Managed Security Metrics

["Mike Smith" <msmith () infinity-its com>]

What security metrics should I be looking for in a service level agreement
from a managed security service provider?  Traditional service level
agreements cover things like performance (throughput) and availability.  If
I have an outsourcer manage my firewall, what kinds of service targets
should I insist on?

I wouldn't think there'd be any point to counting blocked attacks (as a
service metric).  I certainly want to know how many attacks got through, but
is that a metric for which I can usefully set a target (e.g., no more than 0
successful attacks per month)?

If the service provider manages my firewall plus other devices, like VPNs,
IDSes, etc., can  we or should we set different types of targets for each
device/service?  Or should there be some global security metrics that apply
across the entire service?  I'd like to know how much of my bandwidth I'm
giving up to the security provider's data streams, but that doesn't tell me
how secure I am.

Related to this, I recently listened to a Meta audio briefing
(http://www.metagroup.com/metaview/mv0314/mv0314.html) that suggested some
useful security metrics (aimed more at internal security operations)
included things like password reset requests, time to create or delete user
accounts, etc.  Would these work for measuring an external service provider?

J. Michael Smith


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards