Thursday, February 28, 2013

Heralding the Dawn of Critical Infrastructure Security Metrics

You may like this blog because of its emphasis on business-oriented security metrics and measurement. Or you may loathe it for the same reason (though if you do, you shouldn't still be visiting much).

Can't measure, can't manage. On this we agree, right?

So ... we're two weeks past the Presidential executive order (EO) that kicked off a new round of meetings that will ultimately produce a new NIST framework for grid security. You can read about the goals for this thing, including the RFI process HERE.

Thanks to EnergySec's Patrick Miller, who tweeted yesterday that this round of work is designed, among other things, to produce metrics that can be used to assess the current security posture of your organization.

To wit: "The Framework should include flexible, extensible, scalable, and technology-independent standards, guidelines, and best practices, that provide: Metrics, methods, and procedures that can be used to assess and monitor, on an ongoing or continuous basis, the effectiveness of security controls that are selected and deployed in organizational information systems and environments in which those systems operate and available processes that can be used to facilitate continuous improvement in such controls."

Bravo. I also note (and you'll see) that a section called Current Risk Management Practices poses these highly metrics-suggestive questions:
  • How do organizations define and assess risk generally and cybersecurity risk specifically?
  • To what extent is cybersecurity risk incorporated into organizations’ overarching enterprise risk management?
  • What standards, guidelines, best practices, and tools are organizations using to understand, measure, and manage risk at the management, operational, and technical levels?
You can see where this is leading, can't you? I plan to be at the first framework development meeting that's open to industry, and will be including my 2 cents in the RFI process as well. I recommend you do the same.

Heard that meeting might be on April 3 and will confirm or revise accordingly.
