
responsibility as well as a means of monitoring, and metrics must be developed to provide that assurance.

5.1.1 Strategic Direction

Since the fundamental purpose of information security is the protection of the organization and providing a reasonably predictable base for operations, its activities and goals must be aligned with the organization’s long-term objectives if it is to provide value.

Strategic objectives may be formally documented and readily available or more obscure and only known to constituent business and operational units. Whatever the case, this information is needed to develop functional goals for an information security program, which in turn will frame the requirements for information security governance. Since, fundamentally, governance is the structure and system of rules for governing, it is essential that it be clear what it is designed to accomplish.

A typical example could be a bank with the long-term strategic objectives of eliminating most physical branches and converting the majority of its activities to online, internet-based operations. Clearly, the security requirements will change dramatically as this evolution occurs. Entirely new threats must be assessed, levels of acceptable risk must be determined, systems and requirements developed, and so forth. It would obviously be negligent to consider this business approach without an evaluation of risks, impacts, and mitigation approaches, as well as defining what the structure and rules of operation will be for the initiative. The objectives must be defined before the systems can be designed and security aligned with them.

5.1.2 Ensuring that Objectives are Achieved

Once objectives are defined and the strategic direction is set, ensuring that those objectives are achieved will require defining a strategy (Chapter 6) for implementation, milestones, and monitoring and metrics for governance feedback.

What metrics will provide the information needed for ensuring that objectives are achieved? First, there will be different phases in any initiative and there will be different information needed during those phases. A useful approach to considering the various phases is the system-development life-cycle method (SDLC). Depending on the source, there are some variations in the details of the SDLC approach but, generally, they are similar to the following:

• Feasibility
• Requirements
• Architecture and design
• Proof of concept
• Development
• Deployment
• Maintenance
• End-of-life decommissioning

Considering each of these steps, we can determine the types of strategic decisions that must be made and the information needed to make them, which, in turn, will define the metrics needed. At this level, many of the metrics will be roll-ups or synopses of various assessments and studies to determine whether an initiative is on time, will have the desired effects, requires additional resources, and so on. Generally, the information needed will be along the following lines:

• Risks—requires a risk assessment and analysis
• Effectiveness of measures to mitigate risk—assessment of control objectives and controls
• Value/benefits—requires studies of markets, competitions, and trends
• Impact of failure—business impact assessment from compromise or failure
• Total cost of ownership (TCO)—includes acquisition, deployment, maintenance, training, impact on productivity, and so on
• Return on investment—financial metrics such as IRR, NPV, and ROI

5.1.3 Risks Managed Appropriately

For risks to be managed appropriately will, of course, mean that what is “appropriate” is determined by senior management. It will also, by inference, mean at what cost. But unless it is determined what that means rather precisely, it will not be possible to manage it in any measurable way. Generally, the reference is to “risk tolerance” but that is still nebulous and must be defined to provide a point of reference.

One approach is to arrive at a management decision as to what monetary loss amount constitutes an “acceptable risk.” If, for example, management determines that any single risk that cannot cause more than a $10,000 loss with a probable frequency (with a 95% certainty) of XX% or less annually is not worth the time and effort to mitigate, then there is a point of reference that can guide risk management efforts. Of course, assessment and analysis will be complex and arduous to make those determinations and will include risk and business-impact assessments and analysis as well as annual loss expectancy (ALE), return on security investment (ROSI), and, possibly, value at risk (VAR) computations (these and others are discussed in Chapter 13).

Another approach could be to perform the foregoing analysis first and then rank possible losses, probable frequency, maximum and probable single-loss events, and, perhaps, aggregation probability followed by total costs to mitigate impacts to various levels, along with methods of doing so. Management will then be in a position to decide what would be “appropriate” at what cost.

A third approach can be derived from business continuity planning (BCP) and developing recovery time objectives (RTOs). This will require, at a minimum, business impact assessment (BIA) and a risk assessment to determine risk level and probability. The determination of the criticality of a particular business process and understanding the impact of failure or compromise followed by the costs of unavailability over time will provide a basis for determining the recovery times needed to control impacts. Analysis of what will be required to recover the function within the necessary time will provide a method of determining the cost of doing so.

Since shorter recovery times will usually be more expensive, evaluating the benefits versus the costs will reveal the optimal point at which the cost of losses equals the cost of recovery. Performing this exercise for all critical systems will provide a basis for determining optimal cost/benefit ratios of managing risk that will supportably be “appropriate.”

There are two problems with this approach. One likely problem is whether management finds the costs acceptable, which experience indicates would not be typical. The other problem is that some aspects are inherently speculative and difficult to determine with certainty, such as the frequency and magnitude of the realization of potential risks.
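The three approaches above (a management-set acceptance point, ranking by expected loss and cost to mitigate, and the RTO point where accumulated loss meets recovery cost) as an added Python sketch; this is not code from the book. The thresholds, dollar figures, risk names and recovery options are constructed, and the ALE and ROSI formulas used are the common textbook definitions assumed here rather than the treatment Chapter 13 gives.

```python
"""Risk-acceptance screening, ALE/ROSI ranking and RTO cost crossover (constructed example)."""
from dataclasses import dataclass

# Management's acceptance point (constructed placeholders, not the book's figures):
# a risk whose single-event loss is at most MAX_LOSS and whose probable frequency
# is at most MAX_ARO events per year is accepted without mitigation.
MAX_LOSS = 10_000.0
MAX_ARO = 0.05


@dataclass
class Risk:
    name: str
    sle: float            # single loss expectancy, dollars per event
    aro: float            # annualized rate of occurrence, events per year
    control_cost: float   # annual cost of the proposed mitigation
    residual_aro: float   # ARO expected once the mitigation is in place

    def ale(self) -> float:
        """Annual loss expectancy before mitigation (assumed ALE = SLE x ARO)."""
        return self.sle * self.aro

    def rosi(self) -> float:
        """Return on security investment (assumed: (ALE avoided - control cost) / control cost)."""
        avoided = self.ale() - self.sle * self.residual_aro
        return (avoided - self.control_cost) / self.control_cost


def accepted(risk: Risk) -> bool:
    """First approach: True when the risk sits inside management's acceptance point."""
    return risk.sle <= MAX_LOSS and risk.aro <= MAX_ARO


def rank_for_decision(risks: list[Risk]) -> list[tuple[str, float, float]]:
    """Second approach: risks outside the acceptance point, ranked by ALE, with ROSI alongside
    so management can decide what is 'appropriate' at what cost."""
    pending = [r for r in risks if not accepted(r)]
    return [(r.name, r.ale(), round(r.rosi(), 2))
            for r in sorted(pending, key=lambda r: r.ale(), reverse=True)]


def optimal_rto(loss_per_hour: float, recovery_options: dict[int, float]) -> int:
    """Third approach: the shortest candidate RTO (hours) at which the loss accumulated over
    an outage of that length meets or exceeds the cost of recovering that fast.
    recovery_options maps candidate RTO hours to the per-outage cost of achieving them."""
    for hours in sorted(recovery_options):
        if loss_per_hour * hours >= recovery_options[hours]:
            return hours
    return max(recovery_options)  # no option pays for itself; fall back to the slowest
```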

5.1.4 Verifying that Resources are Used Responsibly

As with other aspects of the governance definition, “responsibly” must be clarified for any form of metrics or monitoring to be reasonably possible. It is a common term; most will have a reasonably good idea as to its meaning but it is difficult to define with any precision. General clarification can include various specifics such as:

• Using resources only for acceptable organizational purposes
• Achieving specified levels of utility
• Analysis of cost/benefit, showing acceptable levels
• Resource allocation based on risk reward analysis
• Achieving an anticipated return on investment (ROI)
• Realizing targeted productivity gains

There are undoubtedly many additional specifics that might be suitable, but these are typical and relatively straightforward to develop metrics for. Although many of the metrics suggested will be of significant value at the security management level, some roll-up or aggregation of this information will provide senior management with the information needed to determine if the program is on track and meeting objectives. The decisions that must be made at the strategic level will typically be whether to do nothing because objectives are being verifiably met, or whether something must be changed because they are not.


Information Security Governance. By Krag Brotby 33 Copyright © 2009 John Wiley & Sons, Inc.

Chapter 6
