The IT department of a financial institution usually monitors threat indicators from many different systems. It is best practice to provide reporting of the most important metrics from this monitoring to senior management and to the board.
Deciding which of the many metrics to report can be the difficult part. It is critical to communicate important events and to demonstrate the effectiveness of the security program without overwhelming an audience that may not be technically minded.
This week, we wanted to share a list of metrics that we commonly see reported to senior management and to the board of financial institutions. These metrics strike a good balance between communicating important information and not losing or overwhelming your audience. The metrics are as follows:
- IDS/IPS Incidents: The Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) monitors key network connections for events which may indicate an attempted intrusion. An IPS will go a step further and try to block the suspicious traffic automatically. The IDS/IPS system should alert IT when suspicious events are detected, and IT should investigate these and maintain a log of actions taken. Metrics regarding these alerts and actions taken should be reported to management.
- Antivirus Events and Status: Any virus alerts received from antivirus systems should be logged and reported to management, along with actions taken. We also recommend including the status of antivirus signature updates to management so that they are aware if any systems are at risk due to failed updates.
- Web Filtering Statistics: Reporting on the number of blocked web browsing requests demonstrates to management that web filtering controls are working properly. If the web filter provides details regarding specific blocked threats (blocked malware, etc.), we recommend including these statistics as well.
- Email Filtering Statistics: Providing management with insight into what percentage of incoming email is blocked before it reaches users is normally an eye-opening experience because the percentages are usually quite high. If the filtering solution provides deeper statistics on the reasons for blocking (spam, language, detected viruses, etc.), we recommend including these breakdowns in management reporting.
- Patching & Vulnerability Management: Reporting on the number of outstanding patches and vulnerabilities to management is an expectation of regulators. If possible, we encourage institutions to provide aging context (how old the vulnerabilities or patches are). We also recommend providing metrics on the number of remediated vulnerabilities and/or patches applied to show diligence in the vulnerability and patch management programs.
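The aging context recommended above is the piece most institutions struggle to produce from a raw scanner export. The following is an added example (not code from this post or from any vendor product) showing how a monthly report can turn a list of findings into outstanding counts by age bucket and severity, plus the number remediated during the reporting period. All hosts, finding titles and dates are constructed sample values; the bucket boundaries (30/60/90 days) are a common choice, not a regulatory requirement.

```python
"""Vulnerability/patch aging metrics for a monthly management report.

Added example with constructed sample data; hosts and titles are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Finding:
    host: str
    title: str
    severity: str                       # "critical", "high", "medium" or "low"
    discovered: date                    # date the scanner or vendor first reported it
    remediated: Optional[date] = None   # None while the item is still outstanding


# Constructed sample findings (hypothetical hosts and titles, not real results).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("web01", "Outdated TLS library", "critical", date(2023, 12, 1)),
    Finding("fileserver01", "Missing monthly OS patch", "high", date(2024, 1, 5)),
    Finding("vpn01", "Vendor advisory fix pending", "critical", date(2024, 2, 1)),
    Finding("workstation07", "Browser update pending", "medium", date(2024, 3, 15)),
    Finding("db01", "Database engine patch", "high", date(2024, 2, 10), date(2024, 3, 12)),
    Finding("mail01", "Weak cipher enabled", "low", date(2024, 2, 20), date(2024, 2, 28)),
    Finding("hrapp01", "Application hotfix", "medium", date(2024, 3, 20), date(2024, 3, 25)),
]

# Aging buckets as (lower bound, upper bound or None for open-ended, label).
AGE_BUCKETS = [
    (0, 30, "0-30 days"),
    (31, 60, "31-60 days"),
    (61, 90, "61-90 days"),
    (91, None, "over 90 days"),
]


def bucket_for(age_days: int) -> str:
    """Map an age in days onto its reporting bucket label."""
    for lo, hi, label in AGE_BUCKETS:
        if age_days >= lo and (hi is None or age_days <= hi):
            return label
    raise ValueError(f"negative age: {age_days}")


def is_open(f: Finding, as_of: date) -> bool:
    """Outstanding on the report date: discovered by then and not yet remediated."""
    return f.discovered <= as_of and (f.remediated is None or f.remediated > as_of)


def aging_report(findings: List[Finding], period_start: date, as_of: date) -> Dict:
    """Build the metrics a board slide needs: open items by age and severity,
    the oldest open item, and how many were closed within the period."""
    open_items = [f for f in findings if is_open(f, as_of)]
    by_bucket = Counter(bucket_for((as_of - f.discovered).days) for f in open_items)
    by_severity = Counter(f.severity for f in open_items)
    remediated = [f for f in findings
                  if f.remediated is not None and period_start <= f.remediated <= as_of]
    oldest = max(((as_of - f.discovered).days for f in open_items), default=0)
    return {
        "open_total": len(open_items),
        # Emit every bucket, including empty ones, so the chart shape is stable month to month.
        "open_by_bucket": {label: by_bucket.get(label, 0) for _, _, label in AGE_BUCKETS},
        "open_by_severity": dict(by_severity),
        "oldest_open_days": oldest,
        "remediated_in_period": len(remediated),
    }


def render_summary(report: Dict) -> List[str]:
    """Plain-text lines suitable for pasting into the monthly IT committee minutes."""
    lines = [f"Outstanding items: {report['open_total']} "
             f"(oldest {report['oldest_open_days']} days)"]
    for label, n in report["open_by_bucket"].items():
        lines.append(f"  {label}: {n}")
    for sev, n in sorted(report["open_by_severity"].items()):
        lines.append(f"  {sev}: {n}")
    lines.append(f"Remediated this period: {report['remediated_in_period']}")
    return lines


def sample_report() -> Dict:
    """Report for the constructed March 2024 sample data."""
    return aging_report(SAMPLE_FINDINGS, date(2024, 3, 1), date(2024, 3, 31))


if __name__ == "__main__":
    print("\n".join(render_summary(sample_report())))
```

Two design points matter for management reporting: an item counts as open only if it was discovered on or before the report date and not yet closed by then, so re-running the report for a past month gives the same answer it gave at the time; and every age bucket is emitted even when empty, so the dashboard keeps the same shape from month to month and a growing "over 90 days" column is visible at a glance.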
If your institution needs assistance in creating meaningful cybersecurity management reporting, we have a couple of CySPOT™ modules that might be a good fit.
With our Governance module we work with you to create a strategic plan and build out your information security program annual task list and calendar. We also lead the monthly information security meetings, create the agenda, and keep the minutes. This allows you to be certain you're reviewing the right reports and covering all the items from month to month that you should be, giving your team a clear picture of your program.
The other module that provides great reporting from month to month is our Monitoring and Oversight module. With it you get what we call a "Key Risk Indicator" (KRI) Dashboard, a high-level snapshot of your risk position. Your vCISO Specialist will work with your institution to identify and regularly receive the most useful reports for monitoring key controls. They will then review those reports and provide a monthly summary of statistics to management as a KRI dashboard.
If you'd like more information on either of these modules, shoot us an email at support@bedelsecurity.com.