Network Security Security-Management

Re: Security Dashboard

Subject: Re: Security Dashboard
Date: Mon, 27 Feb 2006 10:19:15 -0500
Steve, I agree, there is not much meaning to these numbers without knowledge
of the network.

The best way to make the numbers meaningful is to score departments. Scoring
by business unit/region/department gives mgmt something that makes sense.

CEO: "Hey! The accounting department has a 389 score in virus control this
week, and retail scored 4! Fire the retail department!"

CISO: "A lower score is better sir."

CEO: "Holy crap! Fire the accountants!"

Trending of these scores is also important. The numbers don't need to be
explained, as long as the graph keeps moving up, week after week, everyone
keeps their job. Unless, of course, the department needs more infosec money,
then you can risk making your charts go down. Just don't let them flatline.


On 2/24/06, Fred Cohen <fred.cohen@all.net> wrote:


On Feb 22, 2006, at 9:19 AM, Steve R. Smith wrote:

Some of the typical manually generated security
metrics that I've seen are things like:

Patch cycle times vs. unpatched machines (from SUS or
automated patch tools, manual patch application and
monitoring, etc)

But in what sense does this help actually answer any important or
useful questions? Say I measure it and I find that the patch cycle
time for a computer is 5 days and the number of unpatched machines is
20% of all machines. What value does this have for me. Should it be
more? less? at what cost?

Phishing, SPAM content blocked at SMTP gateways

What portion of what spam content - and by whose definition? You mean
some spam blocked at some gateways? I don't even know what to count
here.

Helpdesk calls- virus cases, password resets, static
token requests

Suppose the helpdesk calls are 500 / week, virus cases are 17, password
resets are 4,589, static token requests are 987. What does that mean
exactly? Am I doing well or poorly? How should I change what I am doing -
toward what goal at what price?

Vulnerabilities over time (Qualysguard, Foundscan,
IP360, Nessus, consulting reports, etc)

I have reports of 47 vulnerabilities every time I scan with Nessus -
what does it mean?

Security policy compliance (ISO17799)

What am I measuring here?

Typically, this information gets sent up the chain to
various IT Executives such as CIOs, CTOs, CISOs, Audit
Directors, and/or corporate governing bodies.

I send the report with the numbers above up to a CEO. What do they
do? How do they interpret it?

I have seen lots of dashboards - and so far I didn't find even one
that did much to help me manage risks better. What am I missing?

FC

Regards,
Steve

--

-- This communication is confidential to the parties it is intended
to serve --
Security Posture            securityposture.com          tel/fax
University of New Haven               unhca.com        925-454-0171
Fred Cohen & Associates                 all.net      572 Leona Drive
ASP Press                         asp-press.com    Livermore, CA 94550
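As an added example, not part of this thread and not written by any of its participants: a small Python script that does the two things the reply above suggests, scoring each department on one scale where the direction is fixed (higher is better, so the "is lower better, sir?" exchange cannot happen) and tracking the score week over week. The host records, the 7-day patch target and the equal weighting of coverage and timeliness are constructed assumptions for illustration, not figures from the list or from any real network.

```python
"""Department-level security scoring with week-over-week trend.

Added example, not code from the original mailing-list thread. The sample
records, the 7-day patch target and the 50/50 weighting of coverage and
timeliness are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class HostRecord:
    week: str                # reporting week label, e.g. "2006-W07"
    department: str          # business unit the host belongs to
    days_since_release: int  # days from patch release to install, or to now if still unpatched
    fully_patched: bool


PATCH_TARGET_DAYS = 7  # assumed SLA: a patch counts as "timely" if installed within 7 days


def department_scores(records, week):
    """Score each department for one week on a 0-100 scale where HIGHER is better.

    coverage   = % of the department's hosts that are fully patched
    timeliness = % of hosts patched within PATCH_TARGET_DAYS
    score      = mean of the two, rounded to one decimal

    Folding several raw counts into one direction-consistent number is what
    makes the figure comparable across departments and across weeks.
    """
    per_dept = defaultdict(list)
    for r in records:
        if r.week == week:
            per_dept[r.department].append(r)
    scores = {}
    for dept, hosts in per_dept.items():
        n = len(hosts)
        coverage = 100.0 * sum(h.fully_patched for h in hosts) / n
        timeliness = 100.0 * sum(
            h.fully_patched and h.days_since_release <= PATCH_TARGET_DAYS for h in hosts
        ) / n
        scores[dept] = round((coverage + timeliness) / 2, 1)
    return scores


def week_over_week(records, prev_week, week):
    """Return {dept: (previous_score, current_score, delta)} for departments seen in both weeks."""
    prev = department_scores(records, prev_week)
    cur = department_scores(records, week)
    return {
        dept: (prev[dept], cur[dept], round(cur[dept] - prev[dept], 1))
        for dept in sorted(set(prev) & set(cur))
    }


def trend_label(delta, tolerance=1.0):
    """Collapse a numeric delta into the word a management reader actually looks for."""
    if delta > tolerance:
        return "improving"
    if delta < -tolerance:
        return "worsening"
    return "flat"


# Constructed sample: two reporting weeks, two departments (not real data).
SAMPLE = [
    HostRecord("2006-W07", "accounting", 3, True),
    HostRecord("2006-W07", "accounting", 12, False),
    HostRecord("2006-W07", "accounting", 5, True),
    HostRecord("2006-W07", "retail", 2, True),
    HostRecord("2006-W07", "retail", 4, True),
    HostRecord("2006-W07", "retail", 30, False),
    HostRecord("2006-W07", "retail", 28, False),
    HostRecord("2006-W08", "accounting", 4, True),
    HostRecord("2006-W08", "accounting", 6, True),
    HostRecord("2006-W08", "accounting", 5, True),
    HostRecord("2006-W08", "retail", 2, True),
    HostRecord("2006-W08", "retail", 4, True),
    HostRecord("2006-W08", "retail", 31, False),
    HostRecord("2006-W08", "retail", 9, True),
]


if __name__ == "__main__":
    for dept, (prev, cur, delta) in week_over_week(SAMPLE, "2006-W07", "2006-W08").items():
        print(f"{dept:<12} {prev:>6} -> {cur:>6}  ({delta:+.1f}, {trend_label(delta)})")
```

The script prints one line per department with last week's score, this week's score, the delta and a trend word; the raw host counts never reach the reader, which is the point of the reply above. Anything that should move the score (an unpatched host, a slow patch) has to be expressed as a component on the same higher-is-better scale, so the chart can only be misread if the scale itself is inverted somewhere.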


