From: Jose Varghese (jose.varghese@paladion.net)
Date: Fri Jul 29 2005 - 04:13:09 EDT
Hi,
Implementing a security metrics program will assist in measurement of
security level. Essentially this involves
1. Identify key aspects (PPT - people , process and technology)which
contribute to security
2. Identify the elements( e.g. firewalls, anti-virus, security-awareness
programs ) in PPT that contribute to security
3. Identify the parameters within each area( e.g. number of machines without
latest anti-patterns, number of users trained on security )that needs to be
measured
4. Identify the methods for objective measurement of defined parameters
5. Define criteria for interpreting the values that are measured
There are several ways to go about defining metrics including
top-down(Define/list objectives of the overall and then identify metrics
that would indicate
progress toward each objective) and bottoms-up (Identify measurements that
are/could be
collected for specific processes).
Within metrics we have different categories like leading and lagging as
defined in KPI and KGI of CoBIT.
Rolling out a security metrics program is quite challenging; yet its worth
the effort.
SANS also has an good write-up on the same at
http://www.sans.org/rr/whitepapers/auditing/55.php
A recent article on the security metrics in CSO magazine
http://www.csoonline.com/read/070105/metrics.html
Regards
Jose Varghese
Paladion Networks
Application Security Magazine
http://palisade.paladion.net
-----Original Message-----
From: Larry Marin (Irony Account) [mailto:irony@trini.org]
Sent: Thursday, July 28, 2005 10:00 PM
To: Toto A Atmojo
Cc: pen-test@securityfocus.com; security-management@securityfocus.com;
secpapers@securityfocus.com; focus-linux@securityfocus.com;
libnet@securityfocus.com; firewalls@securityfocus.com;
security-basics@securityfocus.com
Subject: Re: Is there any way to measure IT Security??
You should check out NSA IAM/IEM Methodology...it works well for me.
http://www.iatrp.com/iam.cfm
Toto A Atmojo wrote:
> Dear all,
>
> Currently I'm looking for a tool, or a technique to measure IT security?
>
> The baseline for security is CIA (Confidentiality, Integrity and
> Availability), that is every organization which want to called secure
> must be guarantee that their system comply this matter.
>
> But the problem is, we need a tool/technique to measure how secure are
> we. Therefore, wee need a tool/technique to measure how close that our
> system status now to CIA.
>
> Please share your experience about this matter.
>
> If there any link about this issue, I really appreciate if you share
> to us (You may contact me privately) .
>
> Best Regs,
>
> Toto
>
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:40 EDT