CIS Security Metrics Available
The CIS has released a collection of metrics – CIS Security Metrics Guide (v. 1.0.0). The project goal is to “develop a balanced combination of unambiguous and logically defensible outcome and practice metrics measuring” and to “utilize data commonly available in most enterprises.”
The following metrics are proposed and documented:
- Application Security
  - Number of Applications
  - Percentage of Critical Applications
  - Risk Assessment Coverage
  - Security Testing Coverage
- Configuration Change Management
  - Mean-Time to Complete Changes
  - Percent of Changes with Security Review
  - Percent of Changes with Security Exceptions
- Financial
  - Information Security Budget as % of IT Budget
  - Information Security Budget Allocation
- Incident Management
  - Mean-Time to Incident Discovery
  - Incident Rate
  - Percentage of Incidents Detected by Internal Controls
  - Mean-Time Between Security Incidents
  - Mean-Time to Recovery
- Patch Management
  - Patch Policy Compliance
  - Patch Management Coverage
  - Mean-Time to Patch
- Vulnerability Management
  - Vulnerability Scan Coverage
  - Percent of Systems Without Known Severe Vulnerabilities
  - Mean-Time to Mitigate Vulnerabilities
  - Number of Known Vulnerability Instances