How Colorado's CISO is revamping the state's information security -- on a $6,000 budget

By , CSO |  Security

We put together a scorecard, a security-metrics scorecard. It includes tracking the percentage of our systems that are under management. The way we define that is basically from a central location, the number of systems that I can view and observe their current risk and security status within a 48-hour period.


Other metrics include the percentage of critical or high vulnerabilities per every host. We are also looking at the number of successful malware infections and the number of computers that we have to reimage because of that. That number should really go down.

Those are our outcomes-based measures. We have other input-based measures we are looking at, too. They include number of hours per staff activity. The idea is the more we get things under control, the less time our staff should be spending on reactive-type issues. We should have much less running around, putting out fires in the day.

The other thing is mean time to resolve an incident. We are looking for that to go down significantly as well.


Originally published on CSO.