4.4.5 Analysis
The IAQP analysis step describes how to analyze parameters in terms that have
meaning to the intended audience, i.e., executives, management, operations, and
users. The result of analyzing the IA quantification data provides input to the
reports. Therefore, consider who will read the report, who will benefit from the
analysis, what key points they are looking for, and what decisions they will make
with the analysis.
If the measure is artificial, the objective is to apply the quantification with
consistency to ensure results are comparable from person to person, team to team, and
time to time. Analysis may show levels of awareness and understanding, number
of installations, uptime of mechanisms, mean time between failures (MTBF), or
SLAs. Analysis may compare the security posture of one system to another system,
or compare the security posture of one location to another location.
The results of the analysis can distinguish who is performing well and who is not,
and who has the best compliance levels. An aggregation of multiple discovery efforts
may show the enterprise security posture. Performing the same discovery process 12
months later now provides the ability to compare results. Doing the same discovery
process year after year provides the ability to trend the security posture.
4.4.6 Report
The IAQP report process determines the target audience that will benefit from the
analysis, how they will benefit, and the report form, flow, and content for the
audience to derive the most benefit. The target audience may be an executive desiring
charts with a bottom-line financial flavor or an operations line manager who desires
to modify workflow. The report process may describe report templates for various
audiences. You, the IA architect, use the IAQP to invent a quantification process.
Conveying the results of IA discovery and analysis is a challenge. An important
note: The IA reports are what the organization sees of IA. Your job as an IA
architect is to develop a line of sight from business drivers to IA services and IA
mechanisms in operations. This is the opportunity to convey IA's business value in a
professional tone.
4.4.7 Feedback
Finally, consider how the quantification model will accept feedback from the target
entity for subsequent modification of the model.
The IAQP maps out how to quantify IA. The end result of the IAQP is the
articulation of what aspects of IA need to be measured, which may be measured,
what the metrics and measures are, how to obtain them, how to analyze and report
them, and what they mean to the organization.