CIS looks to community for security metrics
Published: 2008-09-09

The Center for Internet Security (CIS) announced on Monday that the group would work with a community of security professionals to create a set of eight metrics to help companies measure their progress in locking down their networks.

The project -- which distills the recommendations of 85 security experts from government, industry and academia -- aims to give companies a single set of data points to track their organization's security over time and to collect information in a consistent manner, said Bert Miuccio, CEO of the Center for Internet Security. While the group plans to offer a service to companies that will help them track and correlate the data, the actual metrics information will be provided for free.

"The benefit to companies is that they will be able to track their enterprise performance," Miuccio said. "They will be able to look at their trends over time and use that service for making rational decisions. They will be able to correlate the processes and practices they deploy with the outcomes they produce."

The group of security experts selected eight data points on which to focus. To measure a company's ability to deal with security incidents, the group suggested that companies measure the mean time between security incidents and the mean time to recover from security incidents. As an indicator of a company's network security readiness, companies should measure the fraction of systems configured to approved standards, the fraction of systems patched as per corporate policy, and the fraction of systems with antivirus software, CIS stated. Finally, companies should review their software applications for potential security issues by measuring the fraction of business applications that have had a risk assessment, the fraction with a penetration or vulnerability assessment and the fraction of application code that had a threat-model analysis or security code review prior to deployment.
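The article names the eight data points but, as it notes later, the exact definition of each was still being worked out. The following is an added example, not code from CIS or from the article, showing how an organization might compute all eight from its own records. It assumes incident records carrying a detection and a recovery timestamp (the "between incidents" interval is taken between consecutive detection times, and "recover" is the detection-to-recovery interval), a per-system inventory with three boolean attributes, and a per-application register with three boolean attributes; all sample data below is constructed.

```python
from datetime import datetime
from statistics import mean
from typing import Optional

# Constructed sample data (assumption: these shapes are not CIS definitions).
INCIDENTS = [
    {"id": "INC-1", "detected": "2008-01-03T09:00", "recovered": "2008-01-03T15:00"},
    {"id": "INC-2", "detected": "2008-02-14T22:30", "recovered": "2008-02-16T10:30"},
    {"id": "INC-3", "detected": "2008-04-01T08:00", "recovered": "2008-04-01T20:00"},
]
SYSTEMS = [
    {"host": "web01", "config_ok": True,  "patched": True,  "antivirus": True},
    {"host": "web02", "config_ok": False, "patched": False, "antivirus": True},
    {"host": "db01",  "config_ok": True,  "patched": False, "antivirus": False},
    {"host": "app01", "config_ok": True,  "patched": True,  "antivirus": True},
]
APPLICATIONS = [
    {"name": "billing",   "risk_assessed": True,  "pentested": True,  "threat_modeled": True},
    {"name": "portal",    "risk_assessed": True,  "pentested": False, "threat_modeled": False},
    {"name": "reporting", "risk_assessed": False, "pentested": False, "threat_modeled": True},
    {"name": "intranet",  "risk_assessed": True,  "pentested": False, "threat_modeled": False},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def mean_time_between_incidents_hours(incidents) -> Optional[float]:
    """Mean gap, in hours, between consecutive incident detection times.

    Undefined (None) with fewer than two incidents: a single incident gives
    no interval, and reporting 0 or infinity here would mislead trend charts.
    """
    starts = sorted(_ts(i["detected"]) for i in incidents)
    if len(starts) < 2:
        return None
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(starts, starts[1:])]
    return mean(gaps)


def mean_time_to_recover_hours(incidents) -> Optional[float]:
    """Mean detection-to-recovery interval in hours; open incidents are skipped."""
    durations = [
        (_ts(i["recovered"]) - _ts(i["detected"])).total_seconds() / 3600
        for i in incidents
        if i.get("recovered")
    ]
    return mean(durations) if durations else None


def fraction(items, key: str) -> Optional[float]:
    """Share of records whose boolean attribute `key` is true; None for an empty set."""
    if not items:
        return None
    return sum(1 for item in items if item.get(key)) / len(items)


def cis_metrics(incidents, systems, applications) -> dict:
    """Compute the eight metrics the article lists, grouped as the article groups them."""
    return {
        # Incident handling
        "mean_time_between_incidents_h": mean_time_between_incidents_hours(incidents),
        "mean_time_to_recover_h": mean_time_to_recover_hours(incidents),
        # Network readiness
        "systems_configured_to_standard": fraction(systems, "config_ok"),
        "systems_patched_per_policy": fraction(systems, "patched"),
        "systems_with_antivirus": fraction(systems, "antivirus"),
        # Application security
        "apps_risk_assessed": fraction(applications, "risk_assessed"),
        "apps_pentested_or_vuln_assessed": fraction(applications, "pentested"),
        "apps_threat_modeled_or_code_reviewed": fraction(applications, "threat_modeled"),
    }


if __name__ == "__main__":
    for name, value in cis_metrics(INCIDENTS, SYSTEMS, APPLICATIONS).items():
        print(f"{name}: {value}")
```

Running the same function each reporting period over the current records gives the time series the article describes; the None results on empty or single-incident inputs are deliberate so that a period with no data is not plotted as a perfect (or catastrophic) score.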

"These metrics are not about compliance," Miuccio said. "The focus on metrics in compliance and standards has led to a lack of focus on outcomes."

While the group has settled on the eight basic metrics, it continues to work on the exact definition of each, Miuccio said. The organization will also continue to develop its security-configuration benchmarks, which it likewise produces by consensus.

If you have tips or insights on this topic, please contact SecurityFocus.



Posted by: Robert Lemos
Copyright 2009, SecurityFocus