RE: What do you use for security metrics

From: Pradeep Kumar (pradeep.pillai@nexsi.com)
Date: 09/25/01


From: "Pradeep Kumar" <pradeep.pillai@nexsi.com>
To: "Frazier, Thomas" <Thomas.Frazier@usa.xerox.com>, <security-basics@securityfocus.com>
Subject: RE: What do you use for security metrics
Date: Tue, 25 Sep 2001 08:38:12 -0700
Message-ID: <DKEKKECKLBAOKPGCOCAHAEEFCDAA.pradeep.pillai@nexsi.com>

Phew... such an important topic and no replies?
Thomas, I would consider the cipher strength of the gateways and the
encryption algorithms being used at the gateways as a measure, amongst others,
to rate the security.

Technical metrics should always override the business metrics. If your site
gets compromised, your boss is going to fire you. You can't tell him that
"it was the business rules". He would say (rather, if I were the CEO, I would
say) "Damn, I hired you as my security advisor; it was your job to emphasize
security over business rules".

You have to narrow the scope of your work - IDS, anti-virus.

-----Original Message-----
From: Frazier, Thomas [mailto:Thomas.Frazier@usa.xerox.com]
Sent: Monday, September 10, 2001 1:45 PM
To: 'security-basics@securityfocus.com'
Subject: What do you use for security metrics

Hello,

I am sending this question out to this list to see what others are doing in
this space. (Adjust for your scenario accordingly.) You have an IDS setup,
firewalls galore, enterprise anti-virus, regular vulnerability assessments,
whatever.... You have a lot of information out there that you can use for
metrics to determine the state of security at <insert your company here>.

o What are the key elements you report on?
o Do you break out the business metrics from technical metrics?
o Have you written tools to automate the metric gathering process or is it
manual?
o Do you have a regular (weekly, monthly, quarterly) report driven by
metrics?
o Are the metrics compared against a Level of Service agreement you have to
support?

Thanks,

Thomas Frazier
Systems Specialist
Corporate Information Security
------------------------------
 Thomas.Frazier@usa.xerox.com
------------------------------
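The two points raised in this thread, Pradeep's suggestion of gateway cipher strength as one metric and Thomas's question about automating metric gathering for a periodic report, can be put together in a small script. The following is an added example written for this page; it is not code from either poster. The gateway inventory, vulnerability findings and anti-virus signature records are constructed, and the cipher-suite table, the 128-bit gateway threshold, the 30-day critical-finding SLA and the 7-day signature age are assumptions chosen to illustrate how raw operational data rolls up into a few reportable numbers. A gateway is scored by the weakest suite it will still negotiate, since that is what a downgrade leaves you with.

```python
"""Automated security-metric gathering over constructed sample data.

Added example for the thread above; not code from either poster.
The inventory, findings and AV records below are constructed, and the
cipher-suite table and thresholds are assumptions chosen for illustration.
"""
from datetime import date
from statistics import mean

# Cipher-suite scoring (assumption: a small lookup table is enough here).
# Algorithms that are weak regardless of key length are rejected outright;
# otherwise the symmetric key length is the strength. Order matters:
# "3DES_EDE" must be tested before "DES_CBC".
WEAK_TOKENS = ("RC4", "EXPORT", "NULL", "MD5")
KEY_BITS = {"AES_256": 256, "AES_128": 128, "3DES_EDE": 112, "DES_CBC": 56}
MIN_GATEWAY_BITS = 128      # policy threshold (assumption)
CRITICAL_SLA_DAYS = 30      # remediation SLA for criticals (assumption)
AV_SIGNATURE_MAX_AGE = 7    # days before a signature set counts as stale (assumption)


def cipher_strength(suite: str) -> int:
    """Effective strength in bits of a TLS cipher-suite name; 0 if weak or unknown."""
    if any(tok in suite for tok in WEAK_TOKENS):
        return 0
    for algo, bits in KEY_BITS.items():
        if algo in suite:
            return bits
    return 0


def gateway_strength(enabled_suites) -> int:
    """A gateway is only as strong as the weakest suite it will negotiate."""
    return min((cipher_strength(s) for s in enabled_suites), default=0)


# --- constructed sample data, as of the report date -------------------------
AS_OF = date(2001, 9, 25)

GATEWAYS = {
    "gw-dmz-1": ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "gw-vpn-1": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"],
    "gw-legacy": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                  "TLS_RSA_WITH_DES_CBC_SHA"],
}

# (host, severity, opened, closed-or-None), as a vulnerability scanner might export them
FINDINGS = [
    ("web-1", "critical", date(2001, 8, 1), None),
    ("web-2", "critical", date(2001, 9, 10), None),
    ("db-1", "high", date(2001, 7, 15), date(2001, 8, 14)),
    ("db-1", "critical", date(2001, 9, 1), date(2001, 9, 11)),
    ("mail-1", "medium", date(2001, 9, 20), None),
]

# host -> date of the anti-virus signature set it is running
AV_SIGNATURES = {
    "web-1": date(2001, 9, 24), "web-2": date(2001, 9, 10),
    "db-1": date(2001, 9, 20), "mail-1": date(2001, 9, 25),
}


def compute_metrics(gateways=GATEWAYS, findings=FINDINGS, av=AV_SIGNATURES, as_of=AS_OF) -> dict:
    """Roll raw records up into the handful of numbers a periodic report would carry."""
    strengths = {name: gateway_strength(suites) for name, suites in gateways.items()}
    strong = [n for n, bits in strengths.items() if bits >= MIN_GATEWAY_BITS]

    open_crit = [f for f in findings if f[1] == "critical" and f[3] is None]
    over_sla = [f for f in open_crit if (as_of - f[2]).days > CRITICAL_SLA_DAYS]
    closed = [(f[3] - f[2]).days for f in findings if f[3] is not None]

    current = [h for h, d in av.items() if (as_of - d).days <= AV_SIGNATURE_MAX_AGE]

    return {
        "gateways_meeting_cipher_policy_pct": round(100 * len(strong) / len(gateways), 1),
        "weakest_gateway": min(strengths, key=strengths.get),
        "open_critical_findings": len(open_crit),
        "open_criticals_over_sla": len(over_sla),
        "mean_days_to_remediate": round(mean(closed), 1) if closed else None,
        "hosts_with_current_av_pct": round(100 * len(current) / len(av), 1),
    }


def report_lines(metrics: dict) -> list:
    """Plain-text lines for a weekly or monthly report."""
    return [f"{key}: {value}" for key, value in metrics.items()]


if __name__ == "__main__":
    print("\n".join(report_lines(compute_metrics())))
```

Each metric is a ratio or a count against an explicit threshold, so the same script run every week against fresh exports gives a trend rather than a snapshot, and the thresholds are the place where a Level of Service agreement would plug in.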
