“Risk cannot be measured” is a common phrase borrowed from science and mathematics and often applied to information security. While it is true that some risk measurements are subjective, it is naive to believe that no measurement can be reached. Risk itself is not a single number, but aspects of risk can be measured.
For example, you can measure:
* The percentage of vendors that meet the organization's standards
* The level of compliance with applicable requirements
* The number of vulnerabilities present in the environment
It is important for credit unions to identify, prioritize and manage risk. Management and technical staff must jointly define the criteria for measuring information security performance, and these measurements should clearly align with the organization's goals and methods.
When developing measures, avoid technical, legal and other specialized jargon. Focus on measuring the services rendered. Clearly define the objectives, methods and measurements. This facilitates open communication, prudent planning and financial returns.
Common excuses for avoiding risk measurement include:
* “The Board does not understand.” Information security includes both technical and physical security. Ensuring confidentiality, integrity and availability requires deep insight into technology, risk modeling, physical security, laws and regulations. Technical complexity often hinders communication between management and information technology (IT) staff. The challenge for IT staff: convey complex information simply and clearly. The challenge for management: be willing to accept change.
* “Security measurements are for large credit unions only.” Incorporating an information security measurement process into an organization takes time, persistence and often cultural change. People often feel threatened, dislike change, or have social motivations to slow the process down. But credit unions of all sizes benefit from measuring risk. It may take time, but perseverance pays off when the tracking supports budget requests and provides valuable return-on-investment data.
* “Security moves too fast.” Technology continues to change at an amazing speed, and many believe information security measurement cannot keep up with technological change. But the real problem may be poorly designed measurements. The remedy is to align measurement with corporate strategy: clearly define objectives and goals, then measure information security as it relates to those goals and objectives.
Rational decisions require simple, measurable, attainable, repeatable and timely (SMART) information. Keep information security risk tracking:
* Simple. Measurement objectives must be clearly understood by all intended parties. Create a list of key performance indicators. Avoid technical, legal and other jargon. Avoid data overload and stay focused on specific performance measurements.
* Measurable. While many aspects of security and risk are difficult to measure, focus on what can be measured, for example the number of vulnerabilities or the number of occurrences.
* Attainable. Some measurements are a direct output of existing reports and systems; others require analysis to produce. Make sure the measurement goals are achievable over time, so that they can be continually evaluated and managed at minimal cost.
* Repeatable. Because you need to show trends over time to create useful information, make sure that the tracking is easy to carry out consistently and can be repeated.
* Timely. Outdated information skews analysis and directly influences decisions. The timeliness of data often determines its value. Make sure that the tracking is easy to update as necessary. Aim for maximum automation with minimal manual operation. Set clear communication and access rights at the beginning.
Credit unions can measure information security performance. Risk modeling, financial tracking, key performance indicators and other measurements can help you align information security with organizational goals and strategies.