Information Gathering -> Monitoring: Coverage and control metrics
Risk and Opportunity
Risk: The effectiveness of configuration, patch, and vulnerability management is unknown.
Opportunity: Use coverage and control metrics to show the effectiveness of the security program. Coverage is the degree to which a specific security control is applied to a specific target group across all of its resources.
The control degree shows the actual application of security standards and security guidelines. Examples are gathering information on anti-virus, anti-rootkits, patch management, server configuration and vulnerability management.
Required knowledge: Medium (two disciplines)
Required time: Very High
Required resources (systems): Low
Dependencies: Visualized metrics
Implementation hints: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD%20Fileserver/books/SICUREZZA/Addison.Wesley.Security.Metrics.Mar.2007.pdf
OWASP SAMM 2 Mapping: o-incident-management|A|2
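
The coverage and control metrics described under Opportunity can be computed from an asset inventory. The following is an added example, not part of the original page. The inventory format, the group and control names, and the choice to measure control degree only over covered assets are all assumptions.

```python
# Constructed sample inventory (assumption): each asset belongs to one target
# group; "controls" maps a control name to True (applied and meets the
# standard) or False (applied but non-compliant). A missing key = not applied.
INVENTORY = [
    {"name": "web-01", "group": "server",
     "controls": {"patch_management": True, "antivirus": True}},
    {"name": "web-02", "group": "server",
     "controls": {"patch_management": False, "antivirus": True}},
    {"name": "db-01", "group": "server", "controls": {"patch_management": True}},
    {"name": "db-02", "group": "server", "controls": {}},
    {"name": "ws-01", "group": "workstation", "controls": {"antivirus": False}},
]

def metrics(inventory, group, control):
    """Return the coverage and control degree of one control for one group."""
    in_scope = [a for a in inventory if a["group"] == group]
    covered = [a for a in in_scope if control in a["controls"]]
    compliant = [a for a in covered if a["controls"][control]]
    return {
        # Coverage: share of the target group where the control is applied.
        # None (not 0.0) when the group is empty, so "no data" stays visible.
        "coverage": len(covered) / len(in_scope) if in_scope else None,
        # Control degree: share of covered assets that meet the standard.
        "control_degree": len(compliant) / len(covered) if covered else None,
        # Names make the gaps actionable instead of just a percentage.
        "uncovered": sorted(a["name"] for a in in_scope if a not in covered),
        "non_compliant": sorted(a["name"] for a in covered if a not in compliant),
    }

def report(inventory):
    """Compute both metrics for every (group, control) pair in the inventory."""
    groups = sorted({a["group"] for a in inventory})
    controls = sorted({c for a in inventory for c in a["controls"]})
    return {(g, c): metrics(inventory, g, c) for g in groups for c in controls}

if __name__ == "__main__":
    for (group, control), m in report(INVENTORY).items():
        print(group, control, m)
```

Keeping coverage and control degree separate distinguishes "the control is not deployed" from "the control is deployed but does not meet the standard", which call for different remediation.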