Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Is there any way to measure IT Security??

from [Jose Varghese] Network Security [Permanent Link]
Subject: RE: Is there any way to measure IT Security??
Date: Fri, 29 Jul 2005 13:43:09 +0530 
Hi,

Implementing a security metrics program will assist in measurement of
security level. Essentially this involves  

1. Identify key aspects (PPT - people , process and technology)which
contribute to security
2. Identify the elements( e.g. firewalls, anti-virus, security-awareness
programs )  in PPT that contribute to security
3. Identify the parameters within each area( e.g. number of machines without
latest anti-patterns, number of users trained on security )that needs to be
measured
4. Identify the methods for objective measurement of defined parameters
5. Define criteria for interpreting the values that are measured

There are several ways to go about defining metrics including
top-down(Define/list objectives of the overall and then identify metrics
that would indicate
progress toward each objective) and bottoms-up (Identify measurements that
are/could be
collected for specific processes).

Within metrics we have different categories like leading and lagging as
defined in KPI and KGI of CoBIT.

Rolling out a security metrics program is quite challenging; yet its worth
the effort.

SANS also has an good write-up on the same at 
http://www.sans.org/rr/whitepapers/auditing/55.php

A recent article on the security metrics in CSO magazine 
http://www.csoonline.com/read/070105/metrics.html


Regards

Jose Varghese
Paladion Networks

Application Security Magazine
http://palisade.paladion.net


-----Original Message-----
From: Larry Marin (Irony Account) [mailto:irony@trini.org] 
Sent: Thursday, July 28, 2005 10:00 PM
To: Toto A Atmojo
Cc: pen-test@securityfocus.com; security-management@securityfocus.com;
secpapers@securityfocus.com; focus-linux@securityfocus.com;
libnet@securityfocus.com; firewalls@securityfocus.com;
security-basics@securityfocus.com
Subject: Re: Is there any way to measure IT Security??

You should check out NSA IAM/IEM Methodology...it works well for me.
http://www.iatrp.com/iam.cfm


Toto A Atmojo wrote:


Dear all,

Currently I'm looking for a tool, or a technique to measure IT security?

The baseline for security is CIA (Confidentiality, Integrity and 
Availability), that is every organization which want to called secure 
must be guarantee that their system comply this matter.

But the problem is, we need a tool/technique to measure how secure are 
we. Therefore, wee need a tool/technique to measure how close that our 
system status now to CIA.

Please share your experience about this matter.

If there any link about this issue, I really appreciate if you share 
to us (You may contact me privately) .

Best Regs,

Toto
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Packet analysis and protocol analysis, Tom Van de Wiele
Next by Date:  RE: vuln testing, L1nux
Previous by Thread:  Re: Is there any way to measure IT Security??, Larry Marin (Irony Account)
Next by Thread:  RE: Is there any way to measure IT Security??, Craig Wright
Indexes:  [Date] [Thread] [Top] [All Lists]