The only way to avoid spending most of your day generating custom reports is to develop a robust, well-organized reporting system. If we look at the requests for information closely, most of the requests are for the same information, but sliced and diced in different ways.

Every security group should initiate a formal project to proactively identify your customers and define their information requirements. Map those to monitoring and reporting systems, and organize them into like categories to build the foundation of your security metrics reporting system. I have utilized six basic categories.

The first is information security policies and standards. Policies and standards are living documents that collect and report information. A mapping of the policies and standards to a generally accepted standard, such as CobiT or ISO 17799, will greatly facilitate the communication of information to auditors and regulators.

Next, organize and report on the security architectures and processes that support your organization. Many critical processes, such as patch management, are of great interest to management.

Security-related products are required to support and monitor the operating environment, but are not easily understood by executive management. Clearly define the use and purpose of these systems in business language whenever possible.

The fourth category, information security auditing and monitoring reports, provide information that is collected and distributed to appropriate management. Perimeter connections to the network must also be monitored for unauthorized activities. While we generally create reports for and monitor many systems, we do not always map to the reason why we are putting forth the effort. Map the activities to policies, procedures and audit standards whenever possible.

Finally, feedback is a critical component of any information security infrastructure. Mechanisms for continuous feedback must be implemented. Track metrics related to the progress of security initiatives.

The creation and population of categories of like information with different views into the information is core to the reporting process. The creation of a suitable system for your organization will ultimately facilitate the reporting load that will only get greater in the future.

30 Seconds On...