Radian Compliance » Blog Archive » Group to release uniform metrics to measure IT security

18Sep

Group to release uniform metrics to measure IT security
CIS also plans to launch services to help companies compare security efforts

By Jeremy Kirk

September 8, 2008 (IDG News Service) The Center for Internet Security (CIS) is set to release guidelines that enterprises can use to measure the state of their security, and it’s also preparing to launch a service to help companies compare their security performance with that of their peers.

The latest CIS project is designed to resolve the confusion and lack of uniformity in ways to measure whether an organization’s IT security is improving or not, said Bert Miuccio, CIS’s CEO.

"The problem that we’ve come to recognize is that information security professionals really are growing more confused on how to define success," Miuccio said. "They know that compliance with regulatory requirements, and audit frameworks do not necessarily result in improved security and are not the best measures of success."

CIS is a nonprofit group funded by a variety of organizations with an interest in security. Since it was formed in 2000, it has created 40 benchmarks for default security configurations for all kinds of software, including operating systems, middleware and network devices. The benchmarks, which are a free download on the CIS Web site, are intended to help organizations reduce IT security risks.

Every security professional has different definitions of how to evaluate organizational security, Miuccio said. To try to find common ground, CIS assembled 85 information security experts who will work together to identify uniform ways to measure eight different metrics. The metrics should be released in late October or early November, Miuccio said.

Two are "outcome" metrics: the mean time between security incidents and the mean time to recover from security incidents. The remaining six metrics are related to process: the percentage of systems configured according to approved standards; the percentage of systems patched according to policy; percentage of systems with antivirus technology; percentage of business applications that have a risk assessment; percentage of business applications that have a penetration or vulnerability assessment; and percentage of application code that have a security assessment or code review before deployment.

Along with the metrics, CIS plans to launch around the same time a software-based service for companies to compare how they are doing in terms of security compared with other anonymous companies in their vertical market. This type of comparison is already commonly used for financial results and other aspects of business performance such as customer service.

"That’s not done in information security today," Miuccio said. "We believe that this service will begin to enable that."

Reprinted with permission from

Leave a Comment

Name

Mail (will not be published)

Website

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.
Navigation:

Compliance Blog Home

About Radian Compliance
Category:

Business Continuity

BS 25999

Compliance Management

Risk Management

credit card industry

cybersecurity

E-Discovery

Events

General

Information Security

ISO 27001

IT Service Management

ISO 20000

Security and Privacy

Supply Chain Management
Archives:

2011

2010

2009

2008

2007

2006
Web Links:

Continuity Compliance

Illinois I.T. Association

Radian Compliance Main
Meta:

RSS

Comments RSS

Valid XHTML

XFN
© 2012 Radian Compliance, LLC. All Rights Reserved. Entries RSS Comments RSS Login

Group to release uniform metrics to measure IT security

CIS also plans to launch services to help companies compare security efforts

Leave a Comment

Navigation:

Category:

Archives:

Web Links:

Meta: