Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI
- 18h 48m
- Debra S. Herrmann
- CRC Press
- 2007
While it has become increasingly apparent that individuals and organizations need a security metrics program, it has been exceedingly difficult to define exactly what that means in a given situation. There are hundreds of metrics to choose from, and an organization’s mission, industry, and size will affect the nature and scope of the task as well as the metrics and combinations of metrics appropriate to accomplish it. Finding the correct formula for a specific scenario calls for a clear, concise guide with which to navigate this sea of information.
Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI defines more than 900 ready-to-use metrics that measure compliance, resiliency, and return on investment. The author explains what needs to be measured, why and how to measure it, and how to tie security and privacy metrics to business goals and objectives. The book addresses measuring compliance with current legislation, regulations, and standards in the US, EC, and Canada, including Sarbanes-Oxley, HIPAA, and the Data Protection Act-UK. The metrics covered are scaled by information sensitivity, asset criticality, and risk, and aligned to correspond with different lateral and hierarchical functions within an organization. They are flexible in terms of measurement boundaries and can be implemented individually or in combination to assess a single security control, system, network, region, or the entire enterprise at any point in the security engineering lifecycle. The text includes numerous examples and sample reports to illustrate these concepts and stresses a complete assessment by evaluating the interaction and interdependence between physical, personnel, IT, and operational security controls.
Bringing a wealth of complex information into comprehensible focus, this book is ideal for corporate officers, security managers, internal and independent auditors, and system developers and integrators.
About the Author
Debra Herrmann has more than 20 years of experience in software safety, software reliability, and security engineering in industry and the defense/intelligence community, beginning before the Orange Book was issued. Currently she is the Technical Advisor for Information Security and Software Safety for the U.S. Federal Aviation Administration. In this capacity she leads research initiatives to identify engineering best practices to reduce the time and cost to certify and deploy systems, while at the same time increasing confidence in the security and integrity of those systems. Previously she was the ITT Manager of Security Engineering for the $1.78B FAA Telecommunications Infrastructure Program, one of the first programs to apply the Common Criteria for IT Security Evaluation to a nationwide safety-critical WAN. She has published several articles and three other books, each the first full-length book to be published on that topic. Debra has been active in the international standards community for many years, serving as the U.S. Government representative to International Electrotechnical Commission (IEC) software safety standards committees, Chair of the Society of Aerospace Engineers (SAE) subcommittee that issued the JA 1002 software reliability engineering standard, and member of the IEEE Software Engineering Standards balloting pool. She teaches graduate and undergraduate computer science courses and is a frequent invited guest speaker at conferences.
In this Book
- Introduction
- The Whats and Whys of Metrics
- Measuring Compliance with Security and Privacy Regulations and Standards
- Measuring Resilience of Physical, Personnel, IT, and Operational Security Controls
- Measuring Return on Investment (ROI) in Physical, Personnel, IT, and Operational Security Controls
- Glossary of Terms, Acronyms, and Abbreviations