nCircle.com >> 360 Security


What is Security Performance?

Performance: Usually expressed in terms of availability, throughput and response time, performance is the single most important factor in determining how much useful work a system delivers.

Information Security: The CIA triad (confidentiality, integrity, availability) we live by, or, in plain words, “the right information to the right people at the right time”.

To me performance is PART of security, not an adjective thereof. Do you have better security if you get the information to someone faster or with fewer packets?

SysTrust

Recently, I’ve had the opportunity to evaluate some of our internal policies and procedures against those of the AICPA SysTrust standard. As a side note, this published standard is a good place to start if you find ISO 17799 too daunting, but that’s a completely different topic. What caught me off guard in SysTrust is a criterion which says:

“The entity’s confidentiality and security performance is periodically reviewed and compared with the defined confidentiality and related security policies.”

I’ve been gnashing on this one for a while now. There are security metrics (see NIST SP 800-55) from which, once measured, one can derive performance data. Information security is a defined term, and so is performance; what, then, is security performance? I think the team at AICPA may have cut some corners on this one. Using an undefined term in a published standard just adds to the already daunting task of becoming compliant.

If you’d care to attempt to define security performance, send me your ideas.

About

This page contains a single entry from the blog posted on December 19, 2006 7:41 AM.

The previous post in this blog was Trusting Software Distribution.

The next post in this blog is SCADAGard SIG To Be Established.
