The updates include eight new metrics focused on incident impact and configuration compliance. Also included are taxonomies to standardize metrics reporting and relationship diagrams for metrics datasets.
The metrics assist security professionals in justifying their program expenses and prioritizing information security investment decisions, the CIS noted.
“By implementing these new configuration and incident management metrics, along with the financial metrics, organizations can now have a process for measuring the success of these information security business functions with the same frequency and rigor as traditional public financial results”, said Steven Piliero, CIS chief security officer.
The CIS metrics are developed through consensus of security experts from commercial enterprises, government, and academia. Participants provide perspectives on software development, audit and compliance, research, and legal issues. The metrics provide definitions for security professionals to measure the information security status of their enterprises.
Development of the new metrics was a collaborative process: participants first agreed on which additional metrics to measure in the enterprise, then on how best to define the means of measuring them. The resulting definitions were then vetted among the CIS membership.
Moving forward, the CIS consensus group will release electronic schemas for sharing metrics data and definitions via automation tools both within and across organizational boundaries.