July 21, 2009
This page provides information on the Metrics Catalog Project that was announced at the MiniMetricon 2.5 Meeting in San Francisco, CA on 7 April 2008.
There are two documents on the Metrics Catalog available at this time:
- Metrics Catalog Project (this page)
- Metrics Catalog Preview
You can find more documents at the MetricsCenter website. The Metrics Catalog Project consists of three primary components:
- MetricsCenter Google Group. You can subscribe by sending a request to firstname.lastname@example.org. Along with your request to join, please provide a bit of background about yourself and your interest in security metrics. As of June 2008, there are approximately 100 individuals participating in this community.
- MetricsCenter.org website. MetricsCenter hosts the catalog. A preview site is up and running now.
- Securitymetrics.org Web Site for posting news and information about the project.
The following paragraphs describe each of the above.
Security Metrics Catalog Overview
The Security Metrics Catalog is an open, public catalog for storing, organizing and sharing metrics definitions. It is one of several free services that are hosted at MetricsCenter.
The catalog is built on open source technology and on a metrics management platform developed by PlexLogic, LLC.
The catalog supports the following features:
- Public Metrics Catalog: A database of structured and unstructured information that completely and unambiguously defines a metric.
- Catalog Explorer: A web UI that allows one to navigate the set of stored metric definitions.
- Metric Editor: A web UI that allows one to submit a new metric definition or propose a change to an existing one.
- Metric Versioning: A function that tracks changes to metric definitions and supports a workflow that takes a metric from initial proposed inclusion in the catalog, through reviews, revisions, approval, and publication—followed by periodic updates.
- Catalog Search: Structured search via contexts and unstructured Google-like search based upon the words used to describe the metric. In addition, one can edit associations between metrics and “nodes” within context hierarchies.
- Metric Rating: Users can assign a rating to a metric and the catalog will compute an overall score that is displayed as zero to five stars (like Netflix movie ratings).
- Metric Licensing: In the event that a contributor wishes to treat the metric definition as intellectual property whose usage is governed by one of the widely-used open source licenses, this can be specified as part of the metric definition.
The Catalog contains two primary objects: Metric Definitions and Contexts.
Metric Definitions, sometimes called simply Metrics, are a collection of named attributes that are designed to provide a complete and unambiguous specification for a Metric. Ideally, these attributes could be handed to two implementers who would develop code that would yield identical results. In addition to this, the metric definition can provide guidance and use cases for the metric. This includes success stories, unexpected side effects and interpretation of results. This is what we mean by a “complete and unambiguous” specification.
Contexts are hierarchies of topics that are typically (but not necessarily) business oriented. A context can be:
- A regulation, e.g. SOX or HIPAA
- An industry requirement, e.g. PCI
- A standard, e.g. ISO 27002-5
- A best practice, e.g. ITIL or COBIT or CISWG
- A functional de-composition of a process
- Or almost anything else that is of general utility
MetricsCenter.org is the website that hosts the public Metrics Catalog. Some introductory information about the site–how to use it, what works now, what is planned, and specific requests for feedback–can be found on the Catalog Preview Page.
PlexLogic developed the software for MetricsCenter(tm) and is the founding lead for the SecurityMetrics.org Catalog Project. By contributing some of its resources to the creation and initial population of a Security Metrics Catalog, PlexLogic hopes to kick-start the process of identifying and defining a common repository of practical and useful metrics for the purposes of corporate governance, risk and compliance management.
In addition to working on the Metrics Center, PlexLogic provides additional services in the area of metrics. Visit http://www.plexlogic.com for more information. You can contact PlexLogic at