Educause Security Discussion mailing list archives
Measuring security
From: Heather Flanagan <heatherf () STANFORD EDU>
Date: Wed, 5 Nov 2008 14:05:40 -0800
Hi all - I've been asked to create some measurable target goals for data security. This is proving to be a tricky set of metrics to define! What I've realized so far is:

1 - trying to go by how many holes or warnings are found by nessus won't work; way too many false positives

2 - trying to go by what a third-party penetration test might find won't work; what they are measuring varies too much and there have so far been way too many false positives or things we considered completely acceptable (yes, a domain controller is going to act as a time server to anyone who checks)

3 - trying to go by "well, doesn't look like we've been hacked recently"... not quite the business metric I'm looking for

Is anyone out there finding any particular set of metrics working for you and your campus leadership?

Heather Flanagan
Director, System Administration
heatherf () stanford edu