CIS Security Metrics Available


The CIS has released a collection of metrics - CIS Security Metrics Guide (v. 1.0.0). The project goal is to develop a balanced set of unambiguous, logically defensible outcome and practice metrics that draw on data commonly available in most enterprises. The following metrics are proposed and documented:

  • Application Security

    • Number of Applications
    • Percentage of Critical Applications
    • Risk Assessment Coverage
    • Security Testing Coverage
  • Configuration Change Management

    • Mean-Time to Complete Changes
    • Percent of Changes with Security Review
    • Percent of Changes with Security Exceptions
  • Financial

    • Information Security Budget as % of IT Budget
    • Information Security Budget Allocation
  • Incident Management

    • Mean-Time to Incident Discovery
    • Incident Rate
    • Percentage of Incidents Detected by Internal Controls
    • Mean-Time Between Security Incidents
    • Mean-Time to Recovery
  • Patch Management

    • Patch Policy Compliance
    • Patch Management Coverage
    • Mean-Time to Patch
  • Vulnerability Management

    • Vulnerability Scan Coverage
    • Percent of Systems Without Known Severe Vulnerabilities
    • Mean-Time to Mitigate Vulnerabilities
    • Number of Known Vulnerability Instances
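To show what it takes to produce a few of the listed metrics from data an enterprise typically already holds (incident tickets, scanner inventory, patch status), here is an added example computing Mean-Time to Incident Discovery, Mean-Time to Recovery, Percentage of Incidents Detected by Internal Controls, Vulnerability Scan Coverage and Patch Policy Compliance. It is not code from CIS or from the guide; the formulas are plain, commonly used readings of the metric names (not the guide's authoritative definitions), the incident and system records are constructed, and the field names are my own assumptions.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not from the CIS guide).
# Each record holds the timestamps an incident ticket normally carries and
# whether an internal control (IDS, log review, etc.) detected it, as
# opposed to notification by a customer, partner or third party.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2009-03-01T08:00", "discovered": "2009-03-01T20:00",
     "recovered": "2009-03-02T08:00", "detected_by_internal_control": True},
    {"id": "INC-2", "occurred": "2009-03-05T00:00", "discovered": "2009-03-06T00:00",
     "recovered": "2009-03-06T06:00", "detected_by_internal_control": False},
    {"id": "INC-3", "occurred": "2009-03-10T10:00", "discovered": "2009-03-10T16:00",
     "recovered": "2009-03-11T04:00", "detected_by_internal_control": True},
]

# Constructed sample system inventory (assumed fields): whether the host was
# covered by the last vulnerability scan, and how many patches are past the
# deadline set by the patch policy.
SYSTEMS = [
    {"host": "web-01", "scanned": True, "patches_overdue": 0},
    {"host": "web-02", "scanned": True, "patches_overdue": 2},
    {"host": "db-01", "scanned": True, "patches_overdue": 0},
    {"host": "legacy-01", "scanned": False, "patches_overdue": 5},
]


def _hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600.0


def _percentage(part: int, whole: int) -> float:
    """Percentage with an explicit zero guard for empty populations."""
    return 0.0 if whole == 0 else 100.0 * part / whole


def mean_time_to_incident_discovery(incidents=INCIDENTS) -> float:
    """Average hours from when an incident occurred to when it was discovered.
    An empty population yields 0.0 rather than raising."""
    if not incidents:
        return 0.0
    return mean(_hours_between(i["occurred"], i["discovered"]) for i in incidents)


def mean_time_to_recovery(incidents=INCIDENTS) -> float:
    """Average hours from discovery to recovery (assumed reading of the metric)."""
    if not incidents:
        return 0.0
    return mean(_hours_between(i["discovered"], i["recovered"]) for i in incidents)


def pct_incidents_detected_internally(incidents=INCIDENTS) -> float:
    """Share of incidents first detected by the organisation's own controls."""
    internal = sum(1 for i in incidents if i["detected_by_internal_control"])
    return _percentage(internal, len(incidents))


def vulnerability_scan_coverage(systems=SYSTEMS) -> float:
    """Share of inventoried systems covered by the vulnerability scan."""
    scanned = sum(1 for s in systems if s["scanned"])
    return _percentage(scanned, len(systems))


def patch_policy_compliance(systems=SYSTEMS) -> float:
    """Share of systems with no patch past the policy deadline."""
    compliant = sum(1 for s in systems if s["patches_overdue"] == 0)
    return _percentage(compliant, len(systems))


if __name__ == "__main__":
    print(f"Mean-Time to Incident Discovery: {mean_time_to_incident_discovery():.1f} h")
    print(f"Mean-Time to Recovery:           {mean_time_to_recovery():.1f} h")
    print(f"Detected by internal controls:   {pct_incidents_detected_internally():.1f} %")
    print(f"Vulnerability Scan Coverage:     {vulnerability_scan_coverage():.1f} %")
    print(f"Patch Policy Compliance:         {patch_policy_compliance():.1f} %")
```

The point worth noticing is the denominator: scan coverage and patch compliance are only meaningful against the full inventory, so a host that is missing from the scanner's view (like the constructed `legacy-01`) must still be counted in the population or the metric silently flatters itself.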

Download the metrics here or via direct PDF link.