
Objective

Management needs to know whether the current ICS, i.e. the one actually in place and working now, is achieving the objectives they want, irrespective of what else is happening in the world.  In other words, the measurement should not be conditional on whether anyone is actually trying to attack or defraud the organisation, on how frequent such events are, or on how damaging the resulting impacts might be.  They therefore need a measure of the ICS which is direct (i.e. it is performed on the actual implementation rather than on the design) and which is independent of what the world is doing.  We refer to this as operational effectiveness.  The metrics we use are the time parameters identified in our fundamental model:

  • The time of detection: TD if the event is detected by the ICS, or TM if it is detected by some other means (e.g. it is reported in a newspaper)

  • The time at which the damage caused by the event is fixed (TF), where it is possible and appropriate to fix it, or at which the problem is otherwise resolved

  • The time limit (TW) after which, if the damage has not been fixed, an impact penalty is incurred.
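The three time parameters are only useful once they are taken from an actual incident register and aggregated, since that is what makes the measure "direct" and independent of how often anyone attacks. The following is an added example (not code from the original page or from Gamma) that does exactly that over a small constructed register. The field names, the use of the event's own occurrence time as the point from which TW runs, and the "now" argument used to judge still-open incidents are all assumptions of this example; the page defines only TD, TM, TF and TW.

```python
"""Derive ICS operational-effectiveness time metrics from an incident register.

Added example: the register below is constructed for illustration, and the
field names (ident, occurred, ...) are this example's own.  The page defines
only the time parameters TD/TM, TF and TW; it is assumed here that TW is
measured from the time the damaging event occurred.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Incident:
    ident: str
    occurred: datetime           # assumed: time of the damaging event itself
    detected: datetime           # TD if detected_by_ics, otherwise TM
    detected_by_ics: bool        # False = found by other means (press, customer, ...)
    fixed: Optional[datetime]    # TF, or None if the damage is not (yet) fixed
    window: timedelta            # TW: limit after 'occurred' before a penalty applies

    def detection_delay(self) -> timedelta:
        """How long the event went unnoticed, whoever finally noticed it."""
        return self.detected - self.occurred

    def penalty_incurred(self, now: datetime) -> bool:
        """Penalty rule from the page: the damage was not fixed within TW.

        A still-open incident only counts as penalised once its window has
        actually closed, so 'now' decides the edge case of unfixed damage.
        """
        deadline = self.occurred + self.window
        if self.fixed is not None:
            return self.fixed > deadline
        return now > deadline


def summarise(register, now: datetime) -> dict:
    """Aggregate the time parameters over the register.

    The figures are per-event ratios and latencies of the ICS itself; they say
    nothing about how many events there were, which is the point of the measure.
    """
    n = len(register)
    delays_h = [i.detection_delay().total_seconds() / 3600 for i in register]
    return {
        "incidents": n,
        "detected_by_ics": sum(i.detected_by_ics for i in register) / n,   # TD vs TM
        "median_detection_delay_h": median(delays_h),
        "penalty_incurred": sum(i.penalty_incurred(now) for i in register) / n,
    }


H = timedelta(hours=1)

# Constructed sample register (not real incidents).
SAMPLE_REGISTER = [
    # Caught by the ICS and fixed well inside the window.
    Incident("I1", datetime(2004, 1, 1), datetime(2004, 1, 1, 2), True,
             datetime(2004, 1, 1, 8), 24 * H),
    # Detected via a press report (TM) three days later; fixed after TW expired.
    Incident("I2", datetime(2004, 1, 2), datetime(2004, 1, 5), False,
             datetime(2004, 1, 6), 48 * H),
    # Detected by the ICS quickly but still unfixed; window has since closed.
    Incident("I3", datetime(2004, 1, 3), datetime(2004, 1, 3, 1), True,
             None, 72 * H),
    # Detected by the ICS, fixed after 36 h against a 7-day window.
    Incident("I4", datetime(2004, 1, 4), datetime(2004, 1, 4, 6), True,
             datetime(2004, 1, 5, 12), 7 * 24 * H),
]
NOW = datetime(2004, 1, 10)   # assumed reporting date for the still-open I3


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_REGISTER, NOW).items():
        print(f"{key}: {value}")
```

Note that the ratios are computed over whatever events happened to occur; a quiet month and a busy month give comparable figures for the control itself, which is what "independent of what the world is doing" requires of the measurement.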

Measuring

Measurement of operational effectiveness is straightforward.  It takes the form of:
  • Determining the actual control class of each control, using Table 2 (see insert right)

  • Applying the criteria specified in Table 3 (see insert below).

A Worked Example

Consider a small software company that produces bespoke software systems for its clients. The company relies on an ICS that is predicated solely on program testing; in particular, there are no formal design or code reviews.  There is a reliable backup system that verifies that backups are restorable and complains if they are not. However, there is no BCP covering anything outside of IT. What is the operational effectiveness of this approach?

A typical development schedule is shown in Figure 8. The "program testing" control takes effect late in the schedule.  It may start to identify problems as early as month 6, but some problems might not be detected until month 12.  If the control identifies a top-level design error, then the later it is detected the greater the chance that it will be too late to do anything about it before the expiry of the time window, which we associate here with the end of the development period.  Thus the "program testing" control is Class 2, potentially downgrading to Class 4.  It gives no indication when it fails to find an error, and is therefore not self-policing.  The backup control, however, is self-policing but is not fail-safe.

Figure 8: A typical development schedule

We have a self-policing procedure, the backup control (R1 satisfied, score 3). There is nothing to suggest that a majority of the detective procedures are Class 2, but the control under discussion is Class 2 degradable (S1 satisfied, score 3). We have a BCP, albeit one that covers IT only (A1 satisfied, score 3). The total score is 9, and the ICS therefore ranks as Category A.

Gamma is an ISO/IEC 27001:2005 and BS EN ISO 9001:2000 registered company, certified for the provision of information security consultancy.  BSI certificate numbers IS 85916 and FS 30710.  Please send comments to webmaster@gammassl.co.uk or complete our Visitors' Book.  Gamma Secure Systems, Diamond House, Frimley Road, Camberley, Surrey, GU15 2PS, UK.  Tel: +44 1276 702500 - Fax: +44 1276 692903.  Copyright © Gamma Secure Systems Limited 2004

Page last updated: 18 March, 2004