CIS offers consensus-based security benchmarks
- By Trudy Walsh
- Sep 10, 2008
The Center for Internet Security will release a set of information technology security metrics
that were defined through a collaborative effort by more than 80 security professionals from government, academia and industry.
CIS has developed 40 configuration benchmarks for operating systems, middleware and software applications, and it distributes them for free. The benchmarks are downloaded about 1 million times each year and have become so widely used that they are recognized as de facto standards, said Bert Miuccio, CIS' president and chief executive officer.
'Government and industry spend lots of time and money to improve cybersecurity, but often the focus is more on compliance with best practices rather than outcomes,' Miuccio said. The emphasis on federal mandates such as the Federal Information Security Management Act has 'had the unintended consequence of shifting the focus from improved security to compliance,' he added.
CIS is working with the group of IT security professionals to reach an agreement on which indicators of enterprise information security are most important and how to measure them.
'If you ask 100 security professionals how they measure the mean time between security incidents, you'll get 100 different answers,' Miuccio said. 'They're all measuring it differently and defining it differently.'
The group came up with an initial list of eight outcome and process metrics, which Miuccio described as a starter set:
- Mean time between security incidents.
- Mean time to recover from security incidents.
- Percentage of systems configured to approved standards.
- Percentage of systems patched according to policy.
- Percentage of systems with antivirus software.
- Percentage of business applications that underwent a risk assessment.
- Percentage of business applications that underwent a penetration or vulnerability assessment.
- Percentage of application code that underwent a security assessment, threat model analysis or code review before production deployment.
Once implemented, the CIS security configuration benchmarks will block 95 percent of known vulnerabilities, Miuccio said.
Formed in 2000, CIS is composed of 150 member organizations, including federal agencies such as the Energy and Interior departments, the Library of Congress, the Federal Reserve, NASA, the Census Bureau, the National Institutes of Health, and the National Institute of Standards and Technology.
Trudy Walsh is a senior writer for GCN.