Standards Group to Release Metrics for Internet Information Security
The Center for Internet Security plans to release a set of security metrics to help organizations gauge their security posture. The effort involved more than 80 IT security experts from government, academia and business. The metrics help organizations check on how effectively they have deployed security technologies and policies.
The nonprofit Center for Internet Security plans to release a set of IT security metrics soon, based on input from more than 80 security experts from government, business and academia. The CIS metrics are meant to help organizations determine their security posture using a consensus-based measuring stick. In general, the initial set of outcome and process metrics includes mean time between security incidents, percent of systems patched to policy and percent of business applications that had a risk assessment.
Other metrics will deal with the percent of systems with anti-virus, the percent of systems configured to approved standards, the mean time it takes to recover from security incidents and the percent of application code that has had either a security assessment, threat model analysis or code review prior to production deployment.