IDG News Service >
 

Software watchdog working on enterprise security metrics

o Ellen Messmer
08.09.2008 kl 16:44 |

The Center for Internet Security is devising new metrics that companies can use to evaluate their security status, including measuring how many systems are properly patched and how long it takes to recover from a security incident.

 

The Center for Internet Security is devising new metrics that companies can use to evaluate their security status, including measuring how many systems are properly patched and how long it takes to recover from a security incident.

CEO Bert Miuccio says the non-profit group, which crafts software implementation benchmarks, intends to publish its enterprise security metrics by year-end.

"There have been metrics defined in the security community in the past, usually lists of things to be measured in terms of security, such as technical [attributes], people and processes," Miuccio says. "But there's still a struggle to understand the value of security investments, in terms of outcomes, to determine the security status of an enterprise."

Miuccio says the security benchmarks the Center for Internet Security is working on will be "unambiguous." They'll revolve around eight principal topics:

•  Mean time between security incidents.

•  Mean time to recover from security incidents.

•  Percentage of systems configured to approved standards.

•  Percentage of systems patched to policy.

•  Percentage of systems with antivirus.

•  Percentage of business applications that had a risk assessment.

•  Percentage of business applications that had a penetration or vulnerability assessment.

•  Percentage of application code that had a security assessment, threat model analysis, or code review prior to production deployment.

Miuccio adds that the Center for Internet Security will continue its work producing benchmarks for software security. New benchmarks for secure configuration of Microsoft Office and SharePoint, print drivers, the open source Tomcat application and the three Web browsers Internet Explorer, Opera and Firefox are to be published in the fourth quarter as well.

Some organizations view security metrics as a way to show evidence of secure practices to both themselves and business partners.

Pacific Gas & Electric (PG&E), for example, elected to use what's called the Information Security Assurance Capability Maturity Model (IA-CMM) developed by the U.S. National Security Agency.

"The purpose of the IA-CMM is to gauge an organization's effectiveness in delivering security to its clients, meaning anyone who uses its services," says Seth Bromberger, manager of information security at PG&E. IA-CMM calls for a tough exam by an authorized outside firm to evaluate an organization's security as documented and executed.

PG&E, which was evaluated by Security Horizon, late last year, achieved a "3" ranking out of a top score of "5."

While at first glance that may sound average, only one company has ever achieved a "4," according to Bromberger, and that's International Network Services. Under the tough IA-CMM ranking system, a "3" means an organization's security as documented and executed is "well-defined," and Bromberger is extremely proud his organization could even make it through the IA-CMM evaluation to achieve this ranking.

"This gives us credibility when we discuss the merits of our security program," Bromberger says. "It lends additional credibility when we talk to the government or utilities about exchanging information on security. From a practical perspective, it's a tool that gives management confidence. Because we provide electric power, we're considered critical infrastructure in the U.S."

Bromberger adds there are "very few hard-line metrics around security." He says he's familiar with the Center for Internet Security's work on software security benchmarks and considers it an expert source. He's excited to hear that the center will publish a security metrics benchmark and will "absolutely consider its use within PG&E if it makes sense to augment our benchmarking/metric program."

Meanwhile, Miuccio calls the IA-CMM model "an excellent tool for planning and strategy" but adds "it lacks a data feedback loop." The Center for Internet Security's planned security metric will complement IA-CMM, he says. "These metrics will take it to the next level," he promises.

Keywords: Security  
Latest news from IDG News Service

Copyright 2009 IDG Magazines Norge AS. All rights reserved

Postboks 9090 Grønland - 0133 OSLO / Telefon 22053000

Ansvarlig redaktør Henning Meese / Utviklingsansvarlig Ulf Helland / Salgsdirektør Tore Harald Pettersen