From: <vi...@is...> - 2005-11-02 10:31:11
Dear All,

I plan to publish a revision of ISM3 before the end of this year, with your help, of course. This revision will have some small tweaks, like EA 7/03 additions, OSSTMM synchronization, being more specific on ISM3 minimum scope, specifying the accreditation and certification processes, and METRICS.

I attach a preview of my work on Metrics for ISM3. For the time being it is just a list. I have come to realize that metrics are a dime a dozen. It's very easy to make up things you could measure. Far more difficult is to make up things that can trigger management decisions. So the criteria for inclusion of metrics in ISM3 v1.1 will be:

- The metric can't reach a value and stay there. Example: Percentage of security policies written. This kind of metric would be a project management progress metric, not a management process (versus project) metric.
- The metric must help to detect abnormal conditions, or help to take decisions.
- "Normal conditions" won't be pre-defined. This means that historic data of the metric must let us know what the normal values for the metric are. For example, if we know the arithmetic mean and the standard deviation, values within the AM plus or minus the standard deviation will be considered "normal". I hope to reach a manageable number of meaningful metrics.
- Four main categories of metrics will be used:
  -- Activity: This metric measures how many "work products" have been produced.
  -- Coverage: This metric measures whether all defined environments or systems are being protected by the process. For example, AV could be installed on only 50% of user PCs.
  -- Update: This metric measures how updated or recent the process is.
  -- Availability: This metric measures whether there have been failures in the processes.

Metrics will be defined expressing the associated action when the metric indicates abnormalities.

There are four types of processes:

- Management processes.
- Action processes. These are continuous in time.
- Triggered processes. These are performed on an as-needed basis.
- Prevention. These can't reach "abnormal" levels, as they prepare the organization to better perform the rest of the processes.

As this is a lot of work, I expect some of you to come forward and undertake the detailed definition of a few of the processes. The rest can review the ongoing work.

BTW, we have a new member, Anup Narayan has joined the ISM3 effort.

My best
Vicente Aceituno
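The "normal conditions from historic data" rule described in the post, worked through as an added example (this is not code from the ISM3 project or from the post's author): each metric keeps a history of its own past readings, the baseline is the arithmetic mean plus or minus the standard deviation of that history, and a reading outside that band is reported together with the management action the metric definition attaches to it. The metric names, history values and actions below are constructed for illustration and correspond to the Coverage, Update and Availability categories named in the post; `pstdev` (population standard deviation) is an assumption, as the post does not say which estimator it has in mind.

```python
"""Baseline check for ISM3-style process metrics (added example).

Rule from the post: a value is "normal" when it lies within
arithmetic mean +/- standard deviation of the metric's own history.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Baseline:
    arithmetic_mean: float
    std_dev: float

    @property
    def lower(self) -> float:
        return self.arithmetic_mean - self.std_dev

    @property
    def upper(self) -> float:
        return self.arithmetic_mean + self.std_dev

    def is_normal(self, value: float) -> bool:
        return self.lower <= value <= self.upper


def build_baseline(history: list[float]) -> Baseline:
    """Derive the normal band from past readings; needs at least two points,
    otherwise the standard deviation says nothing about spread."""
    if len(history) < 2:
        raise ValueError("need at least two historic readings to build a baseline")
    # Population std dev (assumption): the history is treated as the whole
    # record of the process, not a sample of a larger one.
    return Baseline(mean(history), pstdev(history))


def check_metric(name: str, history: list[float], current: float, action: str):
    """Return ("normal", None) or ("abnormal", message) for the latest reading.
    The message carries the action the metric definition associates with an
    abnormal value, which is what should trigger the management decision."""
    base = build_baseline(history)
    if base.is_normal(current):
        return ("normal", None)
    direction = "above" if current > base.upper else "below"
    msg = (f"{name}: {current} is {direction} the normal band "
           f"[{base.lower:.2f}, {base.upper:.2f}] -> action: {action}")
    return ("abnormal", msg)


# Constructed sample metrics, one per category from the post (not real data).
SAMPLE_METRICS = [
    # Coverage: % of user PCs with AV installed, one reading per month
    ("AV coverage (% of user PCs)", [96.0, 97.0, 95.5, 96.5, 97.5, 96.0], 88.0,
     "check AV deployment for newly added PCs"),
    # Update: days since the last AV signature update, one reading per day
    ("AV signature age (days)", [1, 1, 2, 1, 1, 2, 1], 9,
     "verify the signature distribution job is running"),
    # Availability: failures of the backup process per month
    ("Backup process failures (per month)", [0, 1, 0, 0, 1, 0], 0,
     "open an incident on the backup platform"),
]


def run_sample_report() -> list[str]:
    """Evaluate every sample metric; return the names found abnormal."""
    abnormal = []
    for name, history, current, action in SAMPLE_METRICS:
        status, msg = check_metric(name, history, current, action)
        if status == "abnormal":
            abnormal.append(name)
            print(msg)
    return abnormal


if __name__ == "__main__":
    run_sample_report()
```

Running the script prints the two constructed readings that fall outside their bands (AV coverage dropping to 88% and signature age jumping to 9 days) with their attached actions, while the backup metric stays quiet. Note that a band of one standard deviation is narrow: with a steady history the std dev is small and the check will fire on modest moves, which is why the post ties each metric to a defined action rather than an alert alone.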