We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

New business benchmarks measure IT security

Group supplies free download to enterprises

The Center for Information Security (CIS) is set to release guidelines for how businesses can measure the state of their organisation's security and launch a service for companies to compare their performance with their peers.

The latest CIS project is aimed at resolving the confusion and lack of uniformity in ways to measure whether an enterprise or organisation's IT security is improving or not, said Bert Miuccio, CIS's CEO.

"The problem that we've come to recognise is that information security professionals really are growing more confused on how to define success," Miuccio said. "They know that compliance with regulatory requirements and audit frameworks do not necessarily result in improved security and are not the best measures of success."

CIS is a nonprofit organisation funded by enterprises and other organisations with an interest in security. Since it was formed in 2000, it has created 40 benchmarks for default security configurations for software ranging from operating systems to middleware to network devices. The benchmarks, which are a free download on the CIS website, are intended to help organisations reduce IT security risks.

Every security professional has different definitions for how to evaluate security measures, Miuccio said. CIS has assembled 85 information security experts to agree upon methods to measure eight different metrics. The metrics should be released in late October or early November, Miuccio said.

Two are 'outcome' metrics: the mean time between security incidents and the mean time to recover from security incidents. The remaining six are related to process: the percentage of systems configured to approved standards; the percentage of systems patched to policy; percentage of systems with antivirus technology; percentage of business applications that has a risk assessment; percentage of business applications that has a penetration or vulnerability assessment; and percentage of application code that has a security assessment or code review before deployment.

Along with the metrics, CIS plans to launch around the same time a software-based service for companies to compare how they are doing, in terms of security, against other anonymous companies in their market vertical. This type of comparison is already commonly used for financial results and other aspects of business performance such as customer service.

"That's not done in information security today," Miuccio said. "We believe that this service will begin to enable that."


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

Chromebooks: ready for the prime time (but not for everybody)

IDG UK Sites

Hands-on with Sony's latest smartglasses

IDG UK Sites

Apple TV expert tips: get US Apple TV content, watch Google Play, use multiple Apple IDs and more