Educause Security Discussion mailing list archives

Re: Measuring security


From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Fri, 7 Nov 2008 13:26:56 -0500

Hi,

There is a subcommittee of effective practices working on security metrics (I am chairing it). We have broken them (the metrics) into 4 types

Compliance Metrics
Executive Metrics
Incident Metrics
Operational Metrics

In each, we are looking for important (as defined by us :-) metrics that meet our criteria of

Automate-ability
Reproduce-ability
Non-Subjectivism

We are also looking to develop metrics that can be compared in a meaningful way between various institutions; the significance of this is to allow real comparisons to be done of various security implementations or products.

We will be building a cookbook from these metrics (at least 3 in each category) so that by following our recipes, any institute (large or small, rich or poor) could build a meaningful set of metrics and know how they are doing, in a similar way that a doctor can tell something about your health by looking at your blood pressure and various other tests.

I realize that this is a high level (meaning not really useful :-) look at what we are doing, but we should have some useful content available soon.

I hope this helps.

Thank you,
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Wednesday, November 05, 2008 2:05 PM -0800 Heather Flanagan <heatherf () STANFORD EDU> wrote:

Hi all -

I've been asked to create some measurable target goals for data security. This is proving to be a tricky set of metrics to define! What I've realized so far is:

1 - trying to go by how many holes or warnings are found by Nessus won't work; way too many false positives
2 - trying to go by what a third-party penetration test might find won't work; what they are measuring varies too much and there have so far been way too many false positives or things we considered completely acceptable (yes, a domain controller is going to act as a time server to anyone who checks)
3 - trying to go by "well, doesn't look like we've been hacked recently"... not quite the business metric I'm looking for

Is anyone out there finding any particular set of metrics working for you and your campus leadership?

Heather Flanagan
Director, System Administration
heatherf () stanford edu
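As an added illustration of the criteria in Joel's reply (automatable, reproducible, non-subjective, and normalised so that campuses of different size can be compared) and of Heather's false-positive problem with raw scanner counts, here is a small Python script. It is not part of either message and not the subcommittee's cookbook; the record layout, the 30-day SLA, the severity scale and the sample findings are all constructed assumptions. The one subjective input (whether a scanner hit is a real finding or an accepted condition such as a domain controller answering time queries) is captured as a single recorded `verified` flag, so the metric itself is computed mechanically from stored data and yields the same answer on every run.

```python
"""Reproducible operational/compliance security metrics over scan findings.

Added example; field names, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str            # one of SEVERITY_RANK
    first_seen: date         # date the scanner first reported it
    verified: bool           # analyst confirmed it is not a false positive
    fixed_on: Optional[date] = None   # None = still open


# Constructed sample data: findings across an assumed 200-host campus.
HOST_COUNT = 200
AS_OF = date(2008, 11, 7)
FINDINGS = [
    Finding("web-01",   "critical", date(2008, 9, 1),   True,  date(2008, 9, 10)),
    Finding("web-02",   "critical", date(2008, 9, 15),  True,  None),
    Finding("dc-01",    "high",     date(2008, 10, 1),  False, None),  # DC serving NTP: accepted, excluded
    Finding("mail-01",  "critical", date(2008, 10, 20), True,  date(2008, 11, 1)),
    Finding("lab-07",   "high",     date(2008, 8, 1),   True,  None),
    Finding("lab-08",   "medium",   date(2008, 10, 30), True,  date(2008, 11, 5)),
    Finding("lab-09",   "critical", date(2008, 10, 5),  True,  None),
    Finding("print-03", "low",      date(2008, 7, 1),   False, None),  # scanner noise, excluded
]


def _days_open(f: Finding, as_of: date) -> int:
    """Days between first report and the fix (or `as_of` if still open)."""
    end = f.fixed_on if f.fixed_on is not None else as_of
    return (end - f.first_seen).days


def open_verified_per_100_hosts(findings, host_count, as_of, min_severity="high"):
    """Operational metric: verified findings still open on `as_of`, at or above
    `min_severity`, per 100 managed hosts (size-normalised for comparison)."""
    floor = SEVERITY_RANK[min_severity]
    open_count = sum(
        1 for f in findings
        if f.verified
        and SEVERITY_RANK[f.severity] >= floor
        and (f.fixed_on is None or f.fixed_on > as_of)
    )
    return round(100.0 * open_count / host_count, 2)


def overdue_fraction(findings, as_of, severity="critical", sla_days=30):
    """Compliance metric: share of verified findings of `severity` that were,
    or still are, open longer than the SLA."""
    pool = [f for f in findings
            if f.verified and f.severity == severity and f.first_seen <= as_of]
    if not pool:
        return 0.0
    overdue = sum(1 for f in pool if _days_open(f, as_of) > sla_days)
    return round(overdue / len(pool), 3)


def median_days_to_fix(findings):
    """Operational metric: median days from first report to fix for verified
    findings that have been closed; None when nothing has been fixed yet."""
    durations = [(f.fixed_on - f.first_seen).days
                 for f in findings if f.verified and f.fixed_on is not None]
    return median(durations) if durations else None


def metric_report(findings, host_count, as_of):
    """Deterministic summary: same stored data in, same numbers out."""
    return {
        "open_high_or_worse_per_100_hosts": open_verified_per_100_hosts(findings, host_count, as_of),
        "critical_overdue_fraction": overdue_fraction(findings, as_of),
        "median_days_to_fix": median_days_to_fix(findings),
    }


if __name__ == "__main__":
    for name, value in sorted(metric_report(FINDINGS, HOST_COUNT, AS_OF).items()):
        print(f"{name}: {value}")
```

Excluding unverified findings is what keeps Heather's false positives out of the number; dividing by host count is what makes Joel's cross-institution comparison meaningful, since a raw count of open findings says more about campus size than about security posture.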
