Security Basics mailing list archives

RE: Is there any way to measure IT Security??

From: "Jose Varghese" <jose.varghese () paladion net>
Date: Sat, 30 Jul 2005 10:38:18 +0530

Hi,

Implementing a security metrics program will assist in measurement of
security level. Essentially this involves  

1. Identify key aspects (PPT - people , process and technology)which
contribute to security
2. Identify the elements( e.g. firewalls, anti-virus, security-awareness
programs )  in PPT that contribute to security
3. Identify the parameters within each area( e.g. number of machines without
latest anti-patterns, number of users trained on security )that needs to be
measured
4. Identify the methods for objective measurement of defined parameters
5. Define criteria for interpreting the values that are measured

There are several ways to go about defining metrics including
top-down(Define/list objectives of the overall and then identify metrics
that would indicate
progress toward each objective) and bottoms-up (Identify measurements that
are/could be
collected for specific processes).

Within metrics we have different categories like leading and lagging as
defined in KPI and KGI of CoBIT.

Rolling out a security metrics program is quite challenging; yet its worth
the effort.

SANS also has an good write-up on the same at 
http://www.sans.org/rr/whitepapers/auditing/55.php

A recent article on the security metrics in CSO magazine 
http://www.csoonline.com/read/070105/metrics.html


Regards

Jose Varghese
Paladion Networks

Application Security Magazine
http://palisade.paladion.net


-----Original Message-----
From: Larry Marin (Irony Account) [mailto:irony () trini org] 
Sent: Thursday, July 28, 2005 10:00 PM
To: Toto A Atmojo
Cc: pen-test () securityfocus com; security-management () securityfocus com;
secpapers () securityfocus com; focus-linux () securityfocus com;
libnet () securityfocus com; firewalls () securityfocus com;
security-basics () securityfocus com
Subject: Re: Is there any way to measure IT Security??

You should check out NSA IAM/IEM Methodology...it works well for me.
http://www.iatrp.com/iam.cfm


Toto A Atmojo wrote:

Dear all,

Currently I'm looking for a tool, or a technique to measure IT security?

The baseline for security is CIA (Confidentiality, Integrity and 
Availability), that is every organization which want to called secure 
must be guarantee that their system comply this matter.

But the problem is, we need a tool/technique to measure how secure are 
we. Therefore, wee need a tool/technique to measure how close that our 
system status now to CIA.

Please share your experience about this matter.

If there any link about this issue, I really appreciate if you share 
to us (You may contact me privately) .

Best Regs,

Toto

Current thread:

RE: Is there any way to measure IT Security?? Jose Varghese (Aug 02)
- <Possible follow-ups>
- Re: Is there any way to measure IT Security?? John Alexander (Aug 03)
- Re: Is there any way to measure IT Security?? Alberto Cardona II (Aug 03)
- RE: Is there any way to measure IT Security?? Marriott, Bill (US - Dallas) (Aug 03)