Home page logo

educause logo Educause Security Discussion mailing list archives

Measuring security
From: Heather Flanagan <heatherf () STANFORD EDU>
Date: Wed, 5 Nov 2008 14:05:40 -0800

Hi all -

I've been asked to create some measurable target goals for data
security.  This is proving to be a tricky set of metrics to define!
What I've realized so far is:

1 - trying to go by how many holes or warnings are found by nessus
won't work; way to many false positives
2 - trying to go by what a third-party penetration test might find
won't work; what they are measuring varies too much and there have so
far been way too many false positives or things we considered
completely acceptable (yes, a domain controller is going to act as a
time server to anyone who checks)
3 - trying to go by "well, doesn't look like we've been hacked
recently"...  not quite the business metric I'm looking for

Is anyone out there finding any particular set of metrics working for
you and your campus leadership?

Heather Flanagan
Director, System Administration
heatherf () stanford edu

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]