Penetration Testing mailing list archives
RE: Is there any way to measure IT Security??
From: "Jose Varghese" <jose.varghese () paladion net>
Date: Fri, 29 Jul 2005 13:43:09 +0530
Hi, Implementing a security metrics program will assist in measurement of security level. Essentially this involves 1. Identify key aspects (PPT - people , process and technology)which contribute to security 2. Identify the elements( e.g. firewalls, anti-virus, security-awareness programs ) in PPT that contribute to security 3. Identify the parameters within each area( e.g. number of machines without latest anti-patterns, number of users trained on security )that needs to be measured 4. Identify the methods for objective measurement of defined parameters 5. Define criteria for interpreting the values that are measured There are several ways to go about defining metrics including top-down(Define/list objectives of the overall and then identify metrics that would indicate progress toward each objective) and bottoms-up (Identify measurements that are/could be collected for specific processes). Within metrics we have different categories like leading and lagging as defined in KPI and KGI of CoBIT. Rolling out a security metrics program is quite challenging; yet its worth the effort. SANS also has an good write-up on the same at http://www.sans.org/rr/whitepapers/auditing/55.php A recent article on the security metrics in CSO magazine http://www.csoonline.com/read/070105/metrics.html Regards Jose Varghese Paladion Networks Application Security Magazine http://palisade.paladion.net -----Original Message----- From: Larry Marin (Irony Account) [mailto:irony () trini org] Sent: Thursday, July 28, 2005 10:00 PM To: Toto A Atmojo Cc: pen-test () securityfocus com; security-management () securityfocus com; secpapers () securityfocus com; focus-linux () securityfocus com; libnet () securityfocus com; firewalls () securityfocus com; security-basics () securityfocus com Subject: Re: Is there any way to measure IT Security?? You should check out NSA IAM/IEM Methodology...it works well for me. http://www.iatrp.com/iam.cfm Toto A Atmojo wrote:
Dear all, Currently I'm looking for a tool, or a technique to measure IT security? The baseline for security is CIA (Confidentiality, Integrity and Availability), that is every organization which want to called secure must be guarantee that their system comply this matter. But the problem is, we need a tool/technique to measure how secure are we. Therefore, wee need a tool/technique to measure how close that our system status now to CIA. Please share your experience about this matter. If there any link about this issue, I really appreciate if you share to us (You may contact me privately) . Best Regs, Toto
Current thread:
- Re: Is there any way to measure IT Security?? Larry Marin (Irony Account) (Jul 28)
- RE: Is there any way to measure IT Security?? Jose Varghese (Jul 29)
- <Possible follow-ups>
- RE: Is there any way to measure IT Security?? Craig Wright (Jul 28)