4. Develop Metrics
Metrics are the means to quantify security policy compliance, evaluate countermeasure effectiveness, carry out historical analysis and demonstrate security ROI. Measuring performance allows you to quantitatively assess your vulnerability management processes, deficiencies and controls.
There are no industry-standard security metrics, so where do these metrics come from? Often, it's a matter of defining what your goals are, what variables comprise these goals and how to use those variables to establish baselines and measure progress. (For further guidance on the development and implementation of internal security metrics, review http://csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf)
In the absence of standard metrics, some enterprises have used those included in vulnerability management products, such as McAfee's Foundstone 1000 appliance and NetIQ's Vulnerability Manager. These and other products generate statistics on the number of vulnerabilities found, the severity of vulnerabilities and the time to remediation. They won't provide a complete picture, but they will give you usable intelligence.
At minimum, the following metrics should be defined and integrated into the vulnerability management framework:
- Maximum tolerable downtime values for critical assets based on, for instance, the loss of revenue per hour.
- Estimate of potential monetary losses per asset and compromise type, computed by this basic formula: (asset value) x (% of potential damage) x (estimated frequency of compromise) = (annualized loss expectancy).
- Number of security incidents per month (e.g., virus infection, successful penetration attempts from the Internet, unauthorized access attempts by internal employees, Trojan downloads).
- Recovery costs, in staff hours, to remediate these incidents.
- Number of noncompliant systems, by department.
- Percentage of vulnerabilities mitigated over cycles of 30 days, and percentage of vulnerabilities that extend past 60, 90 and 180 days.
- How much the vulnerability management products and processes are really worth to your company. For example, if a $60,000 network vulnerability management product reduces your potential loss from $400,000 to $200,000, its real value is $140,000.
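The remediation-aging, noncompliant-systems and loss-expectancy metrics in the list above can be computed directly from scan findings once each finding carries a discovery date and a fix date. The following is an added example, not code from the original article or from any of the products it names. The findings, host and department names, reporting date and dollar figures are constructed sample data; the only numbers taken from the article are the 30/60/90/180-day thresholds and the $60,000 / $400,000 / $200,000 value-of-control example.

```python
"""Vulnerability-management metrics computed from scan findings.

Added example, not code from the original article or any named product.
The findings, departments and dollar figures are constructed sample data;
the remediation thresholds (30/60/90/180 days) follow the list above.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

AGING_THRESHOLDS_DAYS = (60, 90, 180)


@dataclass(frozen=True)
class Finding:
    host: str
    department: str
    severity: str               # e.g. "critical", "high", "medium"
    discovered: date            # first seen by the scanner
    remediated: Optional[date]  # None while the finding is still open


def days_open(f: Finding, as_of: date) -> int:
    """Lifetime of a finding: to its fix date, or to the reporting date if still open."""
    return ((f.remediated or as_of) - f.discovered).days


def remediation_metrics(findings: List[Finding], as_of: date) -> Dict[str, float]:
    """Percentage fixed within 30 days, percentage whose lifetime exceeds
    60/90/180 days (still-open findings count against each bucket), and
    mean time to remediate, in days, for the fixed ones."""
    total = len(findings)
    if total == 0:
        return {}
    fixed_within_30 = sum(
        1 for f in findings if f.remediated is not None and days_open(f, as_of) <= 30
    )
    metrics = {"pct_mitigated_within_30d": round(100 * fixed_within_30 / total, 1)}
    for limit in AGING_THRESHOLDS_DAYS:
        past = sum(1 for f in findings if days_open(f, as_of) > limit)
        metrics[f"pct_past_{limit}d"] = round(100 * past / total, 1)
    fixed = [days_open(f, as_of) for f in findings if f.remediated is not None]
    metrics["mttr_days"] = round(mean(fixed), 1) if fixed else float("nan")
    return metrics


def noncompliant_systems_by_department(findings: List[Finding]) -> Dict[str, int]:
    """Hosts with at least one open finding, counted per department (zeros included)."""
    open_hosts = {(f.department, f.host) for f in findings if f.remediated is None}
    counts = Counter(dept for dept, _host in open_hosts)
    return {dept: counts.get(dept, 0) for dept in sorted({f.department for f in findings})}


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               annual_rate_of_occurrence: float) -> float:
    """ALE = asset value x % of potential damage x estimated yearly frequency of compromise."""
    return asset_value * exposure_factor * annual_rate_of_occurrence


def control_net_value(control_cost: float, ale_before: float, ale_after: float) -> float:
    """Loss avoided by the control minus what the control costs."""
    return (ale_before - ale_after) - control_cost


# Constructed sample findings; dates are chosen to land in every aging bucket.
SAMPLE_FINDINGS = [
    Finding("web01", "IT", "critical", date(2024, 5, 1), date(2024, 5, 15)),
    Finding("web02", "IT", "high", date(2024, 3, 1), date(2024, 5, 20)),
    Finding("db01", "Finance", "critical", date(2023, 12, 1), None),
    Finding("hr01", "HR", "medium", date(2024, 6, 10), None),
    Finding("fin02", "Finance", "high", date(2024, 2, 1), date(2024, 5, 15)),
    Finding("web03", "IT", "high", date(2024, 6, 5), date(2024, 6, 25)),
]
REPORT_DATE = date(2024, 6, 30)  # assumed reporting date

if __name__ == "__main__":
    print(remediation_metrics(SAMPLE_FINDINGS, REPORT_DATE))
    print(noncompliant_systems_by_department(SAMPLE_FINDINGS))
    # Assumed figures: a $1M asset, 25% damage per compromise, one compromise every two years.
    print(annualized_loss_expectancy(1_000_000, 0.25, 0.5))
    # The article's own example: a $60,000 product cutting exposure from $400,000 to $200,000.
    print(control_net_value(60_000, 400_000, 200_000))
```

Two design points worth noting. Open findings are counted against the 60/90/180-day buckets using the reporting date, otherwise a finding that is never fixed would never appear in the aging metric. And the noncompliance count is per host, not per finding, so a single badly patched server with twenty findings does not inflate a department's figure twentyfold.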
5. Determine Acceptable Risk
Every organization needs to establish how much risk its stakeholders--management, investors, the board, customers--are willing to accept. It's the key to creating corporate security policies and balancing functionality, security requirements and available funding. Your valuation of assets is critical in determining your tolerance for impaired performance or downtime, prioritizing your efforts or setting guidelines for remediation.
Risk level is usually represented and communicated in an abstract manner and needs to be quantified.
The quantified values are baselines (minimum level of required security) and the deviation from these baselines. The CISO usually establishes the baselines, and the risk and vulnerability management teams are responsible for maintaining them.
For example, a baseline might require that the cost of recovery from incidents be reduced by 10 percent every six months. In this case, the metric is the average cost of recovery from incidents, measured every six months. Or, you might establish a baseline for regulatory compliance that says penalties due to noncompliance should occur less than once every three years; the metric is the number of penalties per three years.