Freedom of Expression and creativity of Developer Makians
Tuesday, 22 January 2013
ISO 27001 IMS Monthly report
Often, after a huge compliance investment, both the management and security teams lose sight of exchanging information on the security health of the organization. Here are some of the key elements that must be reported to keep management aware of changes on the ground:
New asset additions – The addition of new assets poses new challenges for security. Always keep management informed of what new assets have been added. Avoid reporting assets which are already there, as this may lead readers to lose interest in the report. Once they know that new assets are being added, everyone will be interested in knowing what controls have been added.
New risks identified – This follows the new asset additions, but new risks may also result from many organizational changes beyond the scope of assets. New risks can arise from changes in business strategy, customer requirements, operating environments, legal requirements, hazards and/or financial changes, each of which may have an impact on risk management. New risks are those that do not have a mitigation plan yet, but information about them is relevant to management for risk decisions.
New controls added – This can be the result of a recent decision to address a new risk. It can be a new technical, physical, procedural or personnel control. Note that a new control is always perceived negatively, as it may be seen as an operational hindrance. So write a convincing business justification to support why a specific control has been added.
Attack information – Updates from log analysis, especially of gateway devices, such as spoofing attacks, unauthorized access attempts to key applications, the number of servers remaining unpatched despite a ‘critical’ patch release, and the number of theft attempts captured on CCTV are some of the attack information that helps management keep track of the number of break-in attempts. Consider attacks both within and outside the organization, including the physical area and industry sector as relevant. Sometimes this is just trend information, as you may not be able to prevent the attacks, but you will be able to verify whether your BCP can handle such events if they really turn into incidents for you.
Number of new vulnerabilities in the wild relevant to our infrastructure – Independent vulnerability sources such as CERT, as well as OEM-reported vulnerabilities, provide a huge amount of information, so it is important to pick out the vulnerabilities relevant to the organization’s own infrastructure. Which relevant vulnerabilities you have identified and how you are tracking them to closure will be of interest to management.
Number of people trained in security – This may be both as part of the joining formalities and otherwise. This is an indicator of how many people are being made aware of the organization’s policies, and it gives confidence as to how many are left, if any. Training should also include technical skills as well as restoration skills.
Number of reported vulnerabilities within the organization – This is an important indicator of how people participate in the security process and whether they are reporting incidents/weaknesses. Note that the more people report incidents, the more aware your organization is.
Metric performance – If you are compliant with an international standard (such as ISO 27001), you are also required to report the performance of security metrics as part of regular reporting. Unlike the previous points, with metrics the management has set a performance target for a security process. Deviations from the target are subject to root cause analysis (RCA) and should be investigated as part of the compliance process.