A METHODICAL APPROACH TO KEY CONTROL INDICATORS


On its face, the analysis of a key control indicator (KCI) can seem rather straightforward. Do you have confidence in the controls implemented to monitor your environment – are you “in control”?

You will have to answer two questions. First, do you have the controls you need? Second, are they working as intended? Unfortunately, the complexity of security organizations can make it difficult to answer these deceptively simple questions.

For example, you might implement a next-generation firewall with a number of security features and opt to enable some of them later. Then day-to-day security operations take over, your plan is once again overtaken by events (OBE’d), and nobody has time to go back and finish the rollout.

When it comes to KCIs, you need to plan, execute and monitor your control infrastructure in a managed way. But what is the best way to do that?

First, Examine Your Environment

Similar to key risk indicators (KRIs), it all begins with critical introspection. Where (or what) are your “crown jewels” that you need to protect? From there, what are the compliance/control boundaries?


Take the time to consider these two questions carefully, as the answers you provide – which will be unique to your organization – will change how you architect your environment, as well as how you protect it.

It is helpful to organize your assets into the classes of devices, networks, users, data and applications, and to break each class down into the five cyber defense functions defined by the National Institute of Standards and Technology (NIST) Cybersecurity Framework: identify, protect, detect, respond and recover.

This five-by-five grid will give you a solid foundation for your defensive strategy.

Next, Anticipate Control Complexities

As a baseline, most organizations have policies in place to ensure compliance, procedures that enforce or put those policies into practice, and audits that confirm that those procedures are being followed. Again, as with the concept of the KCI itself, this can seem simple and linear.

In reality, the waters are easily muddied when you take the different variables into account.

You might perform an audit to confirm that all of your compliance boxes are checked appropriately. But in the course of normal business operations, you have probably purchased many different systems and products to prop up your security infrastructure. This introduces a level of complexity that makes any measurement of what is actually going on quite difficult.

How can you tell what components are contributing to your compliance, what components are working well and what components should be removed from your security infrastructure?

Finally, Measure Control Indicators

When it comes to your controls, having the right policy, procedure and audit processes in place requires a higher-level, comprehensive understanding of your company’s security and compliance environments. This is particularly true because what you are often trying to do is detect the unexpected – whether that is a misconfiguration or a security incident.

While these adverse impacts are often analyzed as performance indicators, they can also fall under the umbrella of your control indicators when a control that should have been in place was not.

The more measured and methodical your approach to forming those control processes in the first place, the better you will be able to understand your environment, remain in compliance and protect what matters most.

About FourV Systems
FourV is dedicated to improving the operational performance of IT security programs by empowering leadership to make decisions instead of spending time analyzing data.