Information Security Benchmarking Using the Core Data Service (263796097)


INFORMATION SECURITY BENCHMARKING USING THE CORE DATA SERVICE

May 2015

Today’s Speakers

▪ Rich Graves, Information Security Officer, Carleton and St. Olaf Colleges
▪ Greg Hedrick, Chief Information Security Officer, Purdue University
▪ Scott Krajewski, Director of IT, Augsburg College
▪ Carol Myers, Interim Dean of IT, Paradise Valley Community College
▪ Joanna Grama, Director of Cybersecurity and IT GRC Programs, EDUCAUSE


Agenda

▪ IT Security Metrics & Benchmarking Generally
▪ EDUCAUSE Core Data Service
▪ 2014 CDS InfoSec Results
▪ Panel Discussion

IT Security Metrics & Benchmarking


Metrics Definitions

▪ Metrics = Measurement + Analysis
▪ Helps you understand the operation of your organization

IT Security Metrics - Examples

▪ Example IT Security Metric:
  ▪ The change in number of vulnerabilities rated as “high” on the IT department’s servers in FY 2014, as compared to the baseline established in FY 2013.
▪ Other Security metrics we already use (and should we?)
  ▪ Responsive requests
  ▪ Risk (assessments)
  ▪ Vulnerability and incident statistics
  ▪ Acronyms: ALE, TCO, ROI, etc.


Commonly Used IT Security Metrics (CDS M7, Q12)

▪ Only 50% of U.S. institutions track information security metrics.
▪ Those that did most commonly tracked:
  1. Vulnerability scan coverage (35%, all U.S.)
  2. Incident rate (29%, all U.S.)
  3. Number of known vulnerability instances (27%, all U.S.)
  4. Patch management coverage (27%, all U.S.)
  5. Patch policy compliance (26%, all U.S.)

Benchmarking Definition

▪ Benchmarking = Comparing your metrics to an internal or external reference point for evaluation
▪ Helps you judge the quality of your organization and drive actions for future change


Steps for Successful Benchmarking

What is the Core Data Service?


Success comes from knowing, not guessing.

Free Benchmarking Services

Used Since 2002 to Inform Strategic IT Planning and Management

▪ Provide evidence
▪ Evaluate
▪ Calibrate

3 Easy Steps

1. CONTRIBUTE: ADD DATA (CDS SURVEY)
2. COMPARE: ACCESS DATA (CDS REPORTING)
3. INTERPRET: VIEW TRENDS (CDS PUBLICATIONS)


CDS Reporting is powered by

Step 2: Access the data

CDS Executive Summary Report

CDS Almanacs

ECAR Analysis of Core Data (accessible to ECAR subscribing institutions)

Subscribe to the CDS Update Newsletter 

Quick Reference Resources

The results today’s panelists found most interesting.

2014 CDS InfoSec Results


2014 Central IT Expenditures by IT Domain (CDS M1, Q20)

The Challenge of Staffing (CDS M1, Q28)


Peer InfoSec FTE: Small & Shrinking (CDS M1, Q28)

...but possibly misleading, because in 40% of cases, the “CISO” is also the CIO.

Most Active Collaboration area: REN-ISAC (CDS M7, Q13)

▪ REN-ISAC: 67%
▪ SECURITY: 56%
▪ Regional: 39%


The Challenge of Mandatory InfoSec Training (CDS M7, Q10)


Use of Information Security Risk Assessments (M7, Q8-9)


Reasons for InfoSec Risk Assessments (CDS M7, Q9)

Status of Security Frameworks at Institutions (CDS M7, Q7)


Today’s Speakers

▪ Rich Graves, Information Security Officer, Carleton College
▪ Greg Hedrick, Chief Information Security Officer, Purdue University
▪ Scott Krajewski, Director of IT, Augsburg College
▪ Carol Myers, Interim Dean of IT, Paradise Valley Community College
▪ Joanna Grama, Director of Cybersecurity and IT GRC Programs, EDUCAUSE