Network security metrics: Basic network security controls assessment

I have been given the challenge of assessing our company's security posture, given the current manpower and capabilities invested.  Are there any metrics for measuring the level of security of a network? What would be a good first step?

    Requires Free Membership to View

You’re asking a question security professionals have struggled with for years and, before going into detail, I must give you the disappointing news that there is no silver bullet for information security metrics.  The only way to truly evaluate the effectiveness of an information security program is to sit down, assess the program’s objectives, and then find ways to measure your progress toward those goals. This is a highly enterprise-specific process, and the results will vary from organization to organization.

That said, there are many rich sources of data you can add to the mix when considering network security metrics for your program.  Here are a few of my favorites:

  • Results from vulnerability scans:  If you’re running a vulnerability scanner on your network, this can provide several interesting metrics:
    • Number of critical vulnerabilities on your servers.
    • Number of critical vulnerabilities accessible through your firewall.
    • Average time to resolve critical vulnerabilities.
  • System configuration compliance information: Tools like Microsoft System Center Configuration Manager can provide you with detailed information about the status of your workstations.  Some ideas for security metrics include:
    • Percent of systems compliant with security standards.
    • Antivirus and antispyware status.
  • Security incident frequency:  This cuts right to the bottom line: How often is your organization experiencing security incidents?  The trick here is to ensure you have a consistent definition of what rises to the level of an "incident."  Otherwise, changing definitions may create false trends in your data.

Those are a few ideas that can get you started on the road to a comprehensive security metrics program.  Remember to begin with your objectives and then use them to help craft questions that will provide management with the best insight into the effectiveness of your information security program and network security controls.

This was first published in September 2011

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: