‘Security Metrics’ and risk-assessment guides out this week

For security professionals, two free risk-management guides out this week provide directions on how to establish corporate security metrics, as well as tips on organizing a risk assessment and presenting its findings.

The Center for Internet Security’s “Security Metrics 1.0” is a pithy compilation of 20 “metrics definitions” covering six areas: incident management; vulnerability management; patch management; application security; configuration management; and financial metrics. The 83-page paper shoots for a mathematical approach that lets an organization build a scorecard for each category to assess and chart progress—or decline—in each of the six security-management areas.

via ‘Security Metrics’ and risk-assessment guides out this week – Network World.