The CIS has released a collection of metrics – CIS Security Metrics Guide (v. 1.0.0). The project goal is to “develop a balanced combination of unambiguous and logically defensible outcome and practice metrics measuring” and to “utilize data commonly available in most enterprises.”
The following metrics are proposed and documented:
- Application Security
  - Number of Applications
  - Percentage of Critical Applications
  - Risk Assessment Coverage
  - Security Testing Coverage
- Configuration Change Management
- Financial
- Incident Management
  - Mean-Time to Incident Discovery
  - Incident Rate
  - Percentage of Incidents Detected by Internal Controls
  - Mean-Time Between Security Incidents
  - Mean-Time to Recovery
- Patch Management
- Vulnerability Management
  - Vulnerability Scan Coverage
  - Percent of Systems Without Known Severe Vulnerabilities
  - Mean-Time to Mitigate Vulnerabilities
  - Number of Known Vulnerability Instances
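The Incident Management metrics are listed above by name only. The following Python example is added here (it is not from the CIS guide or this post) and computes those five metrics over constructed incident records; the definitions it uses (occurrence-to-discovery and occurrence-to-recovery time, gaps between occurrence times, share of incidents found by internal controls, count per reporting period) are assumptions, not quoted from the guide.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional, Tuple

@dataclass
class Incident:
    occurred: datetime
    discovered: datetime
    recovered: datetime
    detected_internally: bool  # True if our own controls found it, False if a third party did

def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600

def mean_time_to_discovery(incidents: List[Incident]) -> Optional[float]:
    # Assumed definition: mean hours from occurrence to discovery
    return mean(hours(i.discovered - i.occurred) for i in incidents) if incidents else None

def mean_time_to_recovery(incidents: List[Incident]) -> Optional[float]:
    # Assumed definition: mean hours from occurrence to recovery
    return mean(hours(i.recovered - i.occurred) for i in incidents) if incidents else None

def pct_detected_internally(incidents: List[Incident]) -> Optional[float]:
    return 100.0 * sum(i.detected_internally for i in incidents) / len(incidents) if incidents else None

def mean_time_between_incidents(incidents: List[Incident]) -> Optional[float]:
    # Mean gap, in hours, between consecutive occurrence times; needs at least two incidents
    ordered = sorted(i.occurred for i in incidents)
    gaps = [hours(b - a) for a, b in zip(ordered, ordered[1:])]
    return mean(gaps) if gaps else None

def incident_rate(incidents: List[Incident], period: Tuple[datetime, datetime]) -> int:
    start, end = period
    return sum(start <= i.occurred < end for i in incidents)

def summary(incidents: List[Incident], period: Tuple[datetime, datetime]) -> dict:
    return {
        "mttd_hours": mean_time_to_discovery(incidents),
        "mttr_hours": mean_time_to_recovery(incidents),
        "pct_internal": pct_detected_internally(incidents),
        "mtbsi_hours": mean_time_between_incidents(incidents),
        "incident_rate": incident_rate(incidents, period),
    }

# Constructed sample data for illustration only; not real incidents
REPORT_PERIOD = (datetime(2024, 1, 1), datetime(2024, 2, 1))
SAMPLE = [
    Incident(datetime(2024, 1, 3, 8), datetime(2024, 1, 3, 20), datetime(2024, 1, 4, 8), True),
    Incident(datetime(2024, 1, 13, 8), datetime(2024, 1, 15, 8), datetime(2024, 1, 16, 8), False),
    Incident(datetime(2024, 1, 23, 8), datetime(2024, 1, 23, 14), datetime(2024, 1, 23, 20), True),
]
```

Reporting the empty-data cases as `None` rather than zero keeps a month with no incidents from being misread as instant detection or recovery.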