Re: Tools to collect and manage security metrics

["gig" <gigabit () satx rr com>]

Ronish,

You are absolutely correct that metrics can be a powerful tool to empower 
management to drive a security program.

The difficulty in addressing your question is the lack of specificity in 
what you are trying to do....

Do you know what type of information you want to focus on?  Technical 
metrics such as system patching, vulnerabilities, access control changes? 
Or process metrics, like change management info or incident response 
tracking?

We use different products....to both acquire the data and then produce the 
reports.

For the technical side, we use McAfee's compliance product.

For the process/management side, we use the Archer product.

My general advice....find the things you want to track and be very 
consistent in how/when you report the metrics.

Also, read this:  Security Metrics by Jaquith




----- Original Message ----- 
From: <sfmailsbm () gmail com>
To: <security-basics () securityfocus com>
Sent: Tuesday, December 06, 2011 12:44 AM
Subject: Tools to collect and manage security metrics


> Hi All,
>
> One of the challenges in managing IT security is metrics.
>
> With appropriate metrics you can show through dashboards what your 
> security posture is and how it is evolving
>
> This is particularly helpful if you want to show ur management how an 
> investment in security is bringing 'concrete' results
>
> However, collecting, analysing, processing metrics can be very tedious and 
> each organisation has it's own needs
>
> Would the forum have any ideas about open source or commercial tools that 
> can help get started with security metrics?
>
> Any help will be greatly appreciated
>
> Thanks,
> Ronish
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL 
> certificate.  We look at how SSL works, how it benefits your company and 
> how your customers can tell if a site is secure. You will find out how to 
> test, purchase, install and use a thawte Digital Certificate on your 
> Apache web server. Throughout, best practices for set-up are highlighted 
> to help you ensure efficient ongoing management of your encryption keys 
> and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------