[ISN] How to measure security? NIST maps out the emerging field of IT metrology

From: InfoSec News <alerts_at_private>
Date: Fri, 11 Sep 2009 03:22:43 -0500 (CDT)
http://gcn.com/articles/2009/09/14/update-1-security-metrics-lacking-for-it-systems.aspx

By William Jackson
GCN.com
Sept. 10, 2009

Information technology security is a hot topic, but attention usually 
focuses on the lack of it. What is missing is an objective, quantifiable 
way to effectively measure it.

"Security can be looked at in different ways by different people," said 
Wayne Jansen, a computer scientist at the National Institute of 
Standards and Technology's IT Laboratory. There is quality control for 
code developers, the process of deploying a system, and its maintenance 
by users. "These are all different aspects," and they do not lend themselves 
to traditional methods of measurement used in physical science, he said.

Jansen has examined the status of efforts to develop security metrics, 
identified challenges and suggested a course for future research in a 
recent NIST report, "Directions in Security Metrics Research."

There have been a number of efforts to establish metric systems for 
security, including the international Common Criteria, the Defense 
Department's Trusted Computer System Evaluation Criteria, the European 
Communities' Information Technology Security Evaluation Criteria, and the 
International Systems Security Engineering Association's Systems 
Security Engineering Capability Maturity Model.

[...]

