Be Your Organization’s Security & Compliance Goalie

I recently wrote about how to get your company to commit to improving its security and compliance by starting at the top and getting top brass buy-in. But once you’ve got agreement that your organization wants everyone to participate in improving data security and compliance, how do you translate that to reasonable goals that every department can relate to? And how do you pick goals and metrics that align with the major standards you need to meet, such as HIPAA, FISMA, FIPS 140-2, PCI-DSS and Safe Harbor provisions?

Most of the research on improving security—and indeed, in any type of measurement-by-objectives program—says that for success, your goals need to be clear, attainable and measurable. But how do you know what individual department goals should be? And how do you figure out what to monitor, how to do it, and how often to measure effectiveness variables?

Luckily, you don’t have to reinvent the wheel. Courtesy of the SANS Institute, which provided much of this information, here are a few common types of security goals and evaluation criteria you can set up for different parts of your company, summarized in the following checklist.

Checklist: How to Measure Important Security Effectiveness Goals

[Checklist image: Security Monitoring and Effectiveness Checklist]

It might seem a bit daunting to set up procedures, training and measurement criteria for your company and monitor how well you’re doing. But it is much easier to be proactive and enlist the support of all the employees in your company to take responsibility for their part in creating data security and compliance than it is to have to ask those same people to help with major damage control later, after the company’s reputation and data have been severely compromised. You can pay for security now, or you can pay a lot more later. It takes some consideration, resources and investment upfront, but the corporate payoff will be invaluable.

Mike McAlpen


Mike McAlpen is the Executive Director of Security and Compliance at 8x8, one of the largest US VoIP providers for business. Prior to this, Mike was a business leader with Visa, Inc. Global Information Security and Compliance. Before this, Mike was a leader in HP Professional Services Information Security, CIO/CISO Advisory and other services for nearly 12 years. Mike is a frequent Information Security speaker, a three-term IT Services Management Foundation President, on the Board of Directors of the Silicon Valley ISSA, and active in ISACA, FBI/DHS InfraGard, the U.S. Secret Service’s Cyber Crime Task Force and the American Bar Association Science and Technology Section’s Information Security Committee.
