- Saturday June 27th, 2009
The CIS has released a collection of metrics - CIS Security Metrics Guide (v. 1.0.0). The project goal is to develop a balanced combination of unambiguous and logically defensible outcome and practice metrics measuring and to utilize data commonly available in most enterprises. The following metrics are proposed and documented:
-
Application Security
- Number of Applications
- Percentage of Critical Applications
- Risk Assessment Coverage
- Security Testing Coverage
-
Configuration Change Management
- Mean-Time to Complete Changes
- Percent of Changes with Security Review
- Percent of Changes with Security Exceptions
-
Financial
- Information Security Budget as % of IT Budget
- Information Security Budget Allocation
-
Incident Management
- Mean-Time to Incident Discovery
- Incident Rate
- Percentage of Incidents Detected by Internal Controls
- Mean-Time Between Security Incidents
- Mean-Time to Recovery
-
Patch Management
- Patch Policy Compliance
- Patch Management Coverage
- Mean-Time to Patch
-
Vulnerability Management
- Vulnerability Scan Coverage
- Percent of Systems Without Known Severe Vulnerabilities
- Mean-Time to Mitigate Vulnerabilities
- Number of Known Vulnerability Instance
Download the metrics here or via direct PDF link.
blog comments powered by Disqus
