Welcome to the cybersecurity leadership and management course. Today we will be discussing cybersecurity-actionable KRIs and KPIs, key risk indicators and key performance indicators, within the NIST cyber risk framework that yield the greatest security, trust and stability. My name is Cicero Chimbanda and I am your instructor for this course. In this course, we will discuss the following. We will look at an overview of the security, trust and stability model. We will look at KRIs and KPIs, continuing the discussion from the last chapter. We will look at an overview of the NIST cyber risk framework. Then we will look at the administrative control metrics, the KRIs and KPIs that yield security. We will look at the KRIs and KPIs under the technical controls that yield trust, and lastly we will look at the physical controls that yield stability. Let's begin. As we have talked about in previous courses, it always begins at the top, and with the end in mind. An organization has governance, and governance is the internal system of practices and controls that the company adopts in order to govern itself: how it makes decisions, complies with laws, and meets the needs of external stakeholders. Understanding senior management's mindset begins with understanding the mission and the vision of the organization, and therefore with its strategy and the goals it has to deliver; this is what dictates the type of measurement that will be taken in an organization. Leadership and management will begin by delivering on the following topics. First, security: confidentiality, protecting data, is of the utmost importance, so security that aligns with the organization's strategy is of the utmost importance.
Then you have integrity: making sure that data is reputable, that there is no tampering with the data, and also meeting the regulatory obligations, so creating trust. Lastly, availability: making sure that your systems are stable, delivering the operational excellence that's required. Now, best practices for defining KRI and KPI metrics. The first important point is to make sure that your KRIs and KPIs are aligned with your organization's strategy. This basically makes sure that the expertise you bring emphasizes the organizational risks that are important to the senior executives and establishes the return on investment. Make sure that the KRIs and KPIs you have are measurable: quantitative metrics, based on real data, that can draw true conclusions and exude credibility. Metrics that tell a story. Security professionals need to make a compelling business case and state it in such a way that it makes sense against the strategic goals. Make sure there are trends and benchmarking, with a story that the organization is willing to understand, while it is measuring its KRIs and KPIs. Visual: it's important to use graphs, to have a graphical presentation, and to keep it concise. Less is more when it comes to senior managers. Make sure that the senior managers understand; they have five minutes or less to see what you're trying to present, so you need a summary and you need to make it visually attractive, as we have talked about before in different chapters. Lastly, data-driven: whether you share metrics outside the department or within the department, they need to have data around them. It could be historical data, it could be trending, it could be time-sensitive, real-time data, but your metrics have to be driven by data, and the value of your metrics needs to show the accuracy of that data.
Now looking at NIST: it is a focused program for measuring cybersecurity, aligning the technical measurements and determining the cybersecurity risks. There are phases within NIST. You've got Identify, which is the organization understanding its environment. You've got Protect, which is implementing the appropriate safeguards. You've got Detect, which is appropriately measuring and identifying cyber risk events. Respond: the organization must have the ability to contain the impact. And Recover, which is implementing effective activities to restore the services affected by an event. Looking, for example, at the Target breach that we discussed in one of the chapters: if we had used the NIST model with certain KRIs and KPIs, this would have prevented the risk that the cyber attack on Target happened. Well, how? For example, if you had KPIs or KRIs around monitoring reconnaissance, looking at key indicators that showed that some discovery was being done at Target, perhaps there could have been an alert. Looking at multiple anti-malware solutions, having key risk indicators and key performance indicators that surfaced might have caught the anti-malware solution that was not functioning properly. Monitoring the Access Identity Management systems: obviously, we know that it was through escalated or elevated privileges that Target was breached; that is how they were able to get in. If you have reporting on AIM, or Access Identity Management, that could have been detected or responded to. Obviously, there was some lateral movement; having the ability to whitelist programs, so that only the allowable programs can function on certain hosts, would have prevented the Target breach. If you have KRIs or KPIs around that, potentially that could have covered it. Lastly, information sharing. Target did not have the ability to get information from other organizations; they weren't participating in a lot of information sharing programs.
If that had been in place, potentially that could have helped in the recovery from the Target breach. This is applying the NIST framework to prevent attacks. Let's look at some administrative controls within the key risk and key performance indicators. As we talked about earlier, organization strategy, security, and confidentiality are that alignment. Administrative controls, as we looked at in the previous course, for a program: you want to have the overall security posture, the task force, risk assessment, penetration testing and vulnerability scanning, user awareness training, and incident response; these are some of the key risk indicators. I won't go through them individually because we covered that in the last course, but then you align them with key performance indicators, and you see them side by side, how you can have key performance indicators and key risk indicators for the same administrative control that's being surfaced for measurement. You can do the same with technical controls that will produce trust. As you're reporting on your regulatory obligations, you have technical controls such as data loss prevention, or DLP. You can now quantify the percentage of items, or the number of times, that specific words are discovered or flagged on a daily basis. You can have that type of metric. You can have IAM, which we talked about earlier, Identity Access Management, with a report of authorized or non-authorized users with access to highly classified, sensitive data. For a communication and compliance monitoring system, you can have flagging of employees forwarding, or attempting to forward, highly classified sensitive data through electronic communication systems. You can have archiving and discovery: you can look at flagging data that has expired on the network, and failed deletions. Business and financial systems: looking at the value in dollars impacted on a monthly basis, looking at system errors and miscalculations. Human resources applications:
looking at the report of user IDs, personally identifiable information, and records. Then lastly, firm element and training systems: you can look at the report of employees that completed training, or the failure rate for training and testing. Now, key performance indicators. You can quantify the amount of time it takes to trigger. You can have a user ID monthly report: data blast, successful network logins. This is important because you want to make sure that you don't have any IDs that are not used; you want to make sure that you delete them. Sarbanes-Oxley has a 30-day deletion policy for IDs that are expired. Daily, weekly, and monthly inbound or outbound ingestion of communications. You have performance in archiving and discovery. In business and financial systems, having a quality survey, then finding out if it's user-friendly. Then lastly, the same thing with firm element training: customer survey results, user-friendliness, and training. For HR employee applications, the number of system failures and outages during critical business hours. Lastly, let's look at cybersecurity physical control metrics, the KRIs and KPIs that bring stability. As we know, stability, availability, and operational excellence are the key components of keeping the lights on. Looking at elements that have key risk indicators: you look at the network operations center, the cooling and HVAC systems, looking at the reports, the failure rate, preventive maintenance, and the time, in duration or days, that the NOC has not experienced power outages. Looking at the number and duration of outages and intermittent interruptions by the different internet service providers and vendors. Looking at the end-to-end topology, testing the paths. Looking at servers or controls for unsupported OSs, operating systems. Annual reports for fiber.
Making sure that you have a list of cables that have been cut or interrupted by natural disaster or man-made events, and the number of power supplies damaged on a quarterly basis. These are key risk indicators for physical controls. Then, for the network operations center, the NOC: the quantity and time duration that the HVAC remains within the high and low risk temperatures for the NOC; for the UPS and power systems, the time or duration for which it has not experienced an outage. The annual cost of the internet service providers versus the budget, looking at the ISPs. The wide area network: looking at the routers, at network utilization and traffic reports, packet loss, jitter and latency, and having redundant fiber cable. The virtual servers and physical servers: looking at performance, monitoring the servers' CPU, memory, disk levels, network bandwidth and processes. Then redundant fiber cables, looking at their performance, comparing aerial versus underground installation. Then lastly, dual power supplies, and other reliability measurements, looking at the power quality and the power source. So again, these are some KPIs, key performance indicators, and KRIs, key risk indicators, that can be used to measure and to assure that you are delivering security, trust, and stability. This concludes this course. We'll see you at the next one.
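As an added example, not part of the course material, here is a small Python script that turns two of the indicators described above into numbers from constructed sample data: the KRI of user IDs with no successful network login inside the 30-day window, and the daily DLP flag-rate KPI, rolled up into the one-line status a senior manager can read in under five minutes. The user IDs, dates, DLP counts and the 1% DLP threshold are all constructed assumptions, not values from the lecture.

```python
from datetime import date, timedelta

# Constructed sample data (not from the course): last successful network login per user ID.
LAST_LOGIN = {
    "u.alice": "2024-05-28",
    "u.bob": "2024-03-01",
    "svc.backup": "2024-01-15",
    "u.carol": "2024-05-30",
}

# Constructed daily DLP counts: day -> (items scanned, items flagged for classified terms).
DLP_DAILY = {
    "2024-05-29": (1200, 6),
    "2024-05-30": (950, 19),
    "2024-05-31": (1100, 4),
}

STALE_DAYS = 30  # the 30-day window for expired IDs cited in the lecture


def stale_ids(last_login, as_of, stale_days=STALE_DAYS):
    """KRI: user IDs with no successful login in the last stale_days days,
    as (user_id, days_since_login) pairs, oldest first. as_of is YYYY-MM-DD."""
    today = date.fromisoformat(as_of)
    cutoff = today - timedelta(days=stale_days)
    stale = [(uid, (today - date.fromisoformat(seen)).days)
             for uid, seen in last_login.items()
             if date.fromisoformat(seen) < cutoff]
    return sorted(stale, key=lambda pair: -pair[1])


def dlp_flag_rate(dlp_daily):
    """KPI: percentage of scanned items flagged per day, to two decimals."""
    return {day: round(100.0 * flagged / scanned, 2)
            for day, (scanned, flagged) in dlp_daily.items() if scanned}


def kri_status(stale, flag_rates, max_flag_pct=1.0):
    """Roll both indicators into the status a senior manager reads:
    'red' with the reasons if any threshold is breached, otherwise 'green'."""
    breaches = []
    if stale:
        breaches.append(f"{len(stale)} IDs past the {STALE_DAYS}-day window")
    hot_days = [d for d, pct in flag_rates.items() if pct > max_flag_pct]
    if hot_days:
        breaches.append(f"DLP flag rate above {max_flag_pct}% on {', '.join(hot_days)}")
    return ("red" if breaches else "green"), breaches
```

Calling `kri_status(stale_ids(LAST_LOGIN, "2024-05-31"), dlp_flag_rate(DLP_DAILY))` on this data returns a red status with two reasons: two stale IDs and one day over the DLP threshold.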