Security policy evaluation using balanced scorecards
Download
1 / 29

Security Policy Evaluation Using Balanced Scorecards - PowerPoint PPT Presentation


  • 192 Views
  • Uploaded on

Security Policy Evaluation Using Balanced Scorecards. Mohamad El Osta MBA 737 April 29, 2008. Agenda. Performance Evaluation Methodology Limitation Balanced Scorecards Perspectives and Methodology Security Metrics Conclusion. Performance Evaluation.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Security Policy Evaluation Using Balanced Scorecards' - barny


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Security policy evaluation using balanced scorecards

Security Policy Evaluation Using Balanced Scorecards

Mohamad El Osta

MBA 737

April 29, 2008


Agenda
Agenda

  • Performance Evaluation

  • Methodology Limitation

  • Balanced Scorecards

  • Perspectives and Methodology

  • Security Metrics

  • Conclusion


Performance evaluation
Performance Evaluation

  • Managers and chief executives have to be proactive in tracking the operation of their business

  • Organizations used to track their performance by relying solely on financial metrics like:

    • Increase of revenue

    • Increase of profit margin

    • Return on assets (ROA) and investments (ROI)


Limitations
Limitations

  • Vital dimensions of the business can go unnoticed by time if financial metrics alone were used.

  • Customers might be unsatisfied with the product and are waiting for the competition to switch products.

  • Employees’ emotions due to dissatisfaction might be running high, until “crunch point” suddenly arise.


Definition
Definition

  • Balanced Scorecard (BSC): “is a strategic planning and management system that is used to align business activities to the vision and strategy of the organization, improve internal and external communications, and monitor organization performance against strategic goals.”1

    • As defined by the Balanced Scorecard Institute

1 http://www.balancedscorecard.org/BSCResources/AbouttheBalancedScorecard/tabid/55/Default.aspx, 04/27/2008


History
History

  • The “Balanced Scorecard” term was coined in 1992 by two authors:

    • Robert S. Kaplan – Professor at Harvard Business School

    • David P. Norton

  • Harvard Business Review article titled: “The Balanced Scorecard: Measures that Drive Performance.”

  • Performance measurement reporting existed before since the 50s at General Electric.


Facts
Facts

  • By 2006, 70% of organizations at least implemented partially a BSC.

  • Private sector, public sector and non-profit organizations have successfully implemented BSC.

  • French process engineers created “Tableau de Bord”– dashboard – for measuring performance in the early 1900s.


Bsc perspectives
BSC Perspectives

  • BSC translates the business strategy into four perspectives:

    • Customer

    • Financial

    • Business Processes

    • Learning and Growth

  • Goal is to achieve a balance in the following:

    • Between internal and external measures

    • Between objective and subjective measures

    • Between performance and drivers of results




  • Planning areas
    Planning Areas

    • There are four areas of planning for each perspective:

    • Objectives:

      • The set of results that are needed by the business to sustain its vision based on its strategy.

    • Measures:

      • Are the observable key performance indicators (KPI) that measures the progress of each objective.


    Planning areas1
    Planning Areas

    • Targets:

      • Are the set values of measures that the business wants to achieve by the objectives.

    • Initiatives:

      • A set of action items for each objective created as a plan of how to reach the objective.



    Source: http://www.balancedscorecard.org/BSCResources/TheNineStepstoSuccess/tabid/58/Default.aspx


    Implementation process
    Implementation Process http://www.balancedscorecard.org/BSCResources/TheNineStepstoSuccess/tabid/58/Default.aspx

    • Implementing BSC is done through 4 steps:

    • Translation of Vision:

      • Create strategic objectives from the vision.

      • Setup quantifiable metrics to measure objectives.

    • Communicating Objectives:

      • Create SMART goals from the strategic objectives.

      • Communicate these goals through out the organization.


    Implementation process1
    Implementation Process http://www.balancedscorecard.org/BSCResources/TheNineStepstoSuccess/tabid/58/Default.aspx

    • Setting Targets and Aligning Initiatives:

      • Create achievable targets for each perspective.

      • Align initiatives to achieve specified targets.

    • Learning and Feedback:

      • Get feedback on setup initiatives through metrics.

      • Learn continuously from success/failure of strategy.


    Benefits of bsc
    Benefits of BSC http://www.balancedscorecard.org/BSCResources/TheNineStepstoSuccess/tabid/58/Default.aspx

    • Enhance organizational focus on results and strategy.

    • Improve business performance by tracking a comprehensive set of KPIs.

    • Align the organizational strategy with the projects and work employees do.

    • Concentrate on the drivers of future performance.

    • Enhance the communication of vision and strategy throughout the organization.

    • Prioritize the business projects based on the strategy.


    Information security
    Information Security http://www.balancedscorecard.org/BSCResources/TheNineStepstoSuccess/tabid/58/Default.aspx

    • Information Security (IS): “is protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction”1

    • “The truth is that security is as much an issue of people and process as it is technology.”2

    • Tracking the performance and compliance of a security policy is as important as having one!

    1 http://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003542----000-.html

    2 http://www.techlinks.net/CommunityPublishing/tabid/92/ArticleType/ArticleView/ArticleID/3855/Default.aspx, 04/27/2008


    Is components
    IS Components http://www.balancedscorecard.org/BSCResources/TheNineStepstoSuccess/tabid/58/Default.aspx

    • Information Security has 3 components – commonly known as the “CIA triad”:

    • Confidentiality: means that data can only be accessed by authorized personnel.

    • Integrity: means that data can not be created, changed, or deleted without authorization.

    • Availability: means that information and their systems are available and correctly functioning when needed.


    Is triad diagram
    IS Triad Diagram http://www.balancedscorecard.org/BSCResources/TheNineStepstoSuccess/tabid/58/Default.aspx


    Is and bsc
    IS and BSC http://www.balancedscorecard.org/BSCResources/TheNineStepstoSuccess/tabid/58/Default.aspx

    • BSC have been used in every function of the business.

    • Recently organizations started to use BSC to manage the implementation of their security policy.

    • ISO-17799 is a standard of security controls that can be implemented and monitored through the use of BSC.


    Security metrics
    Security Metrics http://www.balancedscorecard.org/BSCResources/TheNineStepstoSuccess/tabid/58/Default.aspx

    • Security Metric: “For an entity (system, product, facility, asset or other) for which security is a meaningful concept, there are identifiable attributes that collectively characterize the security of that entity. A security metric, or combination of metrics, is a quantitative measure of much of that attribute the entity possesses.”1

    1 https://www.securityexecutivecouncil.com/content/Security_Metrics_09_14_05_v4_NN.ppt


    Example metrics
    Example Metrics http://www.balancedscorecard.org/BSCResources/TheNineStepstoSuccess/tabid/58/Default.aspx

    • Some example of security metrics used in the industry:

      • Intrusion attempts

      • Invalid logins

      • Admin violations

      • Spam detected

      • Viruses detected

      • Unauthorized access attempt


    Proposed bsc for security
    Proposed BSC for Security http://www.balancedscorecard.org/BSCResources/TheNineStepstoSuccess/tabid/58/Default.aspx

    • Dr. Lori L. DeLooze has created a BSC for computer security.1

    • She has proposed this scorecard based on 4 perspectives:

      • Users

      • System Administrators

      • System Owners

      • Auditors

    1 http://www.itoc.usma.edu/workshop/2006/program/Presentations/IAW2006-01-3.pdf


    Security bsc diagram
    Security BSC Diagram* http://www.balancedscorecard.org/BSCResources/TheNineStepstoSuccess/tabid/58/Default.aspx

    * http://www.itoc.usma.edu/workshop/2006/program/Presentations/IAW2006-01-3.pdf


    Security strategy
    Security Strategy http://www.balancedscorecard.org/BSCResources/TheNineStepstoSuccess/tabid/58/Default.aspx

    • Vision: to have a secure information system that provides the “CIA triad.”

    • Strategy has 2 components:

      • Provide cost-efficient security service

      • Reduce risk and damage from attacks

    • Each perspective will be analyzed and evaluated based on those 2 strategic criteria.


    Security bsc for s1
    Security BSC for S1 http://www.balancedscorecard.org/BSCResources/TheNineStepstoSuccess/tabid/58/Default.aspx


    Security bsc for s2
    Security BSC for S2 http://www.balancedscorecard.org/BSCResources/TheNineStepstoSuccess/tabid/58/Default.aspx


    Q&A http://www.balancedscorecard.org/BSCResources/TheNineStepstoSuccess/tabid/58/Default.aspx


    ad