The Center for Internet Security
CIS Consensus Information Security Metrics Service
Organizations struggle to make cost-effective security investment decisions; information security professionals lack widely accepted and unambiguous metrics for decision support. CIS has established a consensus group of industry experts to address this need. The results will be:

  • An independent, consensus metric framework; and
  • A service to define, collect and analyze data on security process benefits and outcomes.
Initial Scope
Key criteria were established for the initial set of consensus metrics. They are a balanced combination of outcome and practice metrics measuring:

  1. The frequency and severity of security incidents;
  2. Incident recovery performance; and
  3. Use of security practices generally regarded as effective.
Developing metrics that utilize data commonly available in most enterprises is recognized as a practical consideration.
Security Metrics Consensus Team Progress
A team of more than 80 government, private, and academic experts is working to reach consensus on a small initial set, fewer than ten (10), of security outcome and practice metrics. At present these are only concepts, not fully and unambiguously defined metrics. They represent outcome and practice areas of security regarded by the consensus group as important, but they are subject to further refinement by the group.

Currently, the consensus group has agreed to develop metrics in the following conceptual areas:

Outcomes

  • Mean Time Between security incidents
  • Mean Time To Recovery from security incidents

Processes and Practices

  • % of systems configured to approved standards
  • % of systems patched to policy
  • % of systems with anti-virus protection
  • % of business applications that underwent risk assessment
  • % of business applications that underwent penetration or vulnerability assessment
  • % of application code that underwent security assessment, threat model analysis, or code review prior to production deployment
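The two outcome metrics and the "% of systems" practice metrics above are only concepts on this page, and the point of the schema work is that their computation must be spelled out. The following is an added example, not CIS code, showing one concrete reading of those definitions: Mean Time Between incidents is measured between consecutive incident start times, Mean Time To Recovery counts only closed incidents (open ones are excluded rather than treated as zero), and coverage metrics are a percentage of an inventory. Field names and the sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

@dataclass
class Incident:
    # Assumed fields; the final CIS schema field names are not given on this page.
    started: datetime
    recovered: Optional[datetime]  # None while the incident is still open

def mean_time_between_incidents(incidents):
    """Mean gap, in hours, between consecutive incident start times.
    Returns None when fewer than two incidents exist (no interval to measure)."""
    starts = sorted(i.started for i in incidents)
    if len(starts) < 2:
        return None
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(starts, starts[1:])]
    return mean(gaps)

def mean_time_to_recovery(incidents):
    """Mean hours from start to recovery over closed incidents only;
    open incidents are excluded so they do not drag the average toward zero."""
    durations = [(i.recovered - i.started).total_seconds() / 3600
                 for i in incidents if i.recovered is not None]
    return mean(durations) if durations else None

def coverage_percent(systems, predicate):
    """Practice metric: percentage of inventoried systems for which predicate holds.
    Returns None for an empty inventory rather than reporting 0% or 100%."""
    if not systems:
        return None
    return 100.0 * sum(1 for s in systems if predicate(s)) / len(systems)

# Constructed sample data (not from the page).
T = datetime.fromisoformat
INCIDENTS = [
    Incident(T("2005-01-03T08:00"), T("2005-01-03T20:00")),  # 12 h to recover
    Incident(T("2005-01-10T08:00"), T("2005-01-11T08:00")),  # 24 h to recover
    Incident(T("2005-01-24T08:00"), None),                    # still open
]
SYSTEMS = [
    {"name": "web01", "patched": True, "av": True},
    {"name": "web02", "patched": False, "av": True},
    {"name": "db01", "patched": True, "av": False},
    {"name": "jump01", "patched": True, "av": True},
]

if __name__ == "__main__":
    print("MTBSI hours:", mean_time_between_incidents(INCIDENTS))   # 252.0
    print("MTTR hours:", mean_time_to_recovery(INCIDENTS))          # 18.0
    print("% patched:", coverage_percent(SYSTEMS, lambda s: s["patched"]))  # 75.0
```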

Metric Schema

A security metrics schema has been developed that will serve as a structure for the final definition of each metric so that terms, definitions, and computational aspects are unambiguous.

Future Benefits of the Planned CIS Information Security Metrics Service

Once a significant volume of outcome metrics data is available, a number of important purposes will be served:

  1. The ability for enterprises to compare their outcomes against the distribution curves derived from data populated by other entities, thus creating an intrinsic improvement mechanism by invoking the desire to remain competitive and innovative.

  2. The understanding of practical benefits and effectiveness of “best practices” such as monitoring information flows, risk assessment models, patching, configuration, and maturity models, as they affect the reduction of the frequency and impact of security incidents. In that respect, business outcome metrics will serve as the learning and feedback loop that is currently missing from these practices.

  3. The provision of a rational basis for formulating information security strategy, analyzing its implementation, and making cost-effective security investments.
For More Information

If you are interested in actively participating as a member of the virtual CIS Security Consensus Metrics Team or have questions, please contact Steven Piliero.

Logo and Design by Keiler
© 2005, the Center for Internet Security.