
InformationGathering -> Monitoring: Coverage and control metrics

Risk and Opportunity

Risk: The effectiveness of configuration, patch and vulnerability management is unknown.
Opportunity: Use coverage and control metrics to show the effectiveness of the security program. Coverage is the degree to which a specific security control for a specific target group is applied across all resources. The control degree shows the actual application of security standards and security guidelines. Examples are gathering information on anti-virus, anti-rootkits, patch management, server configuration and vulnerability management.
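
One way to compute both metrics from an asset inventory and agent reports, as an added example that is not part of the original page or of the project it describes. The host names, control names, report format and the function `coverage_metrics` are assumptions; control degree is interpreted here as the share of covered hosts that meet the standard.

```python
from collections import defaultdict

# Constructed sample data (not from the original page): host -> target group.
INVENTORY = {
    "web-01": "servers", "web-02": "servers", "db-01": "servers",
    "lt-01": "workstations", "lt-02": "workstations",
}
# Constructed agent reports: (host, control, meets_standard), oldest first.
REPORTS = [
    ("web-01", "patch-management", True),
    ("web-02", "patch-management", True),
    ("web-02", "patch-management", False),  # later report supersedes the earlier one
    ("lt-01", "patch-management", True),
    ("lt-01", "anti-virus", True),
    ("lt-02", "anti-virus", False),
    ("ghost-9", "anti-virus", True),        # reports in but is not in the inventory
]

def coverage_metrics(inventory, reports):
    """Return ({(control, group): metrics}, hosts_missing_from_inventory)."""
    groups = defaultdict(set)
    for host, group in inventory.items():
        groups[group].add(host)

    latest = {}      # (control, host) -> meets_standard, last report wins
    unknown = set()  # reporting hosts the inventory does not know about
    for host, control, ok in reports:
        if host in inventory:
            latest[(control, host)] = ok
        else:
            unknown.add(host)

    result = {}
    for control in sorted({c for _, c, _ in reports}):
        for group, hosts in groups.items():
            applied = {h for h in hosts if (control, h) in latest}
            compliant = {h for h in applied if latest[(control, h)]}
            result[(control, group)] = {
                # Share of the target group on which the control is applied.
                "coverage": len(applied) / len(hosts),
                # Share of covered hosts that meet the standard; None if none are covered.
                "control_degree": len(compliant) / len(applied) if applied else None,
                "not_covered": sorted(hosts - applied),
            }
    return result, sorted(unknown)

if __name__ == "__main__":
    table, unknown = coverage_metrics(INVENTORY, REPORTS)
    for key, row in table.items():
        print(key, row)
    print("not in inventory:", unknown)
```

Hosts that report but are absent from the inventory are listed separately instead of being counted, because they indicate that the denominator of the coverage figure is itself incomplete.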

Usefulness and Requirements of this Activity

Usefulness: High
Required knowledge: Medium (two disciplines)
Required time: Very High
Required resources (systems): Low

Additional Information

Dependencies: Visualized metrics
Implementation hints:

OWASP SAMM VERSION 2

ISO27001 2017