Re: Is there any way to measure IT Security??

From: Alberto Cardona II (
Date: 08/03/05

  • Next message: "Re: Re: x.25 / x.28 pentesting"
    Date: Wed, 03 Aug 2005 11:34:56 -0400


    I have worked for major fortune 100 and 500 companies. Some of these
    companies use a product called Enterprise Security Management and is made by
    Archer ( It is highly customizable and you are able to
    setup different metrics to monitor. It ties in and correlates the different
    facets of an InfoSec program:

    - Threat Management
    - Incident Management
    - Asset Management
    - Risk Management
    - Policy Management

    You can set up different gauges, metrics and report on your company security
    Below are the different modules:

    Incident Management:
    Report incidents, manage their escalation, track investigations and analyze
    Key features:
    - Based on the CERT Security Incident Response Handbook
    - Easily open, prioritize and track security incidents with built-in
    - Perform impact analyses of incidents on critical assets and business
    - Manage incident escalation, investigations and forensic activities.
    - Track remediation efforts and document incident postmortem.
    - Manage response team contact information, processes and procedures.

    Threat Management:
    Track threats through a comprehensive early warning system to help prevent
    system compromise.
    Key features:
    - Receive real-time intelligence feeds from iDEFENSE, Symantec or TruSecure.
    - Filter alert notifications based on your environment.
    - Prioritize remediation plans and corrective actions.
    - Utilize a CVE-compliant threat and vulnerability database.
    - Integrate with your existing vulnerability scanning tools.
    - Search for data using a powerful reporting engine with built-in and custom

    Asset Management:
    Manage enterprise assets and their relationships to secure them according to
    management expectations.
    Key features:
    - Build the asset database
    - Define groups of assets and assign individual responsibilities.
    - Tie policies, baselines and procedures to specific assets
    - Filter real-time alerts based on the assets under your control
    - Manage the activities required to secure those assets.
    - Document business criticality for an asset in terms of confidentiality,
    integrity and availability.
    - Link critical assets to the business processes they support.
    - Fully integrate with Archer Policy, Threat, Risk and Incident Management
    - Import data from third-party discovery, scanning and asset management
    - Track vulnerabilities, remediation efforts and configuration changes.
    - Tie in to Change Managment System
    - Filter real-time alerts and other security content.
                    - Utilize advanced reporting and analysis tools.

    Risk Management:
    Perform online risk assessments to determine the proper controls to
    implement based on use and risk.
    Key features:
    - Utilize integrated risk management methodology based on industry
    - Generate Online risk assessment questionnaires
    - Generate Asset risk scorecards and actionable plans for managing your
    enterprise information risk.
    - Automate the risk assessment process.
    - Employ predefined and customizable assessment templates.
    - Build online risk assessment questionnaires.
    - Create risk scorecards and profiles.
    - Search for data using advanced management reporting tools.

    Policy Management:
    Create policies, distribute them online, educate and train employees and
    track compliance.
    Key features:
    - Creation and Administration:
         Link policies to the industry, regulatory or corporate standards they
         Attach relevant files to policies (procedures, flowcharts, examples,
    images, etc.).
         Utilize content workflow features for version control and management
    - Communication and Distribution
         Display policies to users in an easy-to-understand tree format.
         Filter and view policies by job function.
         Alert users of changes to existing policies or new policies via email.
         Allow users to perform keyword searches to quickly find specific
    information among policies.
         Enable users to export policy content directly into Word, Excel, HTML,
    CSV or XML formats.
         Set up, maintain and moderate discussion forums for specific users and
    - Tracking and Reporting
         Receive online acknowledgement that users have read and accepted
    specific policies.
         Monitor and report on user access to specific policies.
         Track exceptions that have been granted for specific policies and the
    dates exceptions will expire.
         Allow users to report policy violations.
         Track policy violations by date of occurrence and date of remediation
    for compliance.
         Utilize the full policy compliance reporting capability.
    - Policy Library
         Access a library of policies and standards that have been developed by
    leading information security subject matter experts for managing
    compliance with industry regulations and industry-specific legislation.
    - All standards in the Policy Library have been mapped to the following
    leading industry standards:
      ISO/IEC 17799 (Code of Practice for Information Security Management)
      Information Security Forum (The Forum’s Standard of Good Practice)
      FFIEC Security Handbook
      Health Insurance Portability Accountability Act (HIPAA) Final Ruling
      European Union Directive on Data Protection
      Basel II
      Monetary Authority of Singapore’s “Technology Risk Management Guidelines

    Kind regards,

    Alberto Cardona II, CCSE, MCP, CNA
    VP of Information Security - Professional Services

    >From: "Larry Marin (Irony Account)" <>
    >To: Toto A Atmojo <>
    >Subject: Re: Is there any way to measure IT Security??
    >Date: Thu, 28 Jul 2005 12:29:57 -0400
    >You should check out NSA IAM/IEM works well for me.
    >Toto A Atmojo wrote:
    >>Dear all,
    >>Currently I’m looking for a tool, or a technique to measure IT security?
    >>The baseline for security is CIA (Confidentiality, Integrity and
    >>Availability), that is every organization which want to called secure must
    >>be guarantee that their system comply this matter.
    >>But the problem is, we need a tool/technique to measure how secure are we.
    >>Therefore, wee need a tool/technique to measure how close that our system
    >>status now to CIA.
    >>Please share your experience about this matter.
    >>If there any link about this issue, I really appreciate if you share to us
    >>(You may contact me privately) .
    >>Best Regs,

    FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

    Learn the hacker's secrets that compromise wireless LANs. Secure your
    WLAN by understanding these threats, available hacking tools and proven
    countermeasures. Defend your WLAN against man-in-the-Middle attacks and
    session hijacking, denial-of-service, rogue access points, identity
    thefts and MAC spoofing. Request your complimentary white paper at:

  • Next message: "Re: Re: x.25 / x.28 pentesting"

    Relevant Pages

    • RE: Risk Assessment Basics
      ... Start inventorying your software and data assets. ... Management process/procedure and a policy that states that Change ... Define roles and responsibilities for the network and security ... Subject: Risk Assessment Basics ...
    • Re: Is there any way to measure IT Security??
      ... companies use a product called Enterprise Security Management and is made by ... You can set up different gauges, metrics and report on your company security ... Manage enterprise assets and their relationships to secure them according to ... Fully integrate with Archer Policy, Threat, Risk and Incident Management ...
      ... management say "that's nice", and move on. ... education, certification, experience, know-how, abilities, and ... Many 'security jobs' are nothing shy than that of an overly glorified ... Download FREE whitepaper on how a managed service ...
    • FW: Small ISP/ASP security concerns
      ... Learnig about "Risk Management" you wil be able to convense them what could ... > From business point of view, risk isn't bad and isn't good. ... > how security issues affect their business. ...
    • Re: Open issues in intrusion management research?
      ... prioritization, risk ranking, and relevance calculation. ... introduced into this risk management framework will greatly impact the ... IDSs, but more in combining IDSs with other IDSs or security technologies ...