Information security indicators
In information technology, benchmarking of computer security requires measurements for comparing both different IT systems and single IT systems in dedicated situations. The technical approach is a pre-defined catalog of security events (security incident and vulnerability) together with corresponding formula for the calculation of security indicators that are accepted and comprehensive.
Information security indicators have been standardized by the ETSI Industrial Specification Group (ISG) ISI. These indicators provide the basis to switch from a qualitative to a quantitative culture in IT Security Scope of measurements: External and internal threats (attempt and success), user's deviant behaviours, nonconformities and/or vulnerabilities (software, configuration, behavioural, general security framework).
The list of Information Security Indicators belongs to the ISI framework that consists of the following eight closely linked Work Items:
- ISI Indicators (ISI-001-1 and Guide ISI-001-2): A powerful way to assess security controls level of enforcement and effectiveness (+ benchmarking)
- ISI Event Model (ISI-002): A comprehensive security event classification model (taxonomy + representation)
- ISI Maturity (ISI-003): Necessary to assess the maturity level regarding overall SIEM capabilities (technology/people/process) and to weigh event detection results. Methodology complemented by ISI-005 (which is a more detailed and case by case approach)
- ISI Guidelines for event detection implementation (ISI-004): Demonstrate through examples how to produce indicators and how to detect the related events with various means and methods (with classification of use cases/symptoms)
- ISI Event Stimulation (ISI-005): Propose a way to produce security events and to test the effectiveness of existing detection means (for major types of events)
- An ISI-compliant Measurement and Event Management Architecture for Cyber Security and Safety (ISI-006, in preparation): This work item focuses on designing a cybersecurity language to model threat intelligence information and enable detection tools interoperability.
- ISI Guidelines for building and operating a secured SOC (ISI-007, in preparation): A set of requirements to build and operate a secured SOC (Security Operations Center) addressing technical, human and process aspects.
- ISI Description of a whole organization-wide SIEM approach (ISI-008, in preparation): A whole SIEM (CERT/SOC based) approach positioning all ISI aspects and specifications.
Preliminary work on information security indicators have been done by the French Club R2GS. The first public set of the ISI standards (security indicators list and event model) have been released in April 2013.
- ETSI GS ISI 001-1 (V1.1.2): ISI Indicators Part 1; A full set of operational indicators for organizations to use to benchmark their security posture (2015-06) 
- ETSI GS ISI 001-2 (V1.1.2): ISI Indicators Part 2; Guide to select operational indicators based on the full set given in part 1 (2015-06) 
- ETSI GS ISI 002 (V1.2.1): ISI Event Model; A security event classification model and taxonomy (2015-11) 
- ETSI GS ISI 003 (V1.2.1): ISI Key Performance Security Indicators (KPSI) to evaluate the maturity of security event detection (2018-01) 
- ETSI GS ISI 004 (V1.1.1): ISI Guidelines for event detection implementation (2013-12) 
- ETSI GS ISI 005 (V1.1.1): ISI Guidelines for security event detection testing and assessmeent of detection effectiveness (2015-11)