
Security Metrics -- Measuring a firm's security

Status
Not open for further replies.

odinfire

MIS
Jan 20, 2003
76
US
Greetings all!

I am looking for someone out there who may have some ideas, or a template, on some measurables that can be quantified for the security audit of an organization. Some examples of the metrics I had in mind include:
1) Patch Level - How many users are patched?
2) Password Compliance - Are users adhering to policy?
3) User Installed software - Inappropriate rights for users?
If anyone can provide, or point me in the right direction, information on this topic I would be much obliged.

Regards,

Odin
 
Where I work we use a product from Internet Security Systems called ISS7, their site is at
Pretty good tool, it will do everything you are asking for and tons more. But do check the price, I have no idea what this thing costs but I'm sure it is a bundle.

SF18C
CCNP, MCSE, A+, N+ & HPCC

"Tis better to die on your feet than live on your knees!"
 
I use Nessus Security Scanner to verify that systems are patched against known vulnerabilities.

Available at , but it requires a Linux system to use it.

For Microsoft systems, you can use Microsoft Baseline Security Analyzer. It will give you a starting place on Microsoft systems.

available here
Craig

 