CIS Security Metrics Available

The CIS has released a collection of metrics - CIS Security Metrics Guide (v. 1.0.0). The project goal is to develop a balanced combination of unambiguous and logically defensible outcome and practice metrics measuring and to utilize data commonly available in most enterprises. The following metrics are proposed and documented:

• Application Security

  • Number of Applications
  • Percentage of Critical Applications
  • Risk Assessment Coverage
  • Security Testing Coverage

• Configuration Change Management

  • Mean-Time to Complete Changes
  • Percent of Changes with Security Review
  • Percent of Changes with Security Exceptions

• Financial

  • Information Security Budget as % of IT Budget
  • Information Security Budget Allocation

• Incident Management

  • Mean-Time to Incident Discovery
  • Incident Rate
  • Percentage of Incidents Detected by Internal Controls
  • Mean-Time Between Security Incidents
  • Mean-Time to Recovery

• Patch Management

  • Patch Policy Compliance
  • Patch Management Coverage
  • Mean-Time to Patch

• Vulnerability Management

  • Vulnerability Scan Coverage
  • Percent of Systems Without Known Severe Vulnerabilities
  • Mean-Time to Mitigate Vulnerabilities
  • Number of Known Vulnerability Instance

Download the metrics here or via direct PDF link.