Here's my 2 cents.. It has helped me to stay within these guidelines.
Keep it short one to one and half page.
Keep it in PAR format. (Problem Action Resolution)
In your PAR touch on Risk to critical IO. (information Object)
In your PAR touch on BIA of the weekly or monthly tasks that were performed.
(Business impact analysis)
In your PAR articulate the proactive tasks and try to minimize the reactive
tasks.
It would also help if you previously had done RA, BIA and IO classifications
and categorization.
HTH
Regards,
Gary Everekyan
CISSP, CISM, ISSAP,ISSPCS, ITILp, MCSE, MCT
Information Security and Audit
"High achievement always takes place in the framework of high expectation" -
Jack Kinder
-----Original Message-----
From: Crayola [mailto:crayola@optonline.net]
Sent: Monday, April 03, 2006 11:36 PM
To: security-management@securityfocus.com
Subject: Reports for Exec Management
I need to begin putting together monthly reports for executive management
(CEO) that show the value that the Information Security department is
providing to the company. The execs know what we do, my senior mgmt feels we
need to broadcast the value Infosec provides.
I know a couple things about exec reports.. keep them short (one page),
never propose a need without an answer, and huge IDS numbers will scare them
needlessly. How can I show value without being alarmist? If I say that we
successfully blocked over 1.5 million attacks last month they'll have a
heart attack.
What do ya'll provide to your execs? Its tough to show the value of what you
do when that value consists of potentially making something not happen
(security incident).
Thanks,
Mike
