InfoSec Philippines

Information Security, Technology News and Opinions


CIS Consensus Security Metrics V.1.0.0

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 27, 2009

In mid-May 2009 the Center for Internet Security (CIS), the same organization that publishes the free CIS Benchmarks, released its Consensus Metric Definitions V.1.0.0. It is a free 90-page PDF containing 20 metric definitions grouped under 6 business functions.

The 6 business functions and the metrics defined under each are as follows:

Incident Management
– Mean-Time to Incident Discovery
– Number of Incidents
– Mean-Time Between Security Incidents
– Mean-Time to Incident Recovery

Vulnerability Management
– Vulnerability Scanning Coverage
– Percent of Systems with No Known Severe Vulnerabilities
– Mean-Time to Mitigate Vulnerabilities
– Number of Known Vulnerabilities

Patch Management
– Patch Policy Compliance
– Patch Management Coverage
– Mean-Time to Patch

Application Security
– Number of Applications
– Percent of Critical Applications
– Risk Assessment Coverage
– Security Testing Coverage

Configuration Management
– Mean-Time to Complete Changes
– Percent of Changes with Security Reviews
– Percent of Changes with Security Exceptions

Financial Metrics
– IT Security Spending as Percentage of IT Budget
– IT Security Budget Allocation
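
As an added illustration (not code from CIS or from this post), the following Python computes the Incident Management and Vulnerability Management metrics listed above from a handful of constructed incident and vulnerability-finding records. The formulas follow the shape of the CIS definitions (date differences averaged over the records in the reporting period; coverage and percentage metrics as ratios of counts); the record layout, the choice of hours as the unit, the treatment of still-open incidents and findings, the CVSS 7.0 "severe" threshold and all sample data are assumptions made for this example.

```python
"""Worked example of CIS-style consensus security metrics over constructed data.

Not CIS's code. Formulas follow the shape of the CIS v1.0.0 definitions; units
(hours), handling of open records, the severity threshold and the sample records
below are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Incident:
    incident_id: str
    occurred: datetime              # when the incident actually began
    discovered: datetime            # when the organisation detected it
    recovered: Optional[datetime]   # None while the incident is still open


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str                    # placeholder id, not a real CVE
    cvss: float
    detected: datetime
    mitigated: Optional[datetime]   # None while the vulnerability is still open


SEVERE_CVSS = 7.0   # assumed "severe" threshold for this example


def _mean_hours(deltas: Iterable[timedelta]) -> float:
    """Average a set of durations in hours; 0.0 when there is nothing to average."""
    deltas = list(deltas)
    if not deltas:
        return 0.0
    return sum(d.total_seconds() for d in deltas) / len(deltas) / 3600.0


# --- Incident Management ---------------------------------------------------

def mean_time_to_incident_discovery(incidents) -> float:
    """Occurrence-to-discovery, averaged over all incidents (hours)."""
    return _mean_hours(i.discovered - i.occurred for i in incidents)


def number_of_incidents(incidents, start: datetime, end: datetime) -> int:
    """Incidents whose occurrence falls inside the reporting period [start, end)."""
    return sum(1 for i in incidents if start <= i.occurred < end)


def mean_time_between_security_incidents(incidents) -> float:
    """Average gap between consecutive occurrences (hours); 0.0 below two incidents."""
    times = sorted(i.occurred for i in incidents)
    return _mean_hours(later - earlier for earlier, later in zip(times, times[1:]))


def mean_time_to_incident_recovery(incidents) -> float:
    """Occurrence-to-recovery over closed incidents only; open ones are excluded."""
    return _mean_hours(i.recovered - i.occurred for i in incidents if i.recovered)


# --- Vulnerability Management ----------------------------------------------

def vulnerability_scanning_coverage(all_hosts, scanned_hosts) -> float:
    """Percent of in-scope systems that were actually scanned in the period."""
    return 100.0 * len(set(scanned_hosts) & set(all_hosts)) / len(set(all_hosts))


def percent_systems_without_severe_vulns(scanned_hosts, findings,
                                         threshold: float = SEVERE_CVSS) -> float:
    """Percent of scanned systems with no open finding at or above the threshold."""
    scanned = set(scanned_hosts)
    severe = {f.host for f in findings if f.mitigated is None and f.cvss >= threshold}
    return 100.0 * len(scanned - severe) / len(scanned)


def mean_time_to_mitigate_vulnerabilities(findings) -> float:
    """Detection-to-mitigation over mitigated findings only (hours)."""
    return _mean_hours(f.mitigated - f.detected for f in findings if f.mitigated)


def number_of_known_vulnerabilities(findings) -> int:
    """Open (unmitigated) findings at reporting time."""
    return sum(1 for f in findings if f.mitigated is None)


# --- Constructed sample data (not real incidents or vulnerabilities) --------

D = datetime
SAMPLE_INCIDENTS = [
    Incident("INC-1", D(2009, 6, 2, 8), D(2009, 6, 2, 20), D(2009, 6, 3, 8)),
    Incident("INC-2", D(2009, 6, 10), D(2009, 6, 11), D(2009, 6, 12)),
    Incident("INC-3", D(2009, 6, 20, 12), D(2009, 6, 20, 18), None),
]
ALL_HOSTS = {"web01", "web02", "db01", "app01", "app02"}
SCANNED_HOSTS = {"web01", "web02", "db01", "app01"}
SAMPLE_FINDINGS = [
    Finding("web01", "VULN-0001", 9.3, D(2009, 6, 1), D(2009, 6, 4)),
    Finding("web02", "VULN-0002", 5.0, D(2009, 6, 1), D(2009, 6, 11)),
    Finding("db01", "VULN-0003", 7.5, D(2009, 6, 5), None),
    Finding("web01", "VULN-0004", 4.3, D(2009, 6, 6), None),
]


def metrics_report(incidents=SAMPLE_INCIDENTS, findings=SAMPLE_FINDINGS,
                   all_hosts=ALL_HOSTS, scanned=SCANNED_HOSTS,
                   start=D(2009, 6, 1), end=D(2009, 7, 1)) -> dict:
    return {
        "mean_time_to_incident_discovery_h": mean_time_to_incident_discovery(incidents),
        "number_of_incidents": number_of_incidents(incidents, start, end),
        "mean_time_between_incidents_h": mean_time_between_security_incidents(incidents),
        "mean_time_to_incident_recovery_h": mean_time_to_incident_recovery(incidents),
        "scanning_coverage_pct": vulnerability_scanning_coverage(all_hosts, scanned),
        "systems_without_severe_pct": percent_systems_without_severe_vulns(scanned, findings),
        "mean_time_to_mitigate_h": mean_time_to_mitigate_vulnerabilities(findings),
        "number_of_known_vulnerabilities": number_of_known_vulnerabilities(findings),
    }


if __name__ == "__main__":
    for name, value in metrics_report().items():
        print(f"{name:38s} {value}")
```

Two choices are worth noting. Open incidents contribute to discovery time and to the incident count but not to recovery time, so a long-running open incident does not silently drag the recovery average down; and "percent of systems with no known severe vulnerabilities" is computed only over scanned hosts, so it has to be read together with scanning coverage, exactly the pairing the CIS list makes.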

CIS is currently defining additional consensus metrics, so there will be more to follow. Please check out CIS's document to find out how each of the metrics mentioned above is measured. It would be nice to see a mapping to ISO/IEC 27002:2005… just in case Metric Center's Catalog doesn't already have the above metrics. Metric Center's mapping is the best mapping to ISO/IEC 27002:2005 that I've seen to date, and I'm hoping that they won't start charging to check out their site in the future.

Posted in Metrics