InfoSec Philippines

Information Security, Technology News and Opinions

CIS Consensus Security Metrics V.1.0.0

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 27, 2009

In mid-May the Center for Internet Security, the same people that give us free benchmarks, released their Consensus Metric Definitions V.1.0.0. It’s a free 90-page PDF containing 20 metric definitions under 6 business functions.

The 6 Business Functions and the metric areas under them are as follows:

Incident Management
– Mean-Time to Incident Discovery
– Number of Incidents
– Mean-Time Between Security Incidents
– Mean-Time to Incident Recovery

Vulnerability Management
– Vulnerability Scanning Coverage
– Percent of Systems with No Known Severe Vulnerabilities
– Mean-Time to Mitigate Vulnerabilities
– Number of Known Vulnerabilities

Patch Management
– Patch Policy Compliance
– Patch Management Coverage
– Mean-Time to Patch

Application Security
– Number of Applications
– Percent of Critical Applications
– Risk Assessment Coverage
– Security Testing Coverage

Configuration Management
– Mean-Time to Complete Changes
– Percent of Changes with Security Reviews
– Percent of Changes with Security Exceptions

Financial Metrics
– IT Security Spending as Percentage of IT Budget
– IT Security Budget Allocation

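As an added illustration (not from the CIS document or this post), the four Incident Management metrics above computed over a handful of constructed incident records. The formulas are my reading of the metric names: discovery and recovery times are measured from the incident’s occurrence, the time between incidents is the gap between consecutive occurrences, and the count is taken over a reporting period; check the CIS definitions for the authoritative wording.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records; they are not from the CIS document.
# Each record carries the three timestamps the incident metrics depend on.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2009-06-01T08:00",
     "discovered": "2009-06-01T20:00", "recovered": "2009-06-03T08:00"},
    {"id": "INC-2", "occurred": "2009-06-10T09:00",
     "discovered": "2009-06-12T09:00", "recovered": "2009-06-13T09:00"},
    {"id": "INC-3", "occurred": "2009-06-20T00:00",
     "discovered": "2009-06-20T06:00", "recovered": "2009-06-20T18:00"},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")

def _hours_between(record, start_key, end_key):
    """Elapsed hours from record[start_key] to record[end_key]; rejects
    records whose timestamps run backwards, which would skew the mean."""
    delta = _ts(record[end_key]) - _ts(record[start_key])
    if delta.total_seconds() < 0:
        raise ValueError(f"{record['id']}: {end_key} precedes {start_key}")
    return delta.total_seconds() / 3600.0

def mean_time_to_discovery(incidents):
    """Mean hours from occurrence to discovery (None when there are no incidents)."""
    if not incidents:
        return None
    return mean(_hours_between(i, "occurred", "discovered") for i in incidents)

def mean_time_to_recovery(incidents):
    """Mean hours from occurrence to recovery (None when there are no incidents)."""
    if not incidents:
        return None
    return mean(_hours_between(i, "occurred", "recovered") for i in incidents)

def mean_time_between_incidents(incidents):
    """Mean hours between consecutive occurrences; needs at least two incidents."""
    if len(incidents) < 2:
        return None
    times = sorted(_ts(i["occurred"]) for i in incidents)
    gaps = [(b - a).total_seconds() / 3600.0 for a, b in zip(times, times[1:])]
    return mean(gaps)

def number_of_incidents(incidents, period_start, period_end):
    """Count of incidents that occurred within [period_start, period_end]."""
    start, end = _ts(period_start), _ts(period_end)
    return sum(1 for i in incidents if start <= _ts(i["occurred"]) <= end)
```

With the sample data this gives 22 hours to discovery, 46 hours to recovery and 224 hours between incidents; the period filter lets the count be reported per month or quarter as the organisation prefers.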
CIS is currently defining additional consensus metrics, so there will be more to follow. Please check out CIS’s document to find out how to measure the metrics mentioned above. It would be nice to see a mapping to ISO/IEC 27002:2005… just in case Metric Center’s Catalog doesn’t already have the above metrics. Metric Center’s mapping is the best mapping to ISO/IEC 27002:2005 that I’ve seen to date, and I’m hoping that they won’t start charging to check out their site in the future.


2 Responses to “CIS Consensus Security Metrics V.1.0.0”

  1. varian said

    I haven’t visited CIS website recently, glad to hear there is another resource for security metrics.

    Thanks Jim for the update. — is the other site I look at for security metrics.

  2. Claire said

    Great resource site on Information Security. I knew your name rang a bell somewhere. I came across this site several months ago. Most interesting for us is the Information Security Management System or ISO 27001/27002. Please keep it up. Thanks.
