phew... such an important topic and no replies?
Thomas, I would consider the cipher strength of the gateways and the
encryption algorithms being used at the Gateways as a measure amongst others
to rate the security.
Technical metrics should always override the business metrics. If your site
gets compromised, your boss is going to fire you. You can't tell him that
"it was the business rules". He would say (rather, if I were the CEO, I would
say) "damn, I hired you as my Security advisor, it was your job to emphasize
security over business rules".
You have to narrow the scope of your work - IDS, Anti-Virus
-----Original Message-----
From: Frazier, Thomas [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 10, 2001 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: What do you use for security metrics
Hello,
I am sending this question out to this list to see what others are doing in
this space. (Adjust for your scenario accordingly) You have an IDS setup,
firewalls galore, enterprise anti-virus, regular vulnerability assessments,
whatever.... You have a lot of information out there that you can use for
metrics to determine the state of security at <insert your company here>.
o What are the key elements you report on?
o Do you break out the business metrics from technical metrics?
o Have you written tools to automate the metric gathering process or is it
manual?
o Do you have a regular (weekly, monthly, quarterly) report driven by
metrics?
o Are the metrics compared against a Level of Service agreement you have to
support?
Thanks,
Thomas Frazier
Systems Specialist
Corporate Information Security
------------------------------
[EMAIL PROTECTED]
------------------------------