Sunday, January 3, 2010

A Successful Security Program: Metrics and Support are the key ingredients

Brendan Healy, EMTB, CISSP


Metrics can help drive support for Security Programs


Physicians don’t rely on qualitative measures alone to determine the proper treatment for a patient. They need solid, quantifiable measurements to establish a baseline and detect change in a patient’s status. The same is true of a security program. Senior managers are more willing to support security decisions when they can clearly see the baselines and the changes expressed as measurable results. If you can’t measure it, managing it becomes an ever greater challenge (Zalud 2009).

Not all metrics are created equal. Actionable and meaningful metrics drive results home with management. Identifying candidate measurements, or key performance indicators, that mark progress toward a defined goal is one approach (Zalud 2009).

Once the measurements are defined, collection of the data points can begin. Surveys, variance reports and other indicators are all methods of collecting those data points. After the points are collected, baselines can be established and trends and correlations identified.




Proper placement within the organization is required for operational effectiveness


Security programs should have a clear and effective reporting structure within an organization. A proper reporting structure is essential to the independence and autonomy of any security management function.


Security programs are only as effective as the support they receive from senior management. Executive support and management buy-in are essential to an effective program. Proper placement within the organization, combined with transparent and actionable metrics, fosters relationships with senior management. In turn, senior management is empowered to make effective decisions based upon good data.

Physical security programs have often been placed within human resources, corporate real estate, or other functional areas. Are these the proper homes for a program that identifies risks to the organization and takes proactive steps to mitigate or reduce them? Information security programs have followed a similar lifecycle: their roots are generally in technology, and they often report within the Chief Technology or Chief Information Officer’s organization.

Both physical and information security programs share one major goal: to identify and mitigate risk. Security programs should have a reporting structure with independence, to either the board of directors or the audit function, to ensure proper transparency (McCrie 2007). A “dotted line,” or shared responsibility, to a third party outside the main management reporting structure provides the segregation of duties typically required by financial controls. Further, a solid line to the Chief Operating Officer or Chief Executive Officer empowers management to make good decisions based upon the risks identified by the security teams.

As organizational reporting structures evolve, both information and physical security programs can increase their ability to provide transparency. Proper placement under senior management, together with measurable and actionable metrics that allow those managers to make good decisions, is the basis of an effective security program.

References:


Zalud, Bill. “New Math: Security Means Business Performance.” Security Magazine, 1 Aug. 2009. Online.


Monday, August 31, 2009

Proposed Cybersecurity Act of 2009 (S.773 )

Take a moment to review and read: http://www.opencongress.org/bill/111-s773/text

A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.

Wednesday, August 26, 2009

SPIN, SCAN, SHIELD…. Police Information Networks, Which one should I belong to and why?


Ever wanted to learn of emerging security and public safety issues as they develop rather than after the fact? Police Information Sharing Networks allow the private sector to be informed of changing emergency conditions while maintaining situational awareness. On Long Island, we have a number of great resources at our disposal from the Suffolk County, Nassau County and New York City Police Departments.


All of the programs, including Infragard, provide a forum for the exchange of information that helps promote public safety, homeland security and the sharing of information to help protect you, your family and your business.


If you don’t hear the alarm, then how effective is it? These programs are only as effective as the membership that supports them. Members who actively monitor the alerts, attend information sessions and stay abreast of changing emergency conditions have the greatest impact on the program.


So which one should you be a part of? SPIN, SCAN and SHIELD each have some unique attributes. Take a look at the table below to find the program or programs that are right for you:


Program: Nassau County SPIN
  Audience: Security Directors, Business Managers
  Location served: Nassau County and Long Island
  Benefits:
  • Situational awareness alerts via e-mail
  • Training sessions

Program: Suffolk County SCAN
  Audience: Security Directors, Business Managers
  Location served: Suffolk County and Long Island
  Benefits:
  • Situational awareness alerts via e-mail
  • Training sessions
  • Interest-group-specific notifications

Program: NYPD SHIELD
  Audience: Security Directors, Business Managers
  Location served: New York City
  Benefits:
  • Global intelligence information
  • Training sessions
  • Interest-group-specific notifications


Saturday, May 30, 2009

President Obama Announces Cybersecurity Initiative

President Obama announced yesterday the creation of a Cybersecurity Coordinator within the Executive Branch of the Federal Government. The position will be a central force in the coordination and implementation of federal cybersecurity policies and initiatives. The new coordinator will also be a member of the National Security team and will have direct access to the President. Five new strategic initiatives will be implemented to meet the challenge:


  • Develop a new comprehensive strategy to secure America’s information and communication networks. The new Cybersecurity Coordinator will work hand-in-hand with the White House Chief Information Officer and Chief Technology Officer
  • Establish working relationships with all in-scope Federal, State and Local Government agencies
  • Strengthen the Public-Private Partnerships
  • Foster and Fund cutting edge research and development
  • Promote cybersecurity through a national campaign

The President noted that the private sector owns and operates most of the critical infrastructure in the United States. The Federal Government cannot act alone in this effort, which is critical to our national security, and it is paramount that the private sector rise to the occasion. Organizations like the InfraGard program, which promote public-private partnerships, need to be funded and fostered to ensure success.


This is an exciting time and stay tuned for more details….

Monday, April 27, 2009

Swine Flu? Get the facts

In response to the latest surge in media coverage regarding the "Swine Flu" (H1N1) virus, we have compiled a list of sources for detailed information:

Centers for Disease Control and Prevention:
http://www.cdc.gov/swineflu/index.htm

http://www.cdc.gov/swineflu/key_facts.htm

World Health Organization, Epidemic and Pandemic Alert and Response:
http://www.who.int/csr/don/en/

Guidance for Prevention and Avoidance:
http://www.cdc.gov/swineflu/swineflu_you.htm

We will continue to provide timely information as we receive it. For briefings and up-to-date secure communications, please visit the Secure Portal of the Infragard site.


Monday, April 20, 2009

LI Infragard is now on Twitter!


Ever wonder what goes on behind the scenes at the Long Island Infragard Chapter?

Now you can know by keeping tabs on our status on Twitter:

https://twitter.com/infragard_li

Tuesday, March 31, 2009

Infragard Long Island March 26, 2009 Meeting



Wow, what a great event we had yesterday at the Suffolk County Police Department Police Academy. We had a great time discussing our upcoming events and trying to re-energize the public-private partnership on Long Island. Mark White, Deputy Chief of the Suffolk County Police Department, and his team discussed and showed our members the capabilities they have for dealing with unknown substances (read: white powders, chemicals, etc.) and how quickly they can determine whether or not they are safe. They also showcased the "B.E.A.R." anti-terrorism armored truck. The members had a blast touring this vehicle, and we were in awe of all the capabilities it has to protect our nation's defenders.

Many people are unaware that the important task of keeping their communities and critical infrastructure protected requires their constant participation. In our day-to-day grind we are always rushing from one place to another (work, school, home, etc.), and we fail to notice how things are changing in our environment, sometimes for better, other times for worse. The Long Island InfraGard chapter is trying to recruit members to further develop our grassroots movement and help protect our nation by protecting our own backyard first.

What is InfraGard? This is a question I get asked all the time (did I mention I'm not only a client, I'm a member?). As summarized on our website (http://www.infragard-li.net/aboutus.htm):

InfraGard is an alliance of businesses, academic institutions, state and local law enforcement agencies, and other organizations, which are unified together to prevent hostile acts against the United States through information and intelligence sharing.

InfraGard is a Federal Bureau of Investigation (FBI) program that began in the Cleveland Field Office in 1996. It was a local effort to gain support from the information technology industry and academia for the FBI’s investigative efforts in the cyber arena. The program expanded to other FBI Field Offices, and in 1998 the FBI assigned national program responsibility for InfraGard to the former National Infrastructure Protection Center (NIPC) and to the Cyber Division in 2003. InfraGard and the FBI have developed a relationship of trust and credibility in the exchange of information concerning various terrorism, intelligence, criminal, and security matters.

The strength of InfraGard’s intelligence and information sharing comes from its subject matter expert membership, which represents a wide range of industries, professions and fields.

This organization is membership driven, and we only get out of this program as much as we put into it. If you are interested in learning more about our program, please visit our website or contact me directly.

Stay safe!!!