Some of the metrics in their list I already report. For instance:
- percentage of systems patched to policy
- application risk assessment status
- vulnerability assessment status
These, and the others on my dashboard including things like third-party vendor assessment status and incident-related information, all help to build up an overall picture of how well security is being managed. Being able to track the statistics over time enables you and your management to quickly focus in on and question any anomalies.
I've been looking forward to the issue of ISO27004. This is the official number of the standard to cover information security management measurement and metrics, although it does not yet have a defined release date. OK - the release of a new ISO doesn't quite have the excitement and anticipation factor of firing up the LHC, but then information security isn't exactly rocket science...