
| Subject: | RE: Is there any way to measure IT Security?? |
|---|---|
| Date: | Fri, 29 Jul 2005 08:27:56 +0200 |

Toto,

I am afraid that no tool can fulfill your requirement.

I think in order to be able to measure the effectiveness of your IT security controls, you should first start with defining security policies fitting your organizational requirements. Based on these policies and your corporate security strategy you can define security metrics to measure conformance with the security policies.

As an example, the number/percentage of audited/security accredited systems (against the system security policy) is a metric you can use in order to measure the effectiveness of your system security policy (preventive control).

I would rather not think in terms of tools, but of processes within your IT security department to help you drive performance and achieve policy compliance.

Hope this helps

Salah

________________________________

From: Toto A Atmojo [mailto:toto@playon.co.id]
Sent: Thursday, July 28, 2005 12:02 PM
To: pen-test@securityfocus.com; security-management@securityfocus.com; secpapers@securityfocus.com; focus-linux@securityfocus.com; libnet@securityfocus.com; firewalls@securityfocus.com; security-basics@securityfocus.com
Subject: Is there any way to measure IT Security??

Dear all,

Currently I'm looking for a tool or a technique to measure IT security.

The baseline for security is CIA (Confidentiality, Integrity and Availability), that is, every organization which wants to be called secure must guarantee that their system complies with this matter. But the problem is, we need a tool/technique to measure how secure we are. Therefore, we need a tool/technique to measure how close our system status now is to CIA.

Please share your experience about this matter. If there is any link about this issue, I would really appreciate it if you shared it with us (you may contact me privately).

Best Regs,
Toto