Plans for a Balanced Scorecard Approach to Information Security Metrics

Similar documents
Managing What You Measure

Quadrant I. Module 25: Balanced Scorecard

The IT Balanced Scorecard Revisited

Summary Report Special Funding Project: Establishing an Evaluation Framework for the Culture of Safety in Manitoba

EQUASS 2018 Principles, criteria and Indicators for EQUASS Excellence recognition

ISO 9001 Auditing Practices Group. Aligning the QMS with the achievement of organizational and business success

PART THREE: Work Plan and IV&V Methodology (RFP 5.3.3)

The Balanced Scorecard

The Balanced Scorecard- A strategic Management Tool. By Mr. Tarun Mishra. Prologue:

Top 35 Reasons You Need Contact Center Performance Management

Session 6C Internal audit value Developing metrics to present IA value

ADVANCED INTERNAL AUDIT WORKSHOP

OPTIMIZED FOR EXCELLENCE. An Incentive Compensation Management (ICM) Assessment Case Study of OpenText Corporation

Balanced Scorecard Briefing for NAPA BaSIG

Asset Management. Advancing performance

Information System Strategic Planning Using IT Balanced Scorecard In Ward & Peppard Framework Model

Ensuring BD Success With Metrics-Based Management

EQUASS 2018 Principles, criteria and indicators for EQUASS Assurance recognition

Supplier Partnership. BPF 2123 Quality Management System

The Balanced Scorecard: Translating Strategy into Results

White paper Balanced Scorecard (BSC) Draft Date: July 02, 2012

Balanced Scorecard IT Strategy and Project Management

CMMI Project Management Refresher Training

Measuring and Improving Information Technology Governance through the Balanced Scorecard

Securitas Global and National Accounts Group

Classification of Security Operation Centers

THE BALANCED SCORECARD: A QUALITY ASSURANCE SYSTEM FOR COLLEGE HEALTH KEVIN READDEAN, MSED RENSSELAER POLYTECHNIC INSTITUTE NYSCHA ANNUAL MEETING

Software Quality Management

Correlation matrices between ISO 9001:2008 and ISO 9001:2015

SPTF Universal Standards for. Social Performance. Management. Version 2.0, Published August 2016

CERTIFICATIONS IN HUMAN RESOURCES. SPHRi TM Senior Professional in Human Resources - International TM SPHRi. Exam Content Outline

BALANCE SCORECARD. Introduction. What is Balance Scorecard?

Australian National Audit Office REPORT ON RESULTS OF A PERFORMANCE AUDIT OF THE STRATEGIC PLANNING FRAMEWORK. April kpmg

ISO 9001: 2015 Quality Management System Certification. Awareness Training

Business Framework Change How You Manage Safety

The Impact of Quality Culture on Quality Risk Management. FDA Perspective on Quality Culture; how it Impacts Risk Management

Implementation Guide 2000

INTEGRATING ISO 9000 METHODOLOGIES WITH PROJECT QUALITY MANAGEMENT

Market Systems Enhancement

External Quality Assessment Are You Ready? Institute of Internal Auditors

How a project approach will build change management capability across your organization

ASG s Delivery of BSM Maturity

BEGINNER S GUIDE TO ISO 9001 : Quality Management System Requirements Explained

Quality & Customer Service For Small Organizations

Portfolio Marketing. Research and Advisory Service

Independent Validation of the Internal Auditing Self-Assessment

Type Your Company Name Here. Quality Manual. AS9100 Rev C

Identity and Access Management. Program Primer

Are All Partners Created Equal

Management Systems. Linkage. 26 March Text #ICANN49

Law Firm Procurement Survey Executive Summary

Journal of the University Librarians Association of Sri Lanka, Vol.15, Issue 1, June 2011

Governance SPICE. Using COSO and COBIT Process Assessment Models BPM GOSPEL

In October 1997, the Trade Commissioner Service (TCS) Performance measurement in the Canadian Trade Commissioner Service THE MANAGER S CORNER

GENOME CANADA BOARD OF DIRECTORS ANNUAL QUESTIONNAIRE

Quality Management System Guidance. ISO 9001:2015 Clause-by-clause Interpretation

Looking in The Mirror: Part 1

Supplier Performance Management

Reduces the risk of downtime caused by infrastructure failure.

Strategic Plan SFY Oklahoma Department of Human Services

The BIG question: How can you optimize to drive growth?

Insights on the Road to Implementing Process Based Management

Position Description

Understanding the Balanced

Case Study: Validation Process Efficiency and Cost Reduction Improvements

Terminal Benchmarking Wipro Thought Leadership

Changes Reviewed by Date. JO Technology Manager - Samer Huwwari JO Manager, Risk & Control Technology: Issa Laty. CIO, Jordan- Mohammad Aburoub

ERM: Risk Maps and Registers. Performing an ISO Risk Assessment

ISACA. The recognized global leader in IT governance, control, security and assurance

Health & Safety. Report 2011/12

WORLD-CLASS AUDIT REGULATION November Big Four Inspections Report.

Navigating the New Health Economy

EHQMS Manual & Policy Document

Agenda. Enterprise Risk Management Defined. The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM)

Catching Fraud During a Recession Through Superior Internal Controls. FICPA s 25 th Annual Accounting Show. J. Stephen Nouss September 29, 2010

International Balanced Scorecard

MENTAL HEALTH IN THE WORKPLACE: ORGANIZATIONAL FACTORS AND RESOURCES ESDC OPEN HOUSE 2015

STRATEGY & RISK OVERSIGHT. David F. Larcker and Brian Tayan Corporate Governance Research Initiative Stanford Graduate School of Business

Implementing an Employee Engagement Programme

When Recognition Matters WHITEPAPER ISO 14001:2015 ENVIRONMENTAL MANAGEMENT SYSTEMS - REQUIREMENTS.

Developing A Traffic Data Performance Measure Program

Evaluating Agile Effectiveness (AE) of Organizations and Programs

Portfolio, Program and Project Management Using COBIT 5

An Introduction to the Green IT Balanced Scorecard as a Strategic IT Management System from An Environmental Perspective

Program Management Professional (PgMP)

A Value Management Approach to Business Transformation

Position Title Customer & Service Delivery Manager, Metropolitan

Main points Background Our audit objective and conclusions Managing for results key findings...243

Welcome! ITSM Academy

VISION, MISSION, VALUES

VISION FROM THE PRESIDENT MISSION VALUES A PARTICIPATORY AND CONSULTATIVE PROCESS

SuprTEK PanOptes TM Continuous Monitoring Platform

Audit of Shared Services Canada s Information Technology Asset Management

Governance and decision rights. HR Business Partner and Centers of Expertise. The HR Chief Operating Officer. HR Organization

World leader in sponsorship strategy, intelligence, valuation and measurement

International Balanced Scorecard Certification Master Class

maps to discuss, compare & measure designʼs contribution & growth"

Choosing the Right UX Vendor

LEAN Processes, Inc. PQC : Our Race Path to Excellence TRAVELLERS HOTEL SUBIC BAY FREEFORT JUNE 11, 2015

UPS UPS Case Abstract

Transcription:

MetriCon 3.0 Workshop Presentation Plans for a Balanced Scorecard Approach to Information Security Metrics Kevin Peuhkurinen The Great-West Life Assurance Company

Background

The Information Security Office (ISO): Provides information security governance services for an Enterprise consisting of 3 insurance companies and 3 investment fund companies, operating in Canada, Europe, and the USA.

Internally, the ISO has structured itself according to 8 functional practices: Policy and Standards Development and Maintenance Risk Analysis Vulnerability Assessments Alert Monitoring and Incident Response Compliance Awareness, Training, and Communication Professional Services Planning and Strategy includes the Information Security Metrics program

The I.S. organization, of which the ISO is a part, is an enthusiastic proponent of the use of the Balanced Scorecard for measuring and reporting on I.T. Governance. The I.S. organization s experiences with their IT BSC program have been included in two books: IMPLEMENTING THE IT BALANCED SCORECARD: Aligning IT with Corporate Strategy by Keyes Strategies For Information Technology Governance by Van Grembergen The IT BSC used by the I.S. organization does provide some reporting on IT risk in general. However, currently our information security-specific measurements are reported through a variety of channels rather than the IT BSC. We are developing a new Information Security BSC to harmonize with the IT BSC already in use.

A Generic Maturity Model for an Information Security Balanced Scorecard Program Level 1 Initial There is evidence that the organization has recognized there is a need for a measurement system for its information security. There are ad hoc approaches to measure information security (e.g. virus counts, number of incidents). This measurement process is often an individual effort in response to specific issues. Level 2 Repeatable Management is aware of the concept of the balanced scorecard and has communicated its intent to define appropriate measures. Measures are collected and presented to management in a scorecard. Linkages between outcome measures and performance drivers are generally defined but are not yet precise, documented or integrated into strategic and operational planning processes. Processes for scorecard training and review are informal and there is no compliance process in place. Level 3 Defined Management has standardized, documented and communicated the BSC through formal training. The scorecard process has been structured and linked to business planning cycle. The need for compliance has been communicated but compliance is inconsistent. Management understands and accepts the need to integrate the BSC within the alignment process of business, IT, and information security. Efforts are underway to change the alignment process accordingly. Level 4 Managed The BSC is fully integrated into the strategic and operational planning and review systems of the business, IT, and information security. Linkages between outcome measures and performance drivers are systematically reviewed and revised based upon the analysis of results. There is a full understanding of the issues at all levels of the organization which is supported by formal training. Long term stretch targets and priorities for information security investment projects are set and linked to the scorecard. Individual objectives of ISO employees are connected with the scorecards and incentive systems are linked to the BSC measures. The compliance process is well established and levels of compliance are high. Level 5 Optimized The BSC is fully aligned with the business and IT strategic management frameworks and vision is frequently reviewed, updated and improved. Internal and external experts are engaged to ensure industry best practices are developed and adopted. The measurements and results are part of management reporting and are systematically acted upon by senior and ISO management. Monitoring, self-assessment and communication are pervasive within the organization and there is optimal use of technology to support measurement, analysis, communication and training. Based on Aligning Business and Information Technology through the Balanced Scorecard at a Major Canadian Financial Group: its Status Measured with an IT BSC Maturity Model (http://www.performancemeasurement.net/news-detail.asp?nid=35) by Ron Saull and Wim Van Grembergen

Our Plans

Objectives of the ISO metrics program: Show value for investment Display linkage between business and I.S. goals and the information security program Demonstrate where additional investment may be warranted Provide input into the strategic planning process for the information security program and track progress towards goals Provide visibility into risk Show trends in risk posture Measure residual risk in our control framework Support the continuous improvement requirements of the functional practices of the ISO Metrics That Matter

Information Security Balanced Scorecard Corporate Contribution Customer Orientation How should information security appear to business and I.S. senior leadership in order to be considered a significant contributor to Enterprise success? How should the Information Security Office appear to its clients in order to be considered a trusted advisor? Internal Processes Future Orientation What services and processes must the Information Security Office excel at in order to satisfy stakeholders and clients? How will we develop the information security skills and knowledge both within the ISO internally and the entire Enterprise necessary to achieve our goal of good governance?

Corporate Contribution: Mission Contribute to the achievement of the goals of our businesses through effective delivery of value-based information security services. Objectives Management of information security expenses Benefit realization on information security investments Provide insight into risk profiles Potential Measures New and retained business where information security was a significant concern Visible risk reduction through closure of exceptions to information security standards Clean regulatory audits and assessments

Customer Orientation: Mission Be the supplier of choice for all information security consulting and other services to the Enterprise. Objectives Client satisfaction High quality, timely, deliverables (e.g. accurate, relevant risk assessments) Potential Measures Hours spent consulting Feedback from internal clients

Internal Process: Mission Deliver timely and effective information security services at targeted service levels and costs. Objectives Practice maturity Process improvement Potential Measures Functional practice maturity levels Internal process effectiveness

Future Orientation: Mission Develop the internal capabilities to learn, innovate, and adapt, and raise information security awareness throughout the Enterprise. Objectives Knowledge management Emerging risks research Heightened information security awareness Potential Measures Information security-related certifications Information security awareness activities

Issues and Concerns Can a single BSC satisfy the needs of multiple stakeholders? Is some sort of dashboard also required? What sort of metrics can be used to measure the cost (and benefits) of all information security technology and processes across a large Enterprise?

Thank You! Kevin.Peuhkurinen@LondonLife.com

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback