wmunyan
commented
5 years ago NOTE: Proposal very similar to 5.1, but for network devices and not software.
Inputs:
- The list of authorized network devices, per Control 1.
- The list of enterprise security configuration standards.
Assumption:
- Documentation of secure configuration standards should include any approved deviations/exceptions from industry-standard security baselines such as CIS benchmarks, DISA Security Technical Implementation Guides (STIGs), or U.S. government configuration baselines (USGCB).
Operations:
- Perform a set calculation, computing the Intersection (M1) of Input 1 and Input 2
Measures:
- M1 = The intersection of Input 1 and Input 2. This intersection measures those authorized network devices with security configuration standards.
- M2 = The "left" side of the set calculation measures the number of authorized network devices without security configuration standards.
- M3 = The "right" side of the set calculation measures the number of security configuration standards without any authorized network devices to which they are associated.
- M4 = The number of authorized network devices.
Metrics:
- Coverage = (M4 - M2) / M4
Maintain standard, documented security configuration standards for all authorized network devices.
Measures
Metrics