Educause Security Discussion mailing list archives

Measuring security


From: Heather Flanagan <heatherf () STANFORD EDU>
Date: Wed, 5 Nov 2008 14:05:40 -0800

Hi all -

I've been asked to create some measurable target goals for data
security.  This is proving to be a tricky set of metrics to define!
What I've realized so far is:

1 - trying to go by how many holes or warnings are found by nessus
won't work; way too many false positives
2 - trying to go by what a third-party penetration test might find
won't work; what they are measuring varies too much and there have so
far been way too many false positives or things we considered
completely acceptable (yes, a domain controller is going to act as a
time server to anyone who checks)
3 - trying to go by "well, doesn't look like we've been hacked
recently"...  not quite the business metric I'm looking for

Is anyone out there finding any particular set of metrics working for
you and your campus leadership?

Heather Flanagan
Director, System Administration
heatherf () stanford edu