Home > Blog > CIS Security Metrics Available

CIS Security Metrics Available

The CIS has released a collection of metrics – CIS Security Metrics Guide (v. 1.0.0).  The project goal is to “develop a balanced combination of unambiguous and logically defensible outcome and practice metrics measuring” and to “utilize data commonly available in most enterprises.”

The following metrics are proposed and documented:

  • Application Security
    • Number of Applications
    • Percentage of Critical Applications
    • Risk Assessment Coverage
    • Security Testing Coverage
  • Configuration Change Management
    • Mean-Time to Complete Changes
    • Percent of Changes with Security Review
    • Percent of Changes with Security Exceptions
  • Financial
    • Information Security Budget as % of IT Budget
    • Information Security Budget Allocation
  • Incident Management
    • Mean-Time to Incident Discovery
    • Incident Rate
    • Percentage of Incidents Detected by Internal Controls
    • Mean-Time Between Security Incidents
    • Mean-Time to Recovery
  • Patch Management
    • Patch Policy Compliance
    • Patch Management Coverage
    • Mean-Time to Patch
  • Vulnerability Management
    • Vulnerability Scan Coverage
    • Percent of Systems Without Known Severe Vulnerabilities
    • Mean-Time to Mitigate Vulnerabilities
    • Number of Known Vulnerability Instance”

Download the metrics here or via direct PDF link.

Categories: Blog Tags:
  1. No comments yet.
  1. No trackbacks yet.