DB Quant: Manage Metrics, Part 3, Change Management

By Rich | June 25, 2010

Believe it or not, we are down to our final metrics post! We’re going to close things out today with change management – something that isn’t specific to security, but comes with security implications.

Our change management process is:

  1. Monitor

  2. Schedule and Prepare

  3. Alter

  4. Verify

  5. Document

Monitor

Variable | Notes
---|---
Time to gather change requests |
Time to evaluate each change request for security implications |

Schedule and Prepare

Variable | Notes
---|---
Time to map request to specific actions/scripts |
Time to update change management system |
Time to schedule downtime/maintenance window and communicate |

Alter

Variable | Notes
---|---
Time to implement change request |

Verify

Variable | Notes
---|---
Time to test and verify changes |

Document

Variable | Notes
---|---
Time to document changes |
Time to archive scripts or backups |

  1. An Open Metrics Model for Database Security: Project Quant for Databases
  2. Database Security: Process Framework
  3. Database Security: Planning
  4. Database Security: Planning, Part 2
  5. Database Security: Discover and Assess Databases, Apps, Data
  6. Database Security: Patch
  7. Database Security: Configure
  8. Database Security: Restrict Access
  9. Database Security: Shield
  10. Database Security: Database Activity Monitoring
  11. Database Security: Audit
  12. Database Security: Database Activity Blocking
  13. Database Security: Encryption
  14. Database Security: Data Masking
  15. Database Security: Web App Firewalls
  16. Database Security: Configuration Management
  17. Database Security: Patch Management
  18. Database Security: Change Management
  19. DB Quant: Planning Metrics, Part 1
  20. DB Quant: Planning Metrics, Part 2
  21. DB Quant: Planning Metrics, Part 3
  22. DB Quant: Planning Metrics, Part 4
  23. DB Quant: Discovery Metrics, Part 1, Enumerate Databases
  24. DB Quant: Discovery Metrics, Part 2, Identify Apps
  25. DB Quant: Discovery Metrics, Part 3, Config and Vulnerability Assessment
  26. DB Quant: Discovery Metrics, Part 4, Access and Authorization
  27. DB Quant: Secure Metrics, Part 1, Patch
  28. DB Quant: Secure Metrics, Part 2, Configure
  29. DB Quant: Secure Metrics, Part 3, Restrict Access
  30. DB Quant: Monitoring Metrics: Part 1, Database Activity Monitoring
  31. DB Quant: Monitoring Metrics, Part 2, Audit
  32. DB Quant: Protect Metrics, Part 1, DAM Blocking
  33. DB Quant: Protect Metrics, Part 2, Encryption
  34. DB Quant: Protect Metrics, Part 3, Masking
  35. DB Quant: Protect Metrics, Part 4, WAF

1 Comment

ds 2010-06-29
Who on earth is going to take the time to collect the data to derive these metrics from, and have you covered the basic fundamentals of metrics anywhere such as "easy to collect"? (If so, I've likely missed it in the deluge of posts in this category) Maybe I'm missing something, but where is the value in these metrics that will drive me to go to that effort? I wish that you would focus more on how to select metrics that will gain executive attention and actually drive the security program forward rather than this very detailed listing of technical metrics that seem to be devolving into navelgazing.