Security Metrics Consensus Team Progress
A team of more than 100 government, private, and academic experts are working to reach consensus on a small initial set of security outcome and practice metrics. At present these security metrics are in final draft. They represent outcome and practice areas of security regarded by the consensus group as important, but they are subject to further refinement by the group.
Currently, the consensus group has developed metrics covering the following business functions:
- Application Security
- Number of Applications
- Percentage of Critical Applications
- Risk Assessment Coverage
- Security Testing Coverage
- Configuration Change Management
- Mean-Time to Complete Changes
- Percent of Changes with Security Review
- Percent of Changes with Security Exceptions
- Financial
- Information Security Budget as % of IT Budget
- Information Security Budget Allocation
- Incident Management
- Mean-Time to Incident Discovery
- Number of Incidents
- Percentage of Incidents Detected by Internal Controls
- Mean-Time Between Security Incidents
- Mean-Time to Recovery
- Patch Management
- Patch Policy Compliance
- Patch Management Coverage
- Mean-Time to Patch
- Mean-Time to Patch Critical Patches
- Vulnerability Management
- Vulnerability Scan Coverage
- Percent of Systems Without Known Severe Vulnerabilities
- Number of Known Vulnerability Instances
Metrics Schema
A security metrics schema has been developed that will serve as a structure for the final definition of each metric so that terms, definitions, and computational aspects are unambiguous.
Future Benefits of the Planned CIS Information Security Metrics Service
'Hacking' 카테고리의 다른 글
| CIS benchmarks (0) | 2009.02.06 |
|---|---|
| Below is a list of resources you've selected: (0) | 2009.02.06 |
| CIS BenchMark (0) | 2009.02.06 |
| CIS BenchMark (3) | 2009.02.06 |
| Security Checklists (0) | 2009.02.06 |
