Just another ComMetrics – social media monitoring, best metrics, marketing metrics weblog

Service-oriented architecture and security or what is the system really worth?

November 10th, 2006

Achieving regulatory compliance and satisfactory security in order to protect confidentiality, integrity and availability of data is a challenging task. As pointed out in previous postings (see above), metrics play an important part in these efforts. In fact, metrics can be a decisive help in getting the support of senior management, by focusing their attention upon matters that they perceive as being critical in their risk management and legal compliance strategy.

For instance, the US Postal Service (USPS) uses 130 metrics to track its daily, weekly and monthly security posture.

One metric addresses the data backup procedures, with the objective of achieving a three-day data backup for servers. September 2006 was the first month during which USPS succeeded in reaching this goal 100%, although difficulties in doing some of these backups over remote connections are likely to make it tough to reach this target every month.

The service is averaging two or three unscheduled emergency changes of software or configurations each day, or about 50 to 70 each month. Beginning in 2007, USPS plans to limit that to just one emergency change each day. This target is laudable but depends, of course, upon the many types of software the USPS uses and, as well, on how many zero-day exploits and others may make life a bit difficult.

_Do the above metrics work?_

That is the question. Over the lifetime of the system or software, various maintenance work has to be done. Hence, the question must be asked: what is the cost of an unscheduled emergency change of software?

Alternatively, what does it cost to fail to patch the system and have a zero-day exploit taken advantage of by a group of hackers?

What is software worth?

The above slide also suggests that regulatory compliance may require adaptive maintenance (blue). Corrective maintenance (red) deals with patching and bug fixing. Perfective maintenance (bottom green) deals with the efforts undertaken to keep customers satisfied, whose expectations tend to grow over the lifetime of software or a database (could we not also do this, and what about that :-) ).

Hence, unless metrics also address the valuing of security efforts, in conjunction with numbers obtained from having valued systems and software based on the income that the use of these systems and software is expected to generate in the future, the usefulness of certain metrics may be limited.

_When metrics achieve the wrong results_

But not everything works out okay. For instance, when the program was measuring the percentage of problems that were being resolved in just one call to the IT help desk, customer satisfaction actually went down. The USPS people found that help desk workers were focused on clearing a problem on the first call, whether or not the problem was really resolved (i.e. failing to address the root of the problem or the cause of it).

_PS. 1_

USPS has an IT infrastructure that encompasses 7,000 networked sites and 175,000 users across the U.S.

