Mesurer la sécurité – Security measures

Voici quelques références qui aident dans les mesures en sécurité informatique.

Refs related to the measurement of security (KPIs, KRIs, KCIs)

1. NIST SP800-55: Perf. Measurement Guide for Infosec (see Appendix A for examples)
2. NIST SP800-53: Assessing Security Controls, Building Effective Security Assessment Plans
3. NIST SP800-40: Section 3 – Security Metrics for Patch & Vulnerability Mgmt
4. NIST Maturity Levels: High-level security program maturity
5. ISO 27004:2009:  IT Security Techniques – Infosec Mgmt – Measurement – top-down & bottom-up approach to security metrics, in line with other 27K standards
6. ISO 21827:2008: IT Security techniques – Systems Security Engineering- Capability Maturity Model (SSE-CMM)
7. Security Metrics: Replacing Fear, Uncertainty and doubt book
8. DOD’s Measuring Security:  published in 2009, compares NIST, ISO, ISACA… refers to other sources:

• NIST and ISO guidelines/standards mentioned above
• ISACA’s Developing metrics for effective Infosec Governance
• ISACA’s How can security be measured?
• securitymetrics.org‘s Metrics Catalog – eventually takes you to https://www.metricscenter.net/