
Re: Is there any way to measure IT Security??

Subject: Re: Is there any way to measure IT Security??
Date: Thu, 4 Aug 2005 11:09:40 -0400
"Measuring IT security" is a broad concept, but a comprehensive risk 
assessment is the best way to gauge overall security posture. Vulnerability 
assessment is just one piece of that. Standards for best practice, like 
ISO17799, force you to consider every part of your organization as it 
relates to infosec. There are many risk assessment frameworks, guidelines 
and tools available from sites like sans.org, nist.gov, issa.org, etc., as 
well as commercial offerings.

Unfortunately, there's no cut & dried scoring system, nor a universally 
adopted measurement standard, so keep your expectations (and management's 
expectations) realistic. Involve EVERYONE in your assessment and in your 
security program. I've seen companies ignore outside contractors, cleaning 
services and maintenance workers because they weren't permanent, full-time 
employees. That's like ignoring the key under the door mat.

- Rich


 



"Toto A Atmojo" <toto@playon.co.id> 
07/28/2005 06:02 AM

To
<pen-test@securityfocus.com>, <security-management@securityfocus.com>, 
<secpapers@securityfocus.com>, <focus-linux@securityfocus.com>, 
<libnet@securityfocus.com>, <firewalls@securityfocus.com>, 
<security-basics@securityfocus.com>
cc

Subject
Is there any way to measure IT Security??






Dear all,
 
Currently I'm looking for a tool, or a technique to measure IT security?
 
The baseline for security is CIA (Confidentiality, Integrity and 
Availability); that is, every organization which wants to be called secure 
must guarantee that its systems comply with this.
But the problem is, we need a tool/technique to measure how secure we are. 
Therefore, we need a tool/technique to measure how close our system's 
current status is to CIA.
 
Please share your experience about this matter.
If there is any link about this issue, I would really appreciate it if you 
shared it with us (you may contact me privately).
 
 
Best Regs,
 
Toto
 