Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
Older revision

According to cybersecurity solutions company Tenable, 84 percent of U.S. organizations turn to at least one cybersecurity framework, and 44 percent work with more than one.<ref name="WatsonTopFour19">{{cite web |url=https://www.itgovernanceusa.com/blog/top-4-cybersecurity-frameworks |title=Top 4 cybersecurity frameworks |author=Watson, M. |work=IT Governance USA Blog |publisher=GRC International Group plc |date=17 January 2019 |accessdate=23 July 2020}}</ref> This is done in part to comply with the mix of regulations affecting organizations today, as well as to provide a baseline of security policies and protocols, even for the smallest of organizations. In that regard, it makes sense to involve cybersecurity frameworks and controls heavily in the development of your cybersecurity plan.

For the purposes of this guide, the NIST control descriptions found in [https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final NIST Special Publication 800-53, Revision 4]: ''Security and Privacy Controls for Federal Information Systems and Organizations'' are used. While this framework of security and privacy controls is tailored to federal systems and organizations, most of the "Low" baseline controls, as well as select "Moderate" and "High" baseline controls, are still worth considering for non-federal systems and organizations. Additionally, a simplified set of controls was derived from SP 800-53 in the form of [https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final NIST Special Publication 800-171, Revision 2]: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations''. One benefit of this set of NIST controls is that it maps to both the NIST SP 800-53 and the ISO/IEC 27001:2013 controls, and many of the cybersecurity groups and frameworks listed above have at their base, or are mapped to, those same two groups of controls.

You'll probably want to refer to Appendix 1 of this guide. There you'll find the "Low" baseline controls of NIST SP 800-53, as well as select "Moderate" and "High" baseline controls. For basic organizations working with non-federal data, these controls should provide a perfectly useful baseline. The control descriptions have been simplified somewhat for quick reading, and any references or additional recommended reading are also included. Finally, you'll also see a mapping to what's known as "LIMSpec," an evolving set of software requirements specifications for laboratory informatics systems. If you're not in the laboratory industry, you may not find that mapping entirely useful; however, LIMSpec still includes many specifications that could apply to a broad array of software systems.

Whichever frameworks and control groups you settle on, choose at least one and browse through its controls. Select the controls that map readily to the assessments, objectives, and policies you've already developed. You should also notice that some of the controls correspond to elements of the cybersecurity plan development steps found in this guide. The NIST control "IR-1 Incident response policy and procedures," for example, ties into step 5.8 of this guide, discussed later.

==References==
{{Reflist}}

Newer revision

[[File:Opsview Monitor 6.0 Dashboard.jpg|right|440px]]Your cybersecurity goals are formulated, their associated objectives are set, and security controls are selected. But how should you best measure their implementation, and over what sort of timeline should they be measured? This is where performance indicators come into play. A performance indicator is "an item of information collected at regular intervals to track the performance of a system."<ref name="Fitz-GibbonPerformance90">{{cite book |url=https://books.google.com/books?id=uxK0MUHeiI4C&pg=PA1 |title=Performance Indicators |editor=Fitz-Gibbon, C.T. |publisher=Multilingual Matters Ltd |page=1 |year=1990 |isbn=1853590932}}</ref> They tend not to be perfect measures of performance, but performance indicators remain an important function of quality control and business management. There's also a social aspect to performance indicators: what are the implied message and behavioral implications of implementing such a monitoring system? Does the monitoring of the indicator, in the end, have a beneficial impact?<ref name="Fitz-GibbonPerformance90" />

Regardless of what industry you work in, deciding on the most appropriate indicators is no easy task. In March 2019, Axio CTO Jason Christopher spoke at a cybersecurity summit about security metrics (a metric is typically a number-based measurement within an indicator), with a focus on the energy industry. During that talk, he discussed various myths concerning the collection of metric data for indicators, as well as the mixed success of tools such as heat maps and scorecards. After highlighting the difficulties, he gave a few pieces of useful advice. Among the more interesting suggestions was a security metrics worksheet to better define, understand, and track what you'll measure for your indicators. In his example, he used the Electric Power Research Institute's (EPRI) ''Cyber Security Metrics for the Electric Sector'' document, pulling an example metric and explaining how it was created. Among other aspects, the worksheet format includes an identifier for the metric, the associated organizational goal, and the associated cybersecurity control, which helps ensure the metric is aligned with organizational policy, existing terminology, and current best practices.<ref name="ChristopherCreating19">{{cite web |url=https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1552942066.pdf |archiveurl=https://web.archive.org/web/20190926033850/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1552942066.pdf |format=PDF |title=Creating a Security Metrics Program: How to Measure Success |author=Christopher, J.D. |publisher=Axio |date=18 March 2019 |archivedate=26 September 2019 |accessdate=23 July 2020}}</ref><ref name="EPRICyber17">{{cite web |url=https://www.epri.com/#/pages/product/3002010426 |title=Cyber Security Metrics for the Electric Sector: Volume 3 |author=EPRI |date=18 December 2017 |accessdate=23 July 2020}}</ref>

Regardless of industry, you may find it useful to keep similar worksheet documentation for the indicators you choose. Unfortunately, unlike the energy industry, many industries don't have a developed set of technical cybersecurity metrics. However, the ground that EPRI has already covered, plus insights gained during the security controls selection process (see 5.3.10), should aid you in choosing the most appropriate indicators. (An archived version of Jason Christopher's description of the fields on the security metrics worksheet can be found [https://web.archive.org/web/20190926033850/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1552942066.pdf here] [PDF]. The EPRI cybersecurity metrics document can be downloaded for free at [https://www.epri.com/#/pages/product/3002010426/?lang=en-US EPRI.com].) Whatever indicators you choose, be sure they are specific, measurable, actionable, relevant, and timely. In particular, keep the time frame of cybersecurity strategy development and implementation in mind when choosing indicators. If you expect full implementation to take three years but choose indicators that can only be measured outside that time frame, those indicators won't be actionable or timely.<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=23 July 2020}}</ref>

Finally, consider the advice of author and strategic adviser Bernard Marr that a business shouldn't be run heavily on performance indicator data. The same applies to the development of your indicators for cybersecurity success. Instead, he says, "the focus should be on selecting a robust set of value-adding indicators that serve as the beginning of a rich performance discussion focused on the delivery of your strategy." He continues with a reminder that real people and their actions are behind the indicators, which shouldn't be taken purely at face value.<ref name="MarrKey12">{{cite book |url=https://books.google.com/books?id=WleQ-F6WC3sC&printsec=frontcover |chapter=Introduction |title=Key Performance Indicators (KPI): The 75 Measures Every Manager Needs to Know |author=Marr, B. |publisher=Pearson UK |year=2012 |page=xxvii |isbn=9780273750116}}</ref>

==References==
{{Reflist|colwidth=30em}}

Revision as of 16:26, 16 February 2022
