Page 195 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Manage the Security Function


To manage the security function, an organization must implement proper and sufficient security governance. The act of performing a risk assessment to drive the security policy is the clearest and most direct example of management of the security function.

Security must be cost effective. Organizations do not have infinite budgets and thus must allocate their funds appropriately. Additionally, an organizational budget includes a percentage of monies dedicated to security, just as most other business tasks and processes require capital, not to mention payments to employees, insurance, retirement, and so on. Security should be sufficient to withstand typical or standard threats to the organization, but not when such security is more expensive than the assets being protected. As discussed in "Understand and Apply Risk Management Concepts" earlier in this chapter, a countermeasure that is more costly than the value of the asset itself is not usually an effective solution.

Security must be measurable. Measurable security means that the various aspects of the security mechanisms function, provide a clear benefit, and have one or more metrics that can be recorded and analyzed. Similar to performance metrics, security metrics are measurements of performance, function, operation, action, and so on as related to the operation of a security feature. When a countermeasure or safeguard is implemented, security metrics should show a reduction in unwanted occurrences or an increase in the detection of attempts. Otherwise, the security mechanism is not providing the expected benefit. The act of measuring and evaluating security metrics is the practice of assessing the completeness and effectiveness of the security program. This should also include measuring it against common security guidelines and tracking the success of its controls. Tracking and assessing security metrics are part of effective security governance. However, it is worth noting that choosing incorrect security metrics can cause significant problems, such as choosing to monitor or measure something the security staff has little control over or that is based on external drivers.