Security Metric Dashboard

By rcrapo

I am working with a healthcare provider developing security metrics for a quarterly dashboard presentation. We have narrowed the field of possible metrics down to fewer than twenty:
- Total number of malware stopped at the e-mail gateway
- Total number of devices with antivirus software installed and current
- Percentage of all devices with all appropriate patches installed
- Total number of messages dropped as spam
- Percentage of all e-mail that is dropped as spam
- Total number of times a message was secured by user request
- Total number of times a message was secured by policy validation
- Percentage of total e-mail secured
- Number of accounts with manufacturers' default passwords still in use
- Percentage of Tier 1, 2 & 3 (Core 1, 2 & 3) logon environments that meet password complexity requirements
- Number of accounts with passwords that do not expire
- Number of potentially dangerous open ports on workstations
- Total number of improper shares per endpoint device
- Percentage/number of systems with non-compliant screen saver settings
- Number of systems with non-compliant inactive logoff settings
- Vulnerability scan of inside DMZ: Low, Med, High
- Vulnerability scan of outside DMZ: Low, Med, High
- High-risk network traffic
- Total unauthorized wireless routers detected

We are interested in any standards for these metrics, examples of Healthcare metrics used at other organizations. Suggestions?
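As an added illustration (not part of the original post), the following Python script shows how several of the listed metrics can be derived from raw inventory data rather than hand-counted. The device records, account records, scan findings and the seven-day "current signatures" threshold are all constructed assumptions; the point is that each dashboard number is a reproducible function of the source data, with the severity breakdown always reporting all three levels and percentages guarded against an empty population.

```python
"""Derive dashboard metrics from a constructed asset inventory.

Added example, not code from the original thread. All hosts, accounts,
findings and thresholds below are made-up assumptions.
"""
from datetime import date

# Assumed reporting date for the signature-age check.
TODAY = date(2024, 1, 15)

# Assumption: antivirus signatures older than a week count as "not current".
AV_MAX_SIG_AGE_DAYS = 7

SEVERITIES = ("Low", "Med", "High")

# Constructed device inventory (one record per endpoint/server).
DEVICES = [
    {"host": "ws-01", "av_installed": True, "av_sig_date": date(2024, 1, 14),
     "missing_patches": 0, "screensaver_ok": True, "inactive_logoff_ok": True},
    {"host": "ws-02", "av_installed": True, "av_sig_date": date(2023, 12, 20),
     "missing_patches": 3, "screensaver_ok": False, "inactive_logoff_ok": True},
    {"host": "ws-03", "av_installed": False, "av_sig_date": None,
     "missing_patches": 0, "screensaver_ok": True, "inactive_logoff_ok": False},
    {"host": "srv-01", "av_installed": True, "av_sig_date": date(2024, 1, 15),
     "missing_patches": 1, "screensaver_ok": True, "inactive_logoff_ok": True},
]

# Constructed account export.
ACCOUNTS = [
    {"name": "admin", "default_password": True, "password_expires": False},
    {"name": "jdoe", "default_password": False, "password_expires": True},
    {"name": "svc_backup", "default_password": False, "password_expires": False},
    {"name": "printer", "default_password": True, "password_expires": False},
]

# Constructed vulnerability scan findings as (zone, severity) pairs.
SCAN_FINDINGS = [
    ("inside_dmz", "High"), ("inside_dmz", "Med"),
    ("inside_dmz", "Low"), ("inside_dmz", "Low"),
    ("outside_dmz", "High"), ("outside_dmz", "High"), ("outside_dmz", "Med"),
]


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when the population is empty."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def av_current(device):
    """Installed AND signatures no older than the assumed threshold."""
    if not device["av_installed"] or device["av_sig_date"] is None:
        return False
    return (TODAY - device["av_sig_date"]).days <= AV_MAX_SIG_AGE_DAYS


def device_metrics(devices):
    total = len(devices)
    return {
        "devices_av_current": sum(av_current(d) for d in devices),
        "pct_fully_patched": pct(sum(d["missing_patches"] == 0 for d in devices), total),
        "pct_screensaver_noncompliant": pct(sum(not d["screensaver_ok"] for d in devices), total),
        "systems_inactive_logoff_noncompliant": sum(not d["inactive_logoff_ok"] for d in devices),
    }


def account_metrics(accounts):
    return {
        "accounts_default_password": sum(a["default_password"] for a in accounts),
        "accounts_password_never_expires": sum(not a["password_expires"] for a in accounts),
    }


def scan_metrics(findings):
    """Low/Med/High counts per zone; every zone reports all three severities."""
    per_zone = {}
    for zone, severity in findings:
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r} for zone {zone}")
        per_zone.setdefault(zone, dict.fromkeys(SEVERITIES, 0))[severity] += 1
    return per_zone


def dashboard(devices, accounts, findings):
    """Assemble the quarterly numbers from the three data sources."""
    metrics = {}
    metrics.update(device_metrics(devices))
    metrics.update(account_metrics(accounts))
    metrics["vuln_scan"] = scan_metrics(findings)
    return metrics


if __name__ == "__main__":
    for name, value in dashboard(DEVICES, ACCOUNTS, SCAN_FINDINGS).items():
        print(f"{name}: {value}")
```

Keeping the threshold and the reporting date as explicit constants makes the quarter-over-quarter comparison honest: if the definition of "current" changes, the change is visible in the script rather than buried in a spreadsheet.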

This conversation is currently closed to new comments.

2 total posts (Page 1 of 1)
keep some, but not all

By txiso, in reply to Security Metric Dashboard

I'd drop these from the list:

- Total number of malware stopped at the e-mail gateway
- Total number of messages dropped as spam
- Percentage of all e-mail that is dropped as spam

These just show how busy the spammers and hackers are (or possibly how good your antivirus product is) -- that doesn't say anything about your performance. Oh, you could toss out one number during a presentation -- like, "We routinely block 30,000 spam messages a day" -- but there's no point in tracking it on an ongoing basis.

- Total number of devices with antivirus software installed and current
- Percentage of all devices with all appropriate patches installed
- Number of accounts with manufacturers default passwords still being used
- Number of accounts with passwords that do not expire
- Number of potentially dangerous open ports on workstations.
- Total Number of improper shares per end point devices
- Percentage/Number of systems with non-compliant screen saver settings
- Number of systems with non-compliant inactive logoff settings

These can be useful if they're depicting how well users are complying with written policies (assuming they have control over their machines). Otherwise, it's a measure of how good you are at patching and applying group policies -- or how good you are at persuading the sysadmins to get the work done. In some cases, it's just a measure of unaddressable risk if the underlying OS doesn't let you make those changes.

- Total number of times message was secured by user request
- Total number of times message was secured by potential policy validation
- Percentage of total e-mail secured

This is a little more interesting, and shows how aware and compliant your users are with your email policies. (Then again, it might just show how many users are sending private mail to their boyfriends/girlfriends and securing it!)

- Percentage of Tier 1, 2 & 3 (Core 1, 2 & 3) logon environments that do meet password complexity requirements

Again, this might be a reflection of user compliance, or it might just be unaddressable risk.

- Vulnerability Scan of Inside DMZ, Low, Med, High
- Scan of Outside DMZ Vulnerability, Low, Med, High

These are okay, but they go back to measuring how good you are at patching. It's something all auditors want you to do these days, though, so you gotta do it.

- Total Unauthorized wireless routers detected

This will be a measure of compliance and your ability to detect lack of same. Makes for good bragging rights IF you actually detect some.

- High Risk Network Traffic

Now, this one is very interesting. If you can tie it closely enough to the business processes, it can indicate how well you're able to interpret and manage business risk at the IT level in a meaningful way.

Here's a useful paper on metrics:
http://www.csoonline.com/read/070105/metrics.html

Hope this helps.

Great Response, Thoughtful

By rcrapo, in reply to keep some, but not all

Thanks for taking the time to respond in such detail; I really appreciate the comments and suggestions. Yes, I agree, some metrics are for quarterly executive info only and not always relevant to current threats. I will look at the link you sent me now.
