Federal Plan for Cyber Security and Information Assurance R&D Jul 21 2006 03:56PM
Earl Crane (earlcrane gmail com) (1 replies)
RE: Federal Plan for Cyber Security and Information Assurance R&D Jul 22 2006 02:35PM
Mark Curphey (mark curphey com) (1 replies)
Securitymetrics.org is an excellent resource. Andy Jaquith (an analyst who
runs the site as a hobby) has just finished a book on the topic. Well worth
looking out for it.

-----Original Message-----
From: Earl Crane [mailto:earlcrane (at) gmail (dot) com [email concealed]]
Sent: Friday, July 21, 2006 11:56 AM
To: psrc (at) securityfocus (dot) com [email concealed]
Subject: Federal Plan for Cyber Security and Information Assurance R&D

I thought you may be interested in the Federal Plan for Cyber Security and
Information Assurance R&D, if you have not already read it. It provides a
good high-level roadmap for information security in the near-term.

You can view the entire plan here:
http://www.nitrd.gov/pubs/csia/csia_federal_plan.pdf

Most interesting for this group is the focus on Metrics as one of the 10
findings and recommendations. I've seen a number of surveys, both free and
pay-to-play, but have yet to come across a definitive source for gathering
information security metrics. What are some of the group's favorites?

8. Develop and apply new metrics to assess cyber security and information
assurance. As part of roadmapping, Federal agencies should develop and
implement a multi-agency plan to support the R&D for a new generation of
methods and technologies for cost-effectively measuring IT component,
network, and system security. These methods should evolve with time.

8. Develop and apply new metrics to assess cyber security and information
assurance
Finding: It is widely acknowledged in the IT industry and the national
research community that a major research challenge is posed by the lack of
effective methods, technologies, and tools to assess and evaluate the level
of component, system, and network security. The baseline analysis of Federal
investments found that, while the technical topic of software testing and
assessment tools is both funded and ranked as a top R&D priority, the topic
of metrics is not in either the top funding or top priority rankings.

Recommendation: As part of roadmapping, Federal agencies should develop and
implement a multi-agency plan to support the R&D for a new generation of
methods and technologies for cost-effectively measuring IT component, system,
and network security. As more exacting cyber
security and information assurance metrics, assessment tools, and best
practices are developed through R&D, these should be adopted by agencies and
applied in evaluating the security of Federal systems, and should evolve
with time.

--
Earl Crane, MISM, CISM, CISSP, MCSE

RE: Federal Plan for Cyber Security and Information Assurance R&D Jul 22 2006 03:05PM
Smith, Michael J. (Michael J Smith unisys com) (2 replies)
RE: Federal Plan for Cyber Security and Information Assurance R&D Jul 23 2006 06:28PM
Mark Curphey (mark curphey com)