What are we going to report? Things like, how long does it take to detect an incident? What are other organizations achieving in terms of results for incident detection time? We look at things like, what are the results for testing of our contingency plan?
Was the test successful or did the test fail? From an assurance process integration point of view, we want to make sure that there are no gaps in our information security. We want to make sure that there isn't any overlap of controls and that security is seamlessly integrated into the business process. We want to make sure that all of the security roles are very clearly defined, that everyone knows what their responsibilities are, and that we have effective communication in place.