ESPIRIA'S SECURCOMPASS® SECURITY RATING MEASUREMENT MODULE

What is SecurCompass?

SecurCompass is a standards-based web application used to measure and plan security initiatives.

What is the purpose of the Measurement module?

The measurement module is a subset of the other Espiria SecurCompass offerings and is MEASUREMENT ONLY. That is, it allows an organization to get a taste of what it would be like to measure and plan strategically, allowing a positive management-level view of an organization's level of security, reasonable goals for security, and a plan to measure progress towards security over time.

Why would an organization use this method to evaluate their security?

The SecurCompass measurement process uses a form of online survey to ask individuals in an organization about their level of security. From this information, management can understand their current state of security, relative ranking compared to their peers, and tasks needed to improve their level of security. This method helps to paint a strategic picture of the road to security. It also allows an organization to re-measure over time and see their level of progress. It often satisfies third-party audit requirements.

What is used to measure the level of security?

The online survey uses several industry standards, regulatory concerns, and specifications. They include:
  • ISO 17799
  • HIPAA Security
  • GLBA
  • 21 CFR Part 11
  • BITS
  • NIST
These specifications allow Espiria to use best-of-breed elements to help evaluate your level of security. While no specification provides a comprehensive look at security, Espiria has combined several of the standards and regulatory requirements, created a relative ranking system from 0 to 5, and divided them into seven common categories. This allows a standards-neutral assessment of an organization that is not based on one potential stance on security, but on several. Espiria then combines these measurements with their experience and builds a prioritized list of actions that can help strategically improve your level of security.

What areas are measured?

There are seven categories addressed:
  • Security Planning: items to plan secure operations into the corporate infrastructure, including such issues as effective network design and architecture, BCP, and disaster recovery.

  • Security Policy: policy statements that serve as a guide to secure operations across the environment, including such things as data handling guidelines, policy management, and encryption policy.

  • Security Management: items that ensure effective management of the security program and infrastructure, such as internal audits or assessments, security awareness, change control, and roles and responsibilities.

  • Security Administration: elements of the security program administration such as system and user administration, backups, technical training, and system standards.

  • Security Infrastructure: items that support effective technical operations, such as application security, authentication, virus protection, and control of routers, firewalls, and switches.

  • Security Monitoring: items that support ongoing monitoring of the organization's security such as intrusion detection systems, incident response protocols, and log audits.

  • Physical Security: items that protect the physical environment, personnel, systems, and information.

What will we get when we are done?

This version of the module is MEASUREMENT ONLY. While you still invest the front-end six to eight hours (this process is NOT for the faint of heart), the results produced are a sampling** only of the results produced by the Measurement & Planning modules. For 60 days following the completion of this measurement, you will have the opportunity to upgrade to the full package of deliverables - just a click away. You receive the same package of reports; however, some are samples rather than the comprehensive report. The reports are:
  • An executive summary
  • A numerical measurement of your relative level of security
  • Comparison benchmarks to show comparable industry measurements and averages
  • Graphical depictions of measurements and benchmark
  • A sampling** (using your data) of observations on the areas that need improvement
  • A sampling** (using your data) of severity of issues and recommendations for improvement
  • A high-level program plan for the sampling to help organize your security program
  • A sampling** of your level of ISO 17799 security compliance
  • A sampling** of your level of HIPAA security compliance
The results are produced automatically upon finalization and provided via the Web as an RTF document.
** Where a "sampling" is noted and you subsequently upgrade, the "sampling" is replaced with the full report utilizing the data you input into the survey. There will be approximately 250+ pages of detail in all.

Is there anything else I should keep in mind?

Security is serious business. For meaningful results, a commitment is required on the front end. To get good results that truly represent the state of your security and measure your compliance with standards and regulations, specific information is required. You invest significant time on a serious issue and, in return, get useful, specific, detailed reports you can use to help you build your strategy, identify tasks, work on the right initiatives, and get the support (budgetary and resources) you need to keep your environment secured to the appropriate level for your business.
TO JOIN CSI:
GoCSI.com
866-271-8529
SECURCOMPASS:
www.Espiria.com/csi
Get a taste of what it would be like to measure and plan strategically. To take advantage of this innovative assessment tool, become a CSI Member today.
Already a CSI Member? You will receive an activation code upon renewal, or contact CSI Membership Customer Service at csimember@espcomp.com, phone 866-271-8529.
Log in to the Espiria website with your activation code (www.espiria.com/csi).