ClearPoint Metrics

Measure, Share, Compare.

FISMA version 1.0

Scorecard Audience Description
Access Control Policies Risk Management

This scorecard assesses how well the organization adheres to access control policies relating to account provisioning and deprovisioning. This assessment uncovers areas in need of improvement in the account provisioning and deprovisioning process and in organizational guidelines.

Account Management Risk Management

This scorecard describes how well the organization manages user accounts. It examines the following indicators: trend in the number of active accounts by account type, trend in the number of active idle accounts that never expire, and the trend in the number of pending account provision and deprovision requests.

Alert Events Risk Management

This scorecard examines the volume and severity of alerts triggered by sensors of a Network Intrusion Prevention System (NIPS) or Network Intrusion Detection System (NIDS). The top 5 most active sensors are also displayed. This information allows the organization to assess the threats identified by the NIPS or NIDS and determine whether changes to the NIPS or firewall configuration are required.

Antivirus Coverage Risk Management

This scorecard examines the coverage of assets monitored by an anti-virus system. It displays statistics on the number of days since last signature update and volume of signatures updated within policy. This information allows the organization to determine its threat exposure associated with assets without an antivirus system agent or using old signatures.

Asset Risk Assessment Risk Management

The Asset Risk Assessment scorecard examines risk exposure. This scorecard focuses on the following indicators for high-value assets: percentage by secure location, percentage of technical vulnerabilities, and the overall risk score.

Awareness Training Risk Management

This scorecard examines how well the organization provides security awareness training. It examines the following indicators: coverage of users undergoing awareness training, number of users that have completed awareness training, mean time since users were last trained, and number of security incidents, to correlate incident volume with the effectiveness of training.

Business Continuity Planning Risk Management

The Business Continuity Planning scorecard examines the effectiveness of the organization's continuity plan. This scorecard evaluates the number of high value assets within the organization, the percentage covered by the business continuity plan, the number of unplanned outages, and the total downtime.

Configuration Management Risk Management

This scorecard examines the number of configuration changes, statistics on the time to complete configuration changes, and the percentage of changes that went through the change control process.

Data in Use Risk Management

This scorecard examines the management of data in use. It examines the location of data and which users are authorized to copy it. This information demonstrates the organization's awareness of sensitive data and confirms that controls are in place to ensure that data cannot be inadvertently copied to unauthorized devices.

Disaster Recovery Risk Management

The Disaster Recovery scorecard examines the organization's ability to recover from a disaster. This scorecard evaluates the mean time to recovery, the mean time between failures, and performance relative to the recovery time objective (RTO) and recovery point objective (RPO).

Firewall Activity Risk Management

This scorecard examines the firewall coverage of assets and networks. It also displays the volume of inbound and outbound denied traffic. This information allows the organization to determine the effectiveness of the firewall configuration and network deployment.

HIPS Agent Management Risk Management

This scorecard examines the current state of deployed Host Intrusion Prevention System (HIPS) agents. This information allows the organization to assess how well it maintains and updates these agents to ensure that assets are protected.

Host Vulnerability Risk Management

This scorecard reports on the distribution of vulnerabilities across hosts. It examines the percentage of hosts in which vulnerabilities were identified and lists the hosts with the highest vulnerability scores. A host's vulnerability score is calculated by weighting the number of identified vulnerabilities by their impact rating. These metrics identify concentrations of risk among asset groups and track overall host vulnerability.
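The weighted host score and the asset-group roll-up described above can be reproduced from a scanner export and a host inventory. The following is an added example, not code from ClearPoint Metrics; the impact weights, the host names, the asset groups and the findings are all constructed for illustration, and the page does not state which rating scale the product uses.

```python
from collections import Counter, defaultdict

# Assumed weights per impact rating (illustrative scale, not the product's).
IMPACT_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}

# Constructed host inventory: host -> asset group. Hosts with no findings still
# count in the denominator of "percentage of hosts with vulnerabilities".
INVENTORY = {
    "web-01": "dmz", "web-02": "dmz",
    "db-01": "core", "db-02": "core",
    "hr-ws-17": "workstations", "hr-ws-18": "workstations",
}

# Constructed scanner findings: (host, finding id, impact rating).
FINDINGS = [
    ("web-01", "VULN-0101", "high"),
    ("web-01", "VULN-0102", "medium"),
    ("web-01", "VULN-0103", "low"),
    ("web-02", "VULN-0101", "high"),
    ("db-01", "VULN-0201", "critical"),
    ("db-01", "VULN-0202", "critical"),
    ("db-01", "VULN-0102", "medium"),
    ("hr-ws-17", "VULN-0301", "low"),
    ("hr-ws-17", "VULN-0302", "low"),
]


def host_scores(findings, inventory):
    """Sum the impact weight of every finding per host.

    A finding for a host that is not in the inventory is an inventory gap, not a
    metric, so it is raised rather than silently scored; an unknown rating is
    raised so a bad scanner export cannot quietly lower a score.
    """
    scores = defaultdict(int)
    for host, _finding_id, impact in findings:
        if host not in inventory:
            raise KeyError(f"finding for unknown host {host!r}; reconcile scanner and inventory")
        try:
            scores[host] += IMPACT_WEIGHT[impact.lower()]
        except KeyError:
            raise ValueError(f"unknown impact rating {impact!r} on {host}") from None
    return dict(scores)


def pct_hosts_vulnerable(scores, inventory):
    """Percentage of inventoried hosts with at least one finding, to one decimal."""
    vulnerable = sum(1 for host in inventory if scores.get(host, 0) > 0)
    return round(100.0 * vulnerable / len(inventory), 1)


def top_hosts(scores, n=5):
    """Hosts ordered by descending score, ties broken by name for stable output."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def group_scores(scores, inventory):
    """Total score per asset group; groups with no findings are reported as 0."""
    totals = Counter()
    for host, group in inventory.items():
        totals[group] += scores.get(host, 0)
    return dict(totals)


if __name__ == "__main__":
    scores = host_scores(FINDINGS, INVENTORY)
    print("hosts with vulnerabilities:", pct_hosts_vulnerable(scores, INVENTORY), "%")
    print("top hosts:", top_hosts(scores, 3))
    print("risk by asset group:", group_scores(scores, INVENTORY))
```

Two hosts in the core group carry more weighted risk than the whole dmz group even though the dmz has more vulnerable hosts, which is the concentration the scorecard is meant to surface.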

Incident Response Risk Management

This scorecard examines the volume of resolved security incidents and the amount of time needed to resolve them. It examines the volume of incidents closed within open-to-close and start-to-close Service Level Agreements. This information allows the organization to assess its incident response process and identify areas for improvement.

Intrusion Detection System Coverage Risk Management

This scorecard examines the coverage of assets and networks under management by a Network Intrusion Detection System (NIDS) or a Network Intrusion Prevention System (NIPS). The volume of signatures updated within policy and statistics on the number of days since last update are also presented. This information allows the organization to assess its risk associated with assets and networks not covered by an Intrusion Detection System as well as its risk associated with lax signature updates.

Login Activity Risk Management

This scorecard provides security metrics relating to account login activity, including successful logins, failed logins, and statistics on time between login failures.

Media Encryption Risk Management

This scorecard examines the management of data at rest. It examines the encryption coverage of devices and data retention periods. High percentages of devices exempt from encryption policy or devices not fully encrypted increase the organization's exposure to data leakage. Likewise, a long retention period means the organization must ensure that its policies, processes, and procedures safeguard the data for the entire period.

Media Sanitization Risk Management

This scorecard examines the management of devices containing sensitive data. It examines adherence to device decommissioning and removable media policies. This information allows the organization to determine if appropriate measures have been taken to safeguard devices that have a greater probability of being compromised. An organization can also use this scorecard to determine its exposure and forecast the likelihood of data breaches involving its devices.

Media Storage Risk Management

This scorecard examines the management of data at rest. It examines the encryption coverage of devices and data retention periods. High percentages of devices exempt from encryption policy or devices not fully encrypted increase the organization's exposure to data leakage. Likewise, a long retention period means the organization must ensure that its policies, processes, and procedures safeguard the data for the entire period.

Outage Incidents Risk Management

The Outage Incidents scorecard examines system outages and recovery. This scorecard evaluates the number of outages, the total downtime, the percentage of outages that were recovered from within policy, and the mean number of days between outages.
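The Disaster Recovery and Outage Incidents scorecards above draw on the same outage record: downtime per outage, mean time to recovery, mean time between failures, mean days between outages, and the share of outages that met the recovery objectives. The following is an added example of those computations, not code from ClearPoint Metrics; the assets, the RTO/RPO values and the outage records are constructed, and the data-loss figure per outage is assumed to come from a post-incident review.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Constructed recovery objectives per asset, in minutes.
OBJECTIVES = {
    "db-01": {"rto": 60, "rpo": 15},
    "web-01": {"rto": 120, "rpo": 15},
}


@dataclass(frozen=True)
class Outage:
    asset: str
    start: datetime
    end: datetime
    data_loss_min: int  # minutes of data lost, as recorded in the post-incident review

    @property
    def downtime(self) -> timedelta:
        if self.end < self.start:
            raise ValueError(f"{self.asset}: outage ends before it starts")
        return self.end - self.start


# Constructed outage log for one reporting period.
OUTAGES = [
    Outage("db-01", datetime(2024, 1, 3, 2, 0), datetime(2024, 1, 3, 2, 45), 0),
    Outage("web-01", datetime(2024, 1, 10, 2, 0), datetime(2024, 1, 10, 4, 30), 30),
    Outage("db-01", datetime(2024, 1, 24, 2, 0), datetime(2024, 1, 24, 2, 20), 5),
]


def total_downtime_min(outages):
    return sum(o.downtime.total_seconds() for o in outages) / 60


def mttr_min(outages):
    """Mean time to recovery: average downtime per outage; None if no outages."""
    return total_downtime_min(outages) / len(outages) if outages else None


def mtbf_hours(outages):
    """Mean time between failures: average gap from one recovery to the next outage."""
    ordered = sorted(outages, key=lambda o: o.start)
    gaps = [(b.start - a.end).total_seconds() / 3600 for a, b in zip(ordered, ordered[1:])]
    return mean(gaps) if gaps else None


def mean_days_between_outages(outages):
    """Average start-to-start spacing of outages, in days."""
    ordered = sorted(outages, key=lambda o: o.start)
    gaps = [(b.start - a.start).total_seconds() / 86400 for a, b in zip(ordered, ordered[1:])]
    return mean(gaps) if gaps else None


def pct_within_objective(outages, objective):
    """Percentage of outages that met the asset's RTO (downtime) or RPO (data loss)."""
    if objective not in ("rto", "rpo"):
        raise ValueError("objective must be 'rto' or 'rpo'")
    met = 0
    for o in outages:
        limit = OBJECTIVES[o.asset][objective]
        observed = o.downtime.total_seconds() / 60 if objective == "rto" else o.data_loss_min
        met += observed <= limit
    return round(100.0 * met / len(outages), 1) if outages else None


if __name__ == "__main__":
    print("outages:", len(OUTAGES))
    print("total downtime (min):", total_downtime_min(OUTAGES))
    print("MTTR (min):", mttr_min(OUTAGES))
    print("MTBF (h):", mtbf_hours(OUTAGES))
    print("mean days between outages:", mean_days_between_outages(OUTAGES))
    print("within RTO (%):", pct_within_objective(OUTAGES, "rto"))
    print("within RPO (%):", pct_within_objective(OUTAGES, "rpo"))
```

MTBF is measured from recovery to the next outage, while "days between outages" is measured start to start; the two differ by the downtime itself, which is why a scorecard should state which one it reports.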

Password Management Risk Management

This scorecard focuses on the following indicators: percentage of synchronized accounts, percentage of accounts with passwords, how frequently passwords are changed, and percentage of weak passwords.

Patch Configuration Risk Management

This scorecard focuses on the following indicators: the total number of assets under management, the number of devices in which a configuration policy has been applied, percentage of assets patched to policy, and the number of open tickets related to patch management.

Personnel Termination Risk Management

The Personnel Termination scorecard examines the organization's exposure resulting from the termination of personnel. This scorecard focuses on the following indicators: the number of terminated employees, the percentage of terminated employees who returned all organizational assets, and percentage of accounts belonging to terminated employees deprovisioned within policy.

Scan Configuration

The Scan Configuration scorecard examines compliance with vulnerability scanning policies. This scorecard measures the average time elapsed since the last scan and determines the number of hosts that were scanned within policy.

Scan Coverage Risk Management

This scorecard assesses how well the organization covers its assets with its vulnerability scanning and patching systems.

Security Coverage Risk Management

The Security Coverage scorecard displays the coverage of the antivirus, intrusion detection, vulnerability management, and disk encryption systems.

System Resiliency Risk Management

The System Resiliency scorecard examines the resiliency of mission critical assets within the organization. This scorecard evaluates the success rate of backups and the effectiveness of failover and failback operations.

Third Party Access Control Policies Risk Management

This scorecard assesses how well the organization adheres to access control policies relating to account provisioning and deprovisioning for third party access to the network. This assessment uncovers areas in need of improvement in the account provisioning and deprovisioning process and in organizational guidelines.

Virus Protection Risk Management

This scorecard examines the volume of virus events that were detected and successfully remediated by the automated anti-virus system, alongside the volume of virus events that had to be remediated by manual processes. This information allows the organization to assess how effective it is at preventing virus outbreaks and to examine the efficiencies gained by improving automatic remediation, for example by reducing DAT file update latency.

Vulnerability Management Risk Management

This scorecard provides detailed information about identified vulnerabilities. The current volume of vulnerabilities, and the trend in that volume, are displayed by impact and type. This scorecard also lists the top 10 vulnerabilities as measured by the greatest number of incidents during the reporting period. This information allows the organization to assess the severity and type of vulnerabilities encountered.
