New metrics to help measure enterprise security

Published 8 September 2008

A non-profit IT security organization is working toward releasing a set of metrics that enterprises can use to measure the effectiveness of their security controls.

The Center for Information Security (CIS) has said it is in the process of developing evaluation metrics and enterprise benchmarking services to help measure security controls. The organization already develops free IT security benchmarks and scoring tools for individual software and network device components. These new benchmarks, however, are intended to help enterprises measure broader management issues, like patching and recovery times.

ITPro’s Miya Knights quotes Bert Miuccio, CIS’ chief executive, as saying that organizations were struggling “to understand the value of security investments, in terms of outcomes, to determine the security status of an enterprise.” CIS has teamed up with eighty-five information security professionals to develop eight principal metric areas, which are set for release in October. They cover average times between security incidents and recovery times, as well as process improvement around patching, configuration standards compliance, risk assessment and anti-virus coverage, among others.

A new Web-based service will complement the metrics by allowing organisations to anonymously measure their performance against others in their vertical market. Miuccio added that the new IT security management metrics were intended to complement existing information security guidelines and standards, like the U.S. National Security Agency’s Information Security Assurance Capability Maturity Model (IA-CMM) and the various accreditations developed by the International Organisation for Standardisation (ISO).