Information security measurement infrastructure for KPI visualization

In the last decade information security standards have become well documented, starting with ISO 27001:2005, which defines the requirements for an organisation's Information Security Management System (ISMS). Other standards, such as ISO 27004:2009, ISO 27003 and ISO 27005, were published later. An organisation's ISMS can be certified against ISO 27001:2005, and it adopts the Plan-Do-Check-Act (PDCA) life cycle of continual system improvement. To improve operations and information security, the ISO 27004:2009 standard has to be used to create useful Key Performance Indicators (KPIs) so that the ISMS can be continually improved. During the maintenance phase every system needs an infrastructure to collect data, analyse it and then derive the KPIs that drive continual improvement. This paper presents an information security measurement infrastructure for KPI visualisation, based on practical experience with a production system in a financial environment.
