Metrics 1: Infosec LOE Drivers - Number of Users

There are two basic InfoSec LOE drivers within an organization: the things that cause the InfoSec workload to be what it is and to increase or decrease. The two basic drivers are:

  • The number of systems which fall under the purview of the CIAPP and ISSO's overall responsibility for protection; and

  • The number of users of those systems.

A question that must be asked is: Why are these metrics worth tracking? They are worth tracking because they drive the InfoSec workload—the LOE—which means they drive the number of hours that the InfoSec staff must expend in meeting their InfoSec responsibilities relative to those systems and users.

As the number of users on IWC networks changes or the number of systems changes, so does the workload; therefore, so does the number of staff required and the amount of budget required—time to do the job. For example, assume that IWC is downsizing—a common occurrence, which ISSOs will eventually face in their InfoSec careers. If the ISSO knows that IWC will downsize its workforce by 10%, and assuming that the workforce all use computers, which is not unusual in today's corporations, the workload should also decrease about 10%. This may cause the ISSO to also downsize (lay off staff) by approximately 10%.

However, the downsizing, whether it is more or less than the IWC average, should be based on the related InfoSec workload. The InfoSec drivers are metrics that can help the ISSO determine the impact of the IWC downsizing on the CIAPP and InfoSec organization. The metrics associated with that effort can also justify downsizing decisions to IWC management—to include possibly downsizing by 5% or 12% instead of 10%. For example, more layoffs may mean more CIAPP-related infractions, which means an increase in noncompliance inquiries, and thus an increase in the workload. Massive layoffs would also mean more work for those who are responsible for deaccessing employees from the systems prior to employment terminations. The metrics can show this work increase and make a case to management for not laying off InfoSec staff until after the other major layoffs have occurred.

Charting LOE through Number of System Users

As an ISSO, you decided that it would be a good idea to use the driver's metric that is used for tracking the number of system users. You have gone through the analytical process to make that decision based on answering the why, what, how, when, who, and where questions.

Why Should These Statistics Be Collected?

The driver's metric which tracks the number of system users for which the ISSO has InfoSec responsibility is used to assist in detailing the needed head-count budget for supporting those users. As an example, the following functions are charted based on the number of IWC system users (Figure 9.2):

  • Access control violations;

  • Noncompliance inquiries; and

  • Awareness briefings.

Figure 9.2: Use of a metrics chart to show how the ISSO and staff are performing their jobs in an efficient manner without a loss of quality service and support.

What Specific Statistics Will Be Collected?

  • Total users by location and systems; and

  • Total systems by location and type.

How Will These Statistics Be Collected?

  • The total number of users will be determined by totaling the number of userids on each network system and adding to it the number of standalone systems. It is assumed that each standalone system has only one user.

  • Standalone microcomputers and networked systems (each networked system counts as one system) will be identified and totaled using the approved system documentation on file within the InfoSec organization on the approved systems database. At IWC, all systems processing sensitive IWC information, falling within the categories previously identified at IWC for identifying information by its value, must be approved by the ISSO (designated InfoSec staff members). Therefore, the data can be collected from the InfoSec organization's records.
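The counting rule above, as an added example that is not from the book: each networked system contributes the number of userids on it and counts as one system, and each standalone microcomputer counts as one system with exactly one user. The approved-systems records are constructed here; the location and system names are hypothetical.

```python
"""Metrics 1 driver totals: users by location and system, systems by location and type."""
from collections import defaultdict

# Constructed approved-systems records (hypothetical IWC inventory, not real data).
APPROVED_SYSTEMS = [
    {"name": "corp-lan-hq", "location": "HQ", "type": "networked", "userids": 120},
    {"name": "eng-lan-hq", "location": "HQ", "type": "networked", "userids": 45},
    {"name": "pc-hq-017", "location": "HQ", "type": "standalone"},
    {"name": "plant-lan", "location": "Plant", "type": "networked", "userids": 60},
    {"name": "pc-plant-003", "location": "Plant", "type": "standalone"},
    {"name": "pc-plant-004", "location": "Plant", "type": "standalone"},
]


def users_for(system):
    """Apply the counting rule: standalone = 1 user, networked = number of userids."""
    if system["type"] == "standalone":
        return 1
    if system["type"] == "networked":
        return int(system["userids"])  # KeyError if the record lacks a userid count
    raise ValueError(f"unknown system type {system['type']!r} for {system['name']}")


def users_by_location_and_system(systems):
    """{location: {system name: user count}} for the monthly driver chart."""
    totals = defaultdict(dict)
    for s in systems:
        totals[s["location"]][s["name"]] = users_for(s)
    return dict(totals)


def systems_by_location_and_type(systems):
    """{location: {type: number of systems}}; a networked system counts once."""
    totals = defaultdict(lambda: defaultdict(int))
    for s in systems:
        totals[s["location"]][s["type"]] += 1
    return {loc: dict(by_type) for loc, by_type in totals.items()}


def total_users(systems):
    """World-wide total for the top-level 'Total Users' chart."""
    return sum(users_for(s) for s in systems)


if __name__ == "__main__":
    for loc, per_system in users_by_location_and_system(APPROVED_SYSTEMS).items():
        print(loc, sum(per_system.values()), per_system)
    print(systems_by_location_and_type(APPROVED_SYSTEMS))
    print("total users:", total_users(APPROVED_SYSTEMS))
```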

When Will These Statistics Be Collected?

The statistics will be compiled on the first business day of each month and incorporated into the Metrics 1, InfoSec Drivers graph, maintained on the InfoSec department's administrative microcomputer.

Who Will Collect These Statistics?

The statistics will be collected, entered, and maintained by the project leaders responsible for each InfoSec function, such as system accesses and system approvals.

Where (at What Point in the Function's Process) Will These Statistics Be Collected?

The collection of statistics will be based on the information available and on file in the InfoSec organization through close of business on the last business day of the month.

Of course the number of system users affects all InfoSec functions; however, Figure 9.2 is just an example of how the ISSO may want to depict the InfoSec workload. Follow-on charts would show the workload relative to the other InfoSec functions that are affected. The bold fonts are used to highlight important facts that the ISSO wants to emphasize—management's eyes are naturally drawn to bold fonts.

Significance of the System Users Chart

The number of system users is also a driver of InfoSec workload because the InfoSec functions' level of effort (LOE) and some projects are based on the number of users. They include the following:

  • The InfoSec staff provides access controls for users;

  • The number of noncompliance inquiries will probably increase based on the increased number of users;

  • The number of noncompliance inquiries may actually increase when IWC downsizes because of more hostility among the employees (a metrics chart showing caseload may help in defending ISSO staff from more drastic layoffs than management may have required);

  • The time to review audit trail records will increase as a result of more activity because of more users; and

  • The number of awareness briefings and processing of additional awareness material will increase as a result of an increase in users.

Remember that as an ISSO you are also an InfoSec "salesperson" and must effectively advertise and market information and systems protection to IWC personnel. The chart noted in Figure 9.2 and similar charts can be used by the ISSO for the following:

  • Justify the need for more budget and other resources;

  • Indicate that the CIAPP is operating more efficiently because the budget and other resources have not increased although the number of systems has increased; and

  • Help justify why budget and other resources cannot be decreased.

The "Total Users of IWC Networks World-Wide—2002" chart (Figure 9.2) is one of many that can be used to brief management on systems' users, and also for the ISSO to use internally to manage the InfoSec organization. A similar chart (Figure 9.3), related to Figure 9.2 and showing InfoSec LOE systems, is also useful for briefing management, for example, on head count and budget matters.

Figure 9.3: The number of IWC systems, a main InfoSec budget driver.

When deciding to develop metrics charts to track workload, efficiency, costs, etc., of that function, always start at the highest level and then develop charts at lower levels (in more detail) that support the overall chart. This is done for several purposes. The ISSO may have limited time to brief a specific audience, and if it is an executive management briefing, the time will be shorter, as usually their attention span is short when it comes to InfoSec matters. So, the "top-down" approach will probably work best. If you have time to brief in more detail, the charts are available. If executive management has a question relative to some level of detail, then the other charts can be used to support the ISSO statements and/or position in reply to the question of the audience. Other systems' users-related charts flow from the main chart (Figure 9.4).

Figure 9.4: The flow of metrics charts related to the system users chart (Figure 9.2). Each box identifies a potential additional metric chart.

Granting Users Access to Systems

A major InfoSec service and support function is to add new users to systems and to provide them new access privileges as directed by their management and information owners.

As part of that service and support effort, the ISSO wants to ensure that these users are given access as quickly as possible, because without their access or new access privileges, the users cannot perform their jobs.

If users cannot gain expeditious access, then the CIAPP is costing IWC in terms of lost productivity of IWC employees or even possibly lost revenue in other forms.

The ISSO, in coordination with the InfoSec staff responsible for the access control function, evaluated the access control process and determined that users should be given access within 24 hours of receipt of a request from management.

The ISSO decided to track this process because of its high visibility. Nothing can damage the reputation of the ISSO and staff faster than a hostile manager whose employees cannot get systems access to be able to do their work, leading, for example, to increased costs due to lost department productivity caused by delays in granting employees access to systems. In order to develop a metrics chart, one should first create a flowchart of the function. Then the ISSO can identify statistical collection points for metrics management charts (Figure 9.4).
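The 24-hour access target described above, measured over a request log, as an added example that is not from the book. The request records are constructed; the collection points assumed are "request received from management" and "access granted", and open requests are aged against an optional "as of" time so a backlog that has already passed the target is visible before it closes.

```python
"""Access-request turnaround against the 24-hour target."""
from datetime import datetime, timedelta

TARGET = timedelta(hours=24)

# Constructed access-request log (hypothetical ids and times; not real data):
# (request id, received from management, access granted or None if still open)
REQUESTS = [
    ("AR-1001", "2002-03-04T09:15", "2002-03-04T16:40"),
    ("AR-1002", "2002-03-04T14:00", "2002-03-06T10:05"),
    ("AR-1003", "2002-03-05T08:30", "2002-03-06T08:29"),
    ("AR-1004", "2002-03-05T11:00", None),
]


def hours(delta):
    return round(delta.total_seconds() / 3600, 1)


def turnaround_report(requests, target=TARGET, as_of=None):
    """Summarise completed requests within/over target and age the open ones.

    as_of: ISO-8601 time used to age open requests; if None they are only listed.
    """
    within, over, breaches, open_ids, open_over = 0, 0, [], [], []
    as_of_dt = datetime.fromisoformat(as_of) if as_of else None
    for rid, received, granted in requests:
        received_dt = datetime.fromisoformat(received)
        if granted is None:
            open_ids.append(rid)
            if as_of_dt is not None and as_of_dt - received_dt > target:
                open_over.append(rid)  # still open and already past the target
            continue
        elapsed = datetime.fromisoformat(granted) - received_dt
        if elapsed <= target:
            within += 1
        else:
            over += 1
            breaches.append((rid, hours(elapsed)))
    completed = within + over
    pct = round(100.0 * within / completed, 1) if completed else 0.0
    return {"completed": completed, "within_target": within, "over_target": over,
            "pct_within": pct, "breaches": breaches,
            "open": open_ids, "open_over_target": open_over}


if __name__ == "__main__":
    print(turnaround_report(REQUESTS, as_of="2002-03-07T09:00"))
```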

Anything worth doing does not have to be done perfectly—at first.—Ken Blanchard

The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204