Information Security Benchmarking Using the Core Data Service (263796097)
8/9/2019 Information Security Benchmarking Using the Core Data Service (263796097)
http://slidepdf.com/reader/full/information-security-benchmarking-using-the-core-data-service-263796097 1/14
5/1/20
INFORMATION SECURITY BENCHMARKING USING THE CORE DATA SERVICE
May 2015
Today’s Speakers
▪ Rich Graves, Information Security Officer, Carleton and St. Olaf Colleges
▪ Greg Hedrick, Chief Information Security Officer, Purdue University
▪ Scott Krajewski, Director of IT, Augsburg College
▪ Carol Myers, Interim Dean of IT, Paradise Valley Community College
▪ Joanna Grama, Director of Cybersecurity and IT GRC Programs, EDUCAUSE
Agenda
▪ IT Security Metrics & Benchmarking Generally
▪ EDUCAUSE Core Data Service
▪ 2014 CDS InfoSec Results
▪ Panel Discussion
IT Security Metrics & Benchmarking
Metrics Definitions
▪ Metrics = Measurement + Analysis
▪ Helps you understand the operation of your organization
IT Security Metrics - Examples
▪ Example IT Security Metric:
  ▪ The change in number of vulnerabilities rated as “high” on the IT department’s servers in FY 2014, as compared to the baseline established in FY 2013.
▪ Other security metrics we already use (and should we?)
  ▪ Responsive requests
  ▪ Risk (assessments)
  ▪ Vulnerability and incident statistics
  ▪ Acronyms: ALE, TCO, ROI, etc.
Commonly Used IT Security Metrics (CDS M7, Q12)
▪ Only 50% of U.S. institutions track information security metrics.
▪ Those that did most commonly tracked:
  1. Vulnerability scan coverage (35%, all U.S.)
  2. Incident rate (29%, all U.S.)
  3. Number of known vulnerability instances (27%, all U.S.)
  4. Patch management coverage (27%, all U.S.)
  5. Patch policy compliance (26%, all U.S.)
Benchmarking Definition
▪ Benchmarking = Comparing your metrics to an internal or external reference point for evaluation
▪ Helps you judge the quality of your organization and drive actions for future change
Steps for Successful Benchmarking
What is the Core Data Service?
Success comes from knowing, not guessing.
Free Benchmarking Services
Used Since 2002 to Inform Strategic IT Planning and Management
Provide evidence. Evaluate. Calibrate.
3 Easy Steps
1. CONTRIBUTE: Add data (CDS Survey)
2. COMPARE: Access data (CDS Reporting)
3. INTERPRET: View trends (CDS Publications)
CDS Reporting is powered by
Step 2: Access the data
CDS Executive Summary Report
CDS Almanacs
ECAR Analysis of Core Data (accessible to ECAR subscribing institutions)
Subscribe to the CDS Update Newsletter
Quick Reference Resources
The results today’s panelists found most interesting.
2014 CDS InfoSec Results
2014 Central IT Expenditures by IT Domain (CDS M1, Q20)
The Challenge of Staffing (CDS M1, Q28)
Peer InfoSec FTE: Small & Shrinking (CDS M1, Q28)
...but possibly misleading, because in 40% of cases, the “CISO” is also the CIO.
Most Active Collaboration Area: REN-ISAC (CDS M7, Q13)
▪ REN-ISAC: 67%
▪ SECURITY: 56%
▪ Regional: 39%
The Challenge of Mandatory InfoSec Training (CDS M7, Q10)
Use of Information Security Risk Assessments (CDS M7, Q8-9)
Reasons for InfoSec Risk Assessments (CDS M7, Q9)
Status of Security Frameworks at Institutions (CDS M7, Q7)
Today’s Speakers
▪ Rich Graves, Information Security Officer, Carleton College
▪ Greg Hedrick, Chief Information Security Officer, Purdue University
▪ Scott Krajewski, Director of IT, Augsburg College
▪ Carol Myers, Interim Dean of IT, Paradise Valley Community College
▪ Joanna Grama, Director of Cybersecurity and IT GRC Programs, EDUCAUSE