Why measure information security

Slide 1. DLPExpert, 08-2013

[The Russian slide text did not survive extraction; only the following items are recoverable.]

Slide 2. Frameworks referenced for measurement: ISO 9001/20000/22301/27001, ITIL, COBIT.

Slide 4. ISO 27001.

Slide 5. Figures on the slide: 200$, 40$; 10-20% (Forrester); CLV (Client Lifetime Value), ~30%.

Slide 7. Reporting format: Executive Summary.

Slide 8. ISO 27001 and related guidance: ISO 27005, ISO 27003, ISO 27004; NIST; COBIT5.

Slide 10. KPI.

Slide 12. Process capability levels (the COBIT 5 / ISO 15504 scale):
  0. Incomplete
  1. Performed
  2. Managed
  3. Established
  4. Predictable
  5. Optimising

Slide 13. Contacts: http://www.infowatch.ru @InfoWatchNews; http://dlp-expert.ru @DLP_Expert; http://80na20.blogspot.ru @3dwave

Slide 14. Security metrics in use (source: The State of Risk-Based Security 2013, Tripwire; U.S. and U.K. respondents):
  • Number of records or files detected as compliance infractions
  • Percentage of software applications tested
  • Reduction in the frequency of denial of service attacks
  • Reduction in regulatory actions and lawsuits
  • Reduction in expired certificates (including SSL and SSH keys)
  • Mean time to detect security incidents
  • Reduction in the number of threats
  • Reduction in the cost of cyber crime remediation
  • Percentage of recurring incidents
  • Percentage of incidents detected by automated control
  • Performance of users on security training retention tests
  • Time to contain data breaches and security exploits
  • Reduction in the number or percentage of end user enforcement actions
  • Reduction in loss of data-bearing devices (laptops, tablets, smartphones)
  • Reduction in the cost of security management activities
  • Length of time to implement security patches
  • Spending level relative to total budget
  • Percentage of endpoints free of malware and viruses
  • Number of end users receiving appropriate training
  • Reduction in unplanned system downtime
  • Reduction in number of access and authentication violations
  • Reduction in the total cost of ownership (TCO)
  • Return on security technology investments (ROI)
  • Reduction in number of known vulnerabilities
  • Reduction in number of data breach incidents
  • Reduction in number or percentage of policy violations
  • Reduction in audit findings and repeat findings
  • Number of security personnel achieving certification
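As an added example (not from the slides and not DLPExpert's or Tripwire's code), the Python below computes four of the metrics in the list above, mean time to detect, time to contain, percentage of incidents detected by automated control and percentage of recurring incidents, over a constructed set of incident records. The record layout, the "automated" versus "manual" detection source and the recurrence definition (same category on the same asset within 90 days) are assumptions of this example, not definitions from the deck.

```python
"""Incident-response KPIs computed from a constructed incident register.

Assumed record layout (not from the slides): each incident carries an
`occurred` time reconstructed by forensics, a `detected` time when the SOC
opened the ticket, an optional `contained` time, and the detection source.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class Incident:
    incident_id: str
    category: str                  # phishing, malware, data-leak, ...
    asset: str                     # system or mailbox the incident landed on
    occurred: datetime             # earliest attacker activity (forensic timeline)
    detected: datetime             # SOC became aware
    contained: Optional[datetime]  # None while the incident is still open
    detected_by: str               # "automated" (SIEM/EDR/DLP rule) or "manual"


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample register; the dates and identifiers are arbitrary.
INCIDENTS = [
    Incident("INC-001", "phishing", "web-mail", _t("2013-08-01 09:00"),
             _t("2013-08-01 11:00"), _t("2013-08-01 15:00"), "manual"),
    Incident("INC-002", "malware", "ws-0412", _t("2013-08-03 02:00"),
             _t("2013-08-03 02:30"), _t("2013-08-03 06:30"), "automated"),
    Incident("INC-003", "phishing", "web-mail", _t("2013-08-20 10:00"),
             _t("2013-08-20 10:30"), _t("2013-08-20 12:30"), "automated"),
    Incident("INC-004", "data-leak", "file-srv", _t("2013-08-25 08:00"),
             _t("2013-08-27 08:00"), None, "manual"),
    Incident("INC-005", "malware", "ws-0412", _t("2013-09-10 03:00"),
             _t("2013-09-10 03:15"), _t("2013-09-10 05:15"), "automated"),
]


def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600.0


def time_to_detect_hours(incidents: list) -> dict:
    """Mean and median time from first attacker activity to detection.
    The median is reported next to the mean because one slow detection
    (INC-004 in the sample) dominates the mean."""
    ttd = [hours(i.detected - i.occurred) for i in incidents]
    return {"mean": mean(ttd), "median": median(ttd)}


def time_to_contain_hours(incidents: list) -> dict:
    """Time from detection to containment over closed incidents only.
    Open incidents are counted separately instead of being silently dropped."""
    closed = [i for i in incidents if i.contained is not None]
    ttc = [hours(i.contained - i.detected) for i in closed]
    still_open = len(incidents) - len(closed)
    return {"mean": mean(ttc), "median": median(ttc), "open": still_open}


def pct_detected_by_automated_control(incidents: list) -> float:
    auto = sum(1 for i in incidents if i.detected_by == "automated")
    return 100.0 * auto / len(incidents)


def pct_recurring(incidents: list, window: timedelta = timedelta(days=90)) -> float:
    """Share of incidents that repeat an earlier one. Assumed definition:
    same category on the same asset, with an earlier incident having
    occurred within `window` before this one."""
    ordered = sorted(incidents, key=lambda i: i.occurred)
    recurring = 0
    for idx, cur in enumerate(ordered):
        for prev in ordered[:idx]:
            if (prev.category == cur.category and prev.asset == cur.asset
                    and cur.occurred - prev.occurred <= window):
                recurring += 1
                break
    return 100.0 * recurring / len(incidents)


def kpi_report(incidents: list = INCIDENTS) -> dict:
    return {
        "mttd_hours": time_to_detect_hours(incidents),
        "mttc_hours": time_to_contain_hours(incidents),
        "pct_detected_by_automated_control": pct_detected_by_automated_control(incidents),
        "pct_recurring": pct_recurring(incidents),
    }


if __name__ == "__main__":
    for name, value in kpi_report().items():
        print(f"{name}: {value}")
```

On the sample register the mean time to detect is 10.25 hours while the median is 0.5 hours; the gap comes entirely from the one data-leak case that sat undetected for two days, which is exactly the kind of incident a "mean only" KPI hides. Percentage figures are computed against all incidents, so an incident register that only records closed cases will overstate the automated-detection share and understate recurrence.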