Security Metric Dashboard - TechRepublic
General discussion
February 20, 2006 at 05:30 AM
rcrapo


I am working with a healthcare provider developing security metrics for a quarterly dashboard presentation. We have narrowed the field of possible metrics down to fewer than twenty:
Total number of malware stopped at the e-mail gateway
Total number of devices with antivirus software installed and current
Percentage of all devices with all appropriate patches installed
Total number of messages dropped as spam
Percentage of all e-mail that is dropped as spam
Total number of times message was secured by user request
Total number of times message was secured by potential policy validation
Percentage of total e-mail secured
Number of accounts with manufacturers' default passwords still being used
Percentage of Tier 1, 2 & 3 (Core 1, 2 & 3) logon environments that do meet password complexity requirements
Number of accounts with passwords that do not expire
Number of potentially dangerous open ports on workstations
Total number of improper shares per endpoint device
Percentage/Number of systems with non-compliant screen saver settings
Number of systems with non-compliant inactive logoff settings
Vulnerability Scan of Inside DMZ, Low, Med, High
Scan of Outside DMZ Vulnerability, Low, Med, High
High Risk Network Traffic
Total Unauthorized wireless routers detected

We are interested in any standards for these metrics and in examples of healthcare metrics used at other organizations. Suggestions?
