Be SMART and Make Your Cybersecurity Risk Management Program Actionable — RockCyber


Last time I discussed evaluating alternative strategies for building your information security management system and rationalizing your security controls based on your organization's context.

As a reminder, COSO ERM has five components, and we are on the second, Strategy and Objective-Setting. This component consists of four principles:

  1. Analyzes business context

  2. Defines risk appetite

  3. Evaluates alternative strategies

  4. Formulates business objectives

This week we will handle the fourth principle: Formulates business objectives.

Just as the organization must develop business objectives that are specific, measurable, achievable, relevant and time-bound (SMART), so must your risk management program.

Defining business objectives makes the business strategy implementable.

Defining risk tolerance makes the risk appetite operational.

You need to define metrics for your cybersecurity program so you can confirm that the organization is operating within its stated risk tolerance. Techniques such as The Open Group's FAIR (Factor Analysis of Information Risk) can help quantify risk and risk tolerance; however, cybersecurity is not an exact science.
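As an added example (not from the original post and not The Open Group's own material), the Python sketch below shows the core FAIR decomposition: risk is annualized loss exposure, built from loss event frequency and loss magnitude per event. It simulates a year many times, summarizes the resulting annual loss distribution, and checks the 95th percentile against a dollar risk tolerance. The event rate, the loss distribution parameters, and the tolerance figure are assumptions chosen for illustration, as is the choice of "95th-percentile annual loss" as the tolerance statement.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure.

Added example; not from the original post or The Open Group. The frequency,
magnitude and tolerance figures below are assumptions for illustration.
"""
import math
import random
import statistics


def poisson_sample(rng: random.Random, rate: float) -> int:
    """Draw one Poisson(rate) value with Knuth's method (fine for small rates)."""
    limit = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1


def simulate_annual_loss(events_per_year: float, loss_median: float,
                         loss_sigma: float, trials: int = 10_000,
                         seed: int = 7) -> list:
    """Return one simulated total annual loss per trial.

    FAIR factors risk into loss event frequency (here Poisson with the given
    mean) and loss magnitude per event (here log-normal, parameterised by its
    median and log-space sigma). Annual loss is the sum over events in a year.
    """
    rng = random.Random(seed)
    mu = math.log(loss_median)
    totals = []
    for _ in range(trials):
        events = poisson_sample(rng, events_per_year)
        totals.append(sum(rng.lognormvariate(mu, loss_sigma) for _ in range(events)))
    return totals


def summarize(losses: list, tolerance: float) -> dict:
    """Summary statistics plus a check against a dollar risk tolerance.

    The tolerance here is expressed as 'the 95th-percentile annual loss must
    not exceed this amount'; a real program would pick its own statement.
    """
    ordered = sorted(losses)

    def percentile(q: float) -> float:
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    p95 = percentile(0.95)
    return {
        "mean": statistics.mean(ordered),
        "p50": percentile(0.50),
        "p95": p95,
        "within_tolerance": p95 <= tolerance,
    }


if __name__ == "__main__":
    # Assumed inputs: two loss events per year, median loss $50k per event,
    # wide spread (sigma 0.8), and a tolerance of $1M at the 95th percentile.
    losses = simulate_annual_loss(2.0, 50_000, 0.8)
    for key, value in summarize(losses, 1_000_000).items():
        print(f"{key}: {value:,.0f}" if isinstance(value, float) else f"{key}: {value}")
```

The point of the simulation is the shape of the answer, not a single number: the mean annual loss sits well below the tail, so a tolerance stated as a mean and one stated as a 95th percentile are very different commitments. That is also why the quantitative figure should sit next to qualitative judgement rather than replace it.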

Consider using a combination of quantitative and qualitative metrics. Believe me, there is room for both in your life. Just like the Star Wars versus Star Trek debate. Stop …

My good friend Caroline Wong states in her book “Security Metrics: A Beginner’s Guide” that metrics provide three main benefits (Wong, 2012):

  1. Measurement provides visibility.

  2. Measurement educates and provides a common language for understanding the cybersecurity program.

  3. Measurement enables improvement by supporting effective management, investment and decision-making, while driving the necessary changes throughout the organization.

Your organization will likely have a different risk appetite for different business units or systems.

This means that risk tolerances may differ across systems or assets.

In other words, metrics may change, or carry different meanings, depending on context. I will delve into metrics in future posts, but for now here are three things to consider:

  1. Understand the reporting tools and data sources available to you, so that you can define and collect your metrics.

    o You can’t measure data you can’t collect.

  2. Define metrics that reflect your cyber risk appetite and risk tolerance, which, as a reminder, derive from your organization’s overall risk appetite and risk tolerance. They come in the form of key performance indicators (KPIs), which lag and measure the past, or key risk indicators (KRIs), which lead and give you an idea of what may happen in the near future.

  3. Remember your audience. Different levels of the organization need different metrics.

    o Operational metrics focus on data. They let you manage day-to-day operations and are intended for individual first-line staff and their leaders.

    o Executive and board metrics focus on information. They give leadership a view of how the cybersecurity program is performing over a period of time, so that they can make informed business decisions.
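The following Python example is added here and is not from the original post; it ties together the points above: the same metric judged against a different tolerance per business unit, a lagging KPI (mean time to remediate) beside a leading KRI (open critical findings past SLA), and an operational view for first-line staff beside an executive roll-up. The findings are constructed sample records, and the business units, asset names, SLAs and thresholds are hypothetical.

```python
"""Lagging KPIs and leading KRIs per business unit, checked against each
unit's own risk tolerance, with an operational and an executive view.

Added example with constructed data; not from the original post. Units,
assets, SLAs and thresholds are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    unit: str                      # business unit that owns the asset
    asset: str
    severity: str                  # "critical" or "high"
    opened: date
    closed: Optional[date] = None  # None while still open


# Constructed sample findings, not real scanner output.
FINDINGS = [
    Finding("payments", "pay-api-01", "critical", date(2024, 3, 1), date(2024, 3, 4)),
    Finding("payments", "pay-db-01", "critical", date(2024, 3, 10)),
    Finding("payments", "pay-api-02", "high", date(2024, 3, 12)),
    Finding("marketing", "www-cms", "critical", date(2024, 2, 1), date(2024, 3, 1)),
    Finding("marketing", "www-cms", "critical", date(2024, 3, 15)),
    Finding("marketing", "blog-01", "critical", date(2024, 2, 10)),
]

# Risk tolerance differs per unit (hypothetical): the SLA for closing a
# critical finding, how many may be past SLA, and the acceptable mean time
# to remediate. Payments tolerates far less than marketing.
TOLERANCE = {
    "payments": {"sla_days": 7, "max_overdue": 0, "max_mttr_days": 7},
    "marketing": {"sla_days": 30, "max_overdue": 2, "max_mttr_days": 30},
}


def overdue_criticals(findings, unit: str, today: date) -> list:
    """Leading KRI detail: open critical findings past the unit's SLA.

    Forward-looking: each one is a live exposure that has not yet become a loss.
    """
    sla = TOLERANCE[unit]["sla_days"]
    return [f for f in findings
            if f.unit == unit and f.severity == "critical" and f.closed is None
            and (today - f.opened).days > sla]


def mttr_days(findings, unit: str) -> Optional[float]:
    """Lagging KPI: mean days to close critical findings (None if none closed).

    Describes past performance only; it says nothing about what is open now.
    """
    durations = [(f.closed - f.opened).days for f in findings
                 if f.unit == unit and f.severity == "critical" and f.closed is not None]
    return sum(durations) / len(durations) if durations else None


def operational_view(findings, unit: str, today: date) -> list:
    """First-line view: which assets need action now and how long they have waited."""
    return sorted((f.asset, (today - f.opened).days)
                  for f in overdue_criticals(findings, unit, today))


def executive_view(findings, today: date) -> dict:
    """Leadership view: one row per unit, judged against that unit's tolerance."""
    report = {}
    for unit, tol in TOLERANCE.items():
        overdue = len(overdue_criticals(findings, unit, today))
        mttr = mttr_days(findings, unit)
        within = (overdue <= tol["max_overdue"]
                  and (mttr is None or mttr <= tol["max_mttr_days"]))
        report[unit] = {"overdue_criticals": overdue,
                        "mttr_days": mttr,
                        "within_tolerance": within}
    return report


if __name__ == "__main__":
    today = date(2024, 3, 20)  # assumed reporting date
    for unit in TOLERANCE:
        print(unit, "operational:", operational_view(FINDINGS, unit, today))
    for unit, row in executive_view(FINDINGS, today).items():
        print(unit, "executive:", row)
```

With the assumed reporting date, both units have exactly one critical finding past SLA, yet payments is outside its tolerance and marketing is inside its own: the raw count means different things in different contexts. The operational view tells the first line which asset to work on; the executive view only says whether each unit is where leadership agreed it should be.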

Congratulations! You stayed with me through the second COSO component, Strategy and Objective-Setting! Next time we will start on the third COSO component, Performance.

As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we will set something up. Thank you and have a great week.
