The CIS has released a collection of metrics – CIS Security Metrics Guide (v. 1.0.0).  The project goal is to “develop a balanced combination of unambiguous and logically defensible outcome and practice metrics measuring” and to “utilize data commonly available in most enterprises.”

The following metrics are proposed and documented:

• Application Security
  • Number of Applications
  • Percentage of Critical Applications
  • Risk Assessment Coverage
  • Security Testing Coverage
• Configuration Change Management
  • Mean-Time to Complete Changes
  • Percent of Changes with Security Review
  • Percent of Changes with Security Exceptions
• Financial
  • Information Security Budget as % of IT Budget
  • Information Security Budget Allocation
• Incident Management
  • Mean-Time to Incident Discovery
  • Incident Rate
  • Percentage of Incidents Detected by Internal Controls
  • Mean-Time Between Security Incidents
  • Mean-Time to Recovery
• Patch Management
  • Patch Policy Compliance
  • Patch Management Coverage
  • Mean-Time to Patch
• Vulnerability Management
  • Vulnerability Scan Coverage
  • Percent of Systems Without Known Severe Vulnerabilities
  • Mean-Time to Mitigate Vulnerabilities
  • Number of Known Vulnerability Instance”

Download the metrics here or via direct PDF link.

• Previous Entry: Reductive Labs scores $2M for Puppet IT automation tool | VentureBeat
• Next Entry: Hudson and Amazon EC2 – the sequel