Friday, June 26, 2009

CIS Metrics Fun Continues

The CIS Security Metrics Guide (v. 1.0.0) has been out for a while; I just forgot to announce it here on my blog. The document is definitely a work in progress and the team (myself included) has a lot to do to make it better; some metrics might even change and new ones be added. BTW, the project goal was to “develop a balanced combination of unambiguous and logically defensible outcome and practice metrics measuring” and also to “utilize data commonly available in most enterprises.” Since I consider security and information risk management metrics to be one of the most important security challenges, I was very excited to help with this guide.

Here is the list of domains and metrics from the CIS site; it contains a mix of technical (automatable) and non-technical metrics:

“Currently, the consensus group has developed metrics covering the following business functions:

  • Application Security
    • Number of Applications
    • Percentage of Critical Applications
    • Risk Assessment Coverage
    • Security Testing Coverage
  • Configuration Change Management
    • Mean-Time to Complete Changes
    • Percent of Changes with Security Review
    • Percent of Changes with Security Exceptions
  • Financial
    • Information Security Budget as % of IT Budget
    • Information Security Budget Allocation
  • Incident Management
    • Mean-Time to Incident Discovery
    • Incident Rate
    • Percentage of Incidents Detected by Internal Controls
    • Mean-Time Between Security Incidents
    • Mean-Time to Recovery
  • Patch Management
    • Patch Policy Compliance
    • Patch Management Coverage
    • Mean-Time to Patch
  • Vulnerability Management
    • Vulnerability Scan Coverage
    • Percent of Systems Without Known Severe Vulnerabilities
    • Mean-Time to Mitigate Vulnerabilities
    • Number of Known Vulnerability Instances”
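To show what "automatable" means for the technical metrics in this list, here is an added illustration (my own example for this post, not code from the CIS guide or the consensus group) that computes a few of the Vulnerability, Patch and Incident Management metrics from constructed inventory records. The formulas are simplified readings of the metric names above; the guide's exact definitions (scope, severity thresholds, time units, and what "recovery" is measured from) take precedence. The `SEVERE` threshold, the dataclass fields and all sample records are assumptions made for the example.

```python
"""Compute a handful of CIS-style security metrics from constructed data.

Added example, not code from the CIS Security Metrics Guide. Formulas are
simplified readings of the metric names; the guide's definitions govern.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional

SEVERE = {"critical", "high"}  # assumption: severities counted as "severe"


@dataclass
class System:
    name: str
    last_scan: Optional[date]  # None means the system was never scanned
    severe_vulns: int = 0      # open vulnerability instances at/above SEVERE


@dataclass
class PatchEvent:
    system: str
    released: date  # vendor release date
    applied: date   # date the patch was installed


@dataclass
class Incident:
    occurred: date
    discovered: date
    recovered: date
    detected_internally: bool  # found by our own controls, not a third party


def vulnerability_scan_coverage(systems: List[System]) -> float:
    """Percent of systems that have a scan result at all."""
    scanned = sum(1 for s in systems if s.last_scan is not None)
    return 100.0 * scanned / len(systems)


def percent_without_severe_vulns(systems: List[System],
                                 count_unscanned_as_clean: bool = False) -> float:
    """Percent of systems with no *known* severe vulnerabilities.

    An unscanned system has no known vulnerabilities, so a naive count treats
    it as clean and inflates the figure. By default only scanned systems may
    count as clean; unscanned ones stay in the denominator but not the numerator.
    """
    clean = 0
    for s in systems:
        if s.last_scan is None:
            if count_unscanned_as_clean:
                clean += 1
        elif s.severe_vulns == 0:
            clean += 1
    return 100.0 * clean / len(systems)


def known_vulnerability_instances(systems: List[System]) -> int:
    return sum(s.severe_vulns for s in systems)


def mean_time_to_patch(patches: List[PatchEvent]) -> float:
    """Mean days from vendor release to installation."""
    return mean((p.applied - p.released).days for p in patches)


def mean_time_to_incident_discovery(incidents: List[Incident]) -> float:
    return mean((i.discovered - i.occurred).days for i in incidents)


def mean_time_to_recovery(incidents: List[Incident]) -> float:
    """Assumption: measured from discovery to recovery."""
    return mean((i.recovered - i.discovered).days for i in incidents)


def percent_detected_internally(incidents: List[Incident]) -> float:
    internal = sum(1 for i in incidents if i.detected_internally)
    return 100.0 * internal / len(incidents)


# Constructed sample data (not real systems or events).
SYSTEMS = [
    System("web-01", date(2009, 6, 20), 0),
    System("web-02", date(2009, 6, 20), 2),
    System("db-01", date(2009, 6, 18), 0),
    System("legacy-01", None),            # never scanned
]
PATCHES = [
    PatchEvent("web-01", date(2009, 6, 9), date(2009, 6, 12)),   # 3 days
    PatchEvent("web-02", date(2009, 6, 9), date(2009, 6, 19)),   # 10 days
    PatchEvent("db-01", date(2009, 5, 12), date(2009, 5, 20)),   # 8 days
]
INCIDENTS = [
    Incident(date(2009, 5, 1), date(2009, 5, 3), date(2009, 5, 4), True),
    Incident(date(2009, 5, 20), date(2009, 6, 1), date(2009, 6, 3), False),
]

if __name__ == "__main__":
    print(f"Scan coverage:            {vulnerability_scan_coverage(SYSTEMS):.1f}%")
    print(f"No severe vulns (strict): {percent_without_severe_vulns(SYSTEMS):.1f}%")
    print(f"No severe vulns (naive):  "
          f"{percent_without_severe_vulns(SYSTEMS, True):.1f}%")
    print(f"Known severe instances:   {known_vulnerability_instances(SYSTEMS)}")
    print(f"Mean time to patch:       {mean_time_to_patch(PATCHES):.1f} days")
    print(f"Mean time to discovery:   {mean_time_to_incident_discovery(INCIDENTS):.1f} days")
    print(f"Mean time to recovery:    {mean_time_to_recovery(INCIDENTS):.1f} days")
    print(f"Detected internally:      {percent_detected_internally(INCIDENTS):.1f}%")
```

The point of the `count_unscanned_as_clean` switch is the practitioner's caveat: coverage metrics and outcome metrics have to be read together. With one of four systems never scanned, the "clean" percentage is 50% under the strict reading and 75% under the naive one, and only Vulnerability Scan Coverage tells you which figure to trust.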

Download the metrics here or via the direct PDF link. BTW, the Quick Start Guide for launching your metrics program using the CIS Security Metrics is coming soon. Also, a global data sharing project based on these metrics may be launched in the future.


Dr Anton Chuvakin