
RE: Looking For Security Metrics

Subject: RE: Looking For Security Metrics
Date: Thu, 27 Mar 2008 08:19:25 -0700
David: it's important to define what you mean by "metrics".  

If you're talking about an enumerated list of things to cover, then CIS,
NIST, and the collective works of mitre (particularly CCE and CVE) are a
great place to start.  

If, by metrics, you mean risk scoring and trending over time, there is
little available in the public domain other than CVSS today.  Vendors have
their own proprietary risk metrics (nCircle has a composite score as
well as CVSS built into IP360; most others use HIGH/MEDIUM/LOW), and
there are countless conceptual risk frameworks (mostly academic today).

I suspect that you mean a checklist/guideline to follow, in which case
CIS and/or Mitre are great places to start.



Sheldon Malm
Director
Security Research & Development
nCircle Network Security

Check out the VERT daily post
http://blog.ncircle.com/vert



-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Murda Mcloud
Sent: Tuesday, March 25, 2008 7:18 PM
To: jmacaranas@fxdd.com; security-basics@lists.securityfocus.com
Subject: RE: Looking For Security Metrics

How about looking at NIST for their checklists or CIS?
Maybe SANS have something specific for the platform/app you're using.
Is it like Sharepoint?

-----Original Message-----
From: listbounce@securityfocus.com 
[mailto:listbounce@securityfocus.com]
On Behalf Of jmacaranas@fxdd.com
Sent: Wednesday, March 26, 2008 4:56 AM
To: david.durcsak@verizon.net; 
security-basics@lists.securityfocus.com
Subject: RE: Looking For Security Metrics

openACS?

-----Original Message-----
From: listbounce@securityfocus.com 
[mailto:listbounce@securityfocus.com]
On Behalf Of david.durcsak@verizon.net
Sent: Tuesday, March 25, 2008 1:27 PM
To: security-basics@lists.securityfocus.com
Subject: Looking For Security Metrics

To all:

We are running a web based document sharing and collaborative 
environment and don't have the security expertise/time in house to 
develop a set of security metrics.

My thoughts right now are if someone had a list that they could 
share, we could use those as a starting point for understanding what 
we need to do.

Any help would be appreciated.

Cheers
Dave
