Information Security Benchmarking Using the Core Data Service (263796097)

8/9/2019 Information Security Benchmarking Using the Core Data Service (263796097)

http://slidepdf.com/reader/full/information-security-benchmarking-using-the-core-data-service-263796097 1/14

5/1/20

INFORMATION SECURITY

BENCHMARKING USING THE

CORE DATA SERVICE

May 2015

Today’s Speakers

▪ Rich Graves, Information Security Officer, Carleton

and St. Olaf Colleges

▪ Greg Hedrick, Chief Information Security Officer,

Purdue University

▪ Scott Krajewski, Director of IT, Augsburg College

▪ Carol Myers, Interim Dean of IT, Paradise Valley

Community College

▪ Joanna Grama, Director of Cybersecurity and IT GRC

Programs, EDUCAUSE



5/1/20

Agenda

▪ IT Security Metrics & Benchmarking

Generally

▪ EDUCAUSE Core Data Service

▪ 2014 CDS InfoSec Results

▪ Panel Discussion

IT Security Metrics & Benchmarking



5/1/20

Metrics Definitions

▪ Metrics =

Measurement +

Analysis

▪ Helps you understand

the operation of your

organization

IT Security Metrics - Examples

▪ Example IT Security Metric:

▪ The change in number of vulnerabilities rated as “high”

on the IT department’s servers in FY 2014, as

compared to the baseline established in FY 2013.

▪ Other Security metrics we already use (and should

we?)

▪ Responsive requests

▪ Risk (assessments)▪ Vulnerability and incident statistics

▪ Acronyms: ALE, TCO, ROI, etc.



5/1/20

Commonly Used IT Security Metrics (CDS M7, Q12)

▪ Only 50% of U.S. institutions track information security

metrics.

▪ Those that did most commonly tracked:

1. Vulnerability scan coverage (35%, all U.S.)

2. Incident rate (29%, all U.S.)

3. Number of known vulnerability instances (27%, all U.S.)

4. Patch management coverage (27%, all U.S.)

5. Patch policy compliance (26%, all U.S.)

Benchmarking Definition

▪ Benchmarking = Comparing your metrics to

an internal or external reference point for

evaluation

▪ Helps you judge the quality of your

organization and drive actions for future

change



5/1/20

Steps for Successful Benchmarking

What is the Core Data Service?



5/1/20

Success comes from knowing, not guessing.

Free Benchmarking Services

Used Since 2002 to Inform Strategic IT Planning and

Management

Provide evidence Evaluate Calibrate

3 Easy Steps

CONTRIBUTEADD DATA

CDS SURVEY

COMPAREACCESS DATA

CDS REPORTING

INTERPRETVIEW TRENDS

CDS PUBLICATIONS



5/1/20

CDS Reporting is powered by

Step 2: Access the data

CDS Executive Summary Report

CDS Almanacs

ECAR Analysis of Core Data (accessible to ECAR subscribing institutions)

Subscribe to the CDS Update Newsletter

Quick Reference Resources

The results today’s panelists found most interesting.

2014 CDS InfoSec Results



5/1/20

2014 Central IT Expenditures by IT Domain(CDS M1, Q20)

The Challenge of Staffing (CDS M1, Q28)



5/1/20

Peer InfoSec FTE: Small & Shrinking(CDS M1, Q28)

...but possibly

misleading, because

in 40% of cases, the

“CISO” is also the

CIO.

Most Active Collaboration area: REN-ISAC(CDS M7, Q13)

REN-ISAC: 67%

SECURITY: 56%

Regional: 39%



5/1/20

The Challenge of Mandatory InfoSec

Training(CDS M7, Q10)

The Challenge of Mandatory InfoSecTraining (CDS M7, Q10)



5/1/20

Use of Information Security Risk Assessments(M7, Q8-9)



5/1/20

Reasons for InfoSec Risk Assessments(CDS M7, Q9)

Status of Security Frameworks at Institutions(CDS M7, Q7)



5/1/20

Today’s Speakers

▪ Rich Graves, Information Security Officer, Carleton

College

▪ Greg Hedrick, Chief Information Security Officer,

Purdue University

▪ Scott Krajewski, Director of IT, Augsburg College

▪ Carol Myers, Interim Dean of IT, Paradise Valley

Community College

▪ Joanna Grama, Director of Cybersecurity and IT GRC

Programs, EDUCAUSE

Information Security Benchmarking Using the Core Data Service (263796097)

Documents

Transcript of Information Security Benchmarking Using the Core Data Service (263796097)