adammontville / cis-controls-71-measures

Subcontrol 7.3 #84

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Measures

M1 = # of scripts allowed to run
M2 = # of authorized scripts

Metrics

Enforcement Quality = (M1 intersect M2) / M2
Error-rate = (M1 - (M1 intersect M2)) / M2

apiperCIS commented 5 years ago

Inputs

1) List of web browsers and email clients installed in the organization by endpoint (subset of Integrated Hardware/Software Inventory from Sub-Control 2.5)
2) Approved configuration(s) covering each web browser and email client in Input 1 to restrict the scripting languages that can run to only the authorized scripting languages

Operations

1) For each application instance (web browser or email client) in Input 1, check the application's configuration against the appropriate approved configuration(s) from Input 2. Create a list of the application instances that meet the approved configuration (M1) and a list of the application instances that do not meet the approved configuration (M2), noting each deviation.

Measures

M1: List of application instances (web browser or email client) that meet the approved configuration (compliant list)
M2: List of application instances (web browser or email client) that do not meet the approved configuration (non-compliant list)
M3: Count of compliant application instances (count of M1)
M4: Count of non-compliant application instances (count of M2)
M5: Total count of installed web browser and email client instances (count of Input 1)

Metrics

Ratio of compliant web browser and email client instances: M3 / M5
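
The Operations and Measures in the comment above, worked through as an added example that is not part of the original thread or the project's code. The endpoint names, application names and setting keys are constructed, and the script assumes that an unset setting counts as a deviation and that an application with no approved configuration is non-compliant.

```python
# Constructed sample data; application names, endpoints and setting keys are hypothetical.
APPROVED = {  # Input 2: approved configuration per application
    "browser-a": {"javascript": "allowed", "vbscript": "blocked", "activex": "blocked"},
    "mail-b": {"javascript": "blocked", "vbscript": "blocked"},
}
INVENTORY = [  # Input 1: installed instances by endpoint, with observed settings
    {"endpoint": "ws-001", "app": "browser-a",
     "config": {"javascript": "allowed", "vbscript": "blocked", "activex": "blocked"}},
    {"endpoint": "ws-001", "app": "mail-b",
     "config": {"javascript": "allowed", "vbscript": "blocked"}},
    {"endpoint": "ws-002", "app": "browser-a",
     "config": {"javascript": "allowed", "vbscript": "blocked"}},
    {"endpoint": "ws-003", "app": "browser-c", "config": {"javascript": "allowed"}},
]

def deviations(observed, approved):
    """Return one string per setting that differs from the approved configuration."""
    if approved is None:  # assumption: no approved configuration means non-compliant
        return ["no approved configuration for this application"]
    out = []
    for key, want in sorted(approved.items()):
        got = observed.get(key, "<unset>")  # assumption: unset counts as a deviation
        if got != want:
            out.append(f"{key}: expected {want}, found {got}")
    return out

def measure(inventory, approved):
    """Build M1..M5 and the compliance ratio for the given inventory."""
    m1, m2 = [], []
    for inst in inventory:
        name = (inst["endpoint"], inst["app"])
        devs = deviations(inst["config"], approved.get(inst["app"]))
        if devs:
            m2.append((name, devs))  # non-compliant, with each deviation noted
        else:
            m1.append(name)
    m3, m4, m5 = len(m1), len(m2), len(inventory)
    ratio = m3 / m5 if m5 else None  # undefined when nothing is installed
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4, "M5": m5, "ratio": ratio}

if __name__ == "__main__":
    r = measure(INVENTORY, APPROVED)
    print(f"compliant {r['M3']}/{r['M5']} = {r['ratio']:.2f}")
    for name, devs in r["M2"]:
        print(name, devs)
```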