When HDFC Bank’s infosec initiative reached critical mass in early 2010, CISO Vishal Salvi felt the time had come for finding a way to measure the effectiveness of the program for security to function effectively and optimally. To this end, the bank started looking around in the market for a security metrics standard.
The ISO/IEC 27004 standard for security metrics, which had just been released in December 2009, was zeroed in on. It was a logical extension of ISO 27001, and met all of HDFC Bank’s tactical requirements. A solution was developed based on the standards guidelines to serve HDFC Bank’s security metrics needs.
Why ISO 27004
While HDFC Bank already had metrics measuring outcomes of security initiatives and incidents to facilitate management reporting, this was being done manually. Under the bank’s existing model prior to the ISO 27004 compliance, data had to be collected and organized into charts and PPTs each time there was a management briefing session or an infosec review.
Manually managing metrics was turning out to be unproductive and prone to errors, in addition to not adhering to any standard structure. The implementation of an ISO 27004 based solution would make it possible for Salvi and his team to spend more time managing security rather than generating graphs and charts.
Further, maintaining this data over a period of time in a consistent form and format was turning out to be a hassle. While HDFC Bank had an ambitious automated GRC initiative in the pipeline, there was still some way to go before that materialized. A decision was taken to go for a tactical solution to deal with these issues in the interim. Complying with ISO 27004 was seen as a structured way to approach infosec metrics.
Instances of metrics measured at HDFC Bank
- Users who have completed security course over total.
- Number of encrypted laptops over total.
- Open / closed vulnerabilities based on criticality.
- Orphan IDs in the system.
- Severe security incidents and their analysis.
Phase one: The initial assessment
The initial phase of the exercise was divided into two components. HDFC Bank engaged a consultancy firm for this purpose, which began by gathering data to determine the measurable metrics requirements for each of the 21 components of HDFC Bank’s infosec program, including governance, application security, network security, IDAM and so forth. Attention was paid to what was being measured currently and what was expected to be measured under ISO 27004.
The consulting team and Salvi’s team worked in tandem to this end. Part of the challenge here was ascribing measurable numbers or percentages to security, an area where ISO 27004 helped. The second component of this exercise involved determining data points and thresholds. The team determined how data would be sourced and received. Once this was formalized, the last piece of the puzzle was how the data would be represented.
Building and managing the “Matrix” dashboard
Depending on the defined thresholds, the Matrix dashboard represents the data graphically. Data is fed into the system manually on a monthly basis by the infosec team, for every single measurable component. In addition to representing this data as per requirements, the system also acts as a repository, enabling retrospective analysis. This ISO 27004 compliant system, which took six to seven months to implement after several rounds of testing, has been in place for the last 18 months.
Team members responsible for each security component have data entry rights to the system. In monthly cycles, once data entry is complete, the Matrix dashboard is reviewed by the infosec team. Salvi is the owner of the ISO 27004 complaint dashboard and the product and its results are consumed only by Salvi’s team and several stakeholders in the security committee.
According to Salvi, one of the Matrix system’s limitations is that it is hard coded. He explains further that because the dashboard was meant to be tactical, flexibility was an inevitable tradeoff. Given that the system is not modular, any required change has to be made at the code level.
Security metrics and ROI
Salvi feels that the ISO 27004 compliant dashboard has become invaluable during management review meetings every month. There can now be a constant review of trends and visibility of risk, greatly aiding decision making. This has brought in discipline and rigor to the infosec process. Being tactical, the solution did not require a significant amount of funding and did not require making a business case outside the infosec team. In fact, Salvi feels that ROI has been substantial since implementation 18 months ago, with break-even being achieved a long time back.
The comprehensive repository that now exists for security metrics data would not have been possible without automation. The security reporting process has become extremely streamlined with ISO 27004 compliance, minimizing reliance on individual team members.
Salvi believes that dashboards are more useful to CISOs than higher management, helping them understand the key issues and challenges on the ground better. “It’s been a great enabler for me,” he says, emphasizing that the ISO 27004 initiative has improved HDFC Bank’s security posture.
The road ahead
According to Salvi, the ISO 27004 compliant system is a tactical initiation to automation — a first step towards HDFC Bank’s GRC initiative, which in turn is strategic in nature and is expected to be end-to-end, taking security metrics to the next level. The present system is expected to be decommissioned when IT GRC is fully implemented, incorporating ISO 27004 compliance within. Meanwhile, according to Salvi, the current ISO 27004 compliance measures serve as a proactive way of approaching Information Security Metrics.