News

Group To Release Metrics To Measure IT Security

The Center for Information Security will soon release guidelines for how enterprises can measure the state of their organization's security

By Jeremy Kirk, IDG News Service (London Bureau)

September 08, 2008CSO

The Center for Information Security (CIS) is set to release guidelines for how enterprises can measure the state of their organization's security and launch a service for companies to compare their performance with their peers.

The latest CIS project is aimed at resolving the confusion and lack of uniformity in ways to measure whether an enterprise or organization's IT security is improving or not, said Bert Miuccio, CIS's CEO.

"The problem that we've come to recognize is that information security professionals really are growing more confused on how to define success," Miuccio said. "They know that compliance with regulatory requirements and audit frameworks do not necessarily result in improved security and are not the best measures of success."

CIS is a nonprofit organization funded by enterprises and other organizations with an interest in security. Since it was formed in 2000, it has created 40 benchmarks for default security configurations for software ranging from operating systems to middleware to network devices. The benchmarks, which are a free download on the CIS Web site, are intended to help organizations reduce IT security risks.

Every security professional has different definitions for how to evaluate security measures, Miuccio said. CIS has assembled 85 information security experts to agree upon methods to measure eight different metrics. The metrics should be released in late October or early November, Miuccio said.

Two are "outcome" metrics: the mean time between security incidents and the mean time to recover from security incidents. The remaining six are related to process: the percentage of systems configured to approved standards; the percentage of systems patched to policy; percentage of systems with antivirus technology; percentage of business applications that has a risk assessment; percentage of business applications that has a penetration or vulnerability assessment; and percentage of application code that has a security assessment or code review before deployment.

Along with the metrics, CIS plans to launch around the same time a software-based service for companies to compare how they are doing, in terms of security, against other anonymous companies in their market vertical. This type of comparison is already commonly used for financial results and other aspects of business performance such as customer service.

"That's not done in information security today," Miuccio said. "We believe that this service will begin to enable that."

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WEBCAST
The Surest Path to Effective and Efficient Compliance

VeriSignIn this webcast, we explore why and how — with best practices, practical tips and solutions that work — to ease your compliance challenge.

» View the webcast

Featured Sponsors
Sponsored Links

Think your data is safe? Think again. It's time to Outthink the Threat. Get eBook now

Ponemon Study: How Much Does a Data Breach "Cost"?

Data Protection: Challenges for the Traveling User

Envision Identity-Based Access Control for the Datacenter

IT Service Management: Metrics That Matter

Configuration Audit and Control for Virtualized Environments

The PCI Data Security Standard

Configuration Audit and Control for Virtualized Environments

E-LOAN Maintains Reputation as a Privacy Leader with Symantec

Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands

Prudential Financial Protects its Brand with Symantec

Envision Identity-Based Access Control for the Datacenter

Using Likewise to Comply with PCI Data Security Standard

Solving Online Credit Fraud Using Device Reputation

Take our CSO role survey and receive a copy of the results

IDC Defines an Identity and Access Management Submarket

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era

Learn how the new Quad-Core AMD Opteron™ processor improves performance

Revolutionizing Endpoint Security with a Single Agent

Prepare for (ISC)2® Certification With Villanova - Online

Key strategies for C-level executives and security staff

Configuration Assessment: Choosing the Right Solution

ITCi White Paper: Challenges and Opportunities of PCI

Effective Security with a Continuous Approach to ISO 27001 Compliance

Rolling the dice with your security? Take the Self-Assessment Test now

7 Requirements of Data Loss Prevention

Information Security: Data Drains and How to Prevent Loss

How Are Open Source Development Communities Embracing Security Best Practices?

Digital Identity Protection and Data Security Get Personal

The Case for Business Software Assurance ~ Securing Your Applications

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

Diebold: Frost & Sullivan Global Physical Security Systems Integrator of the Year

Welcome to the age of Service-Oriented Security (SOS)

Enabling Compliance with Converged Mainframe Security and Storage