Cyber Security Institute

Wednesday, September 10, 2008

CIS looks to community for security metrics

The Center for Internet Security (CIS) announced that the group would work with a community of security professionals to create a set of eight metrics to help companies measure their progress in locking down their networks. The project, which distills the recommendations of 85 security experts from government, industry and academia, aims to give companies a single set of data points to track their organization's security over time and to collect information in a consistent manner, said Bert Miuccio, CEO of the Center for Internet Security.

To measure a company’s ability to deal with security incidents, the group suggested that companies measure the mean time between security incidents and the mean time to recover from security incidents.

As an indicator of a company’s network security readiness, companies should measure the fraction of systems configured to approved standards, the fraction of systems patched as per corporate policy, and the fraction of systems with antivirus software, CIS stated.

Finally, companies should review their software applications for potential security issues by measuring the fraction of business applications that have had a risk assessment, the fraction with a penetration or vulnerability assessment and the fraction of application code that had a threat-model analysis or security code review prior to deployment.
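The eight metrics described above, computed from constructed inventory and incident records, as an added example (this is not CIS's own tooling, and the field names and sample data are assumptions):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional
# Added example, not CIS's own tooling: computes the eight consensus metrics
# named in the article from constructed inventory and incident records.
@dataclass
class Incident:
    opened: datetime            # detection time
    closed: Optional[datetime]  # None while the incident is still being handled

def mean_time_between_incidents(incidents):
    """Mean hours between consecutive detections; None if fewer than two incidents."""
    opened = sorted(i.opened for i in incidents)
    if len(opened) < 2:
        return None
    return mean([(b - a).total_seconds() / 3600 for a, b in zip(opened, opened[1:])])

def mean_time_to_recover(incidents):
    """Mean hours from detection to closure over closed incidents; None if none closed."""
    hours = [(i.closed - i.opened).total_seconds() / 3600 for i in incidents if i.closed]
    return mean(hours) if hours else None

def fraction(records, flag):
    """Share of records with `flag` set, as a float in [0, 1]; 0.0 for an empty inventory."""
    return sum(1 for r in records if r.get(flag)) / len(records) if records else 0.0

def cis_metrics(incidents, systems, apps):
    return {
        "mtbsi_hours": mean_time_between_incidents(incidents),
        "mttr_hours": mean_time_to_recover(incidents),
        "systems_configured": fraction(systems, "configured"),
        "systems_patched": fraction(systems, "patched"),
        "systems_with_av": fraction(systems, "antivirus"),
        "apps_risk_assessed": fraction(apps, "risk_assessed"),
        "apps_pentested": fraction(apps, "pentested"),          # pen test or vuln assessment
        "apps_code_reviewed": fraction(apps, "code_reviewed"),  # threat model or code review
    }

# Constructed sample data (hypothetical, not figures from the article)
T0 = datetime(2008, 9, 1)
SAMPLE_INCIDENTS = [
    Incident(T0, T0 + timedelta(hours=6)),
    Incident(T0 + timedelta(days=2), T0 + timedelta(days=2, hours=2)),
    Incident(T0 + timedelta(days=6), None),  # still open: counts for MTBSI, not MTTR
]
SAMPLE_SYSTEMS = [{"configured": c, "patched": p, "antivirus": a}
                  for c, p, a in [(True, True, True), (True, False, True), (False, False, True), (True, True, False)]]
SAMPLE_APPS = [{"risk_assessed": r, "pentested": p, "code_reviewed": c}
               for r, p, c in [(True, True, False), (True, False, False)]]
```

Tracking these values at a fixed interval gives the consistent, comparable series over time that the article describes; an open incident is deliberately included in the interval metric but excluded from the recovery metric.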
