Current State of Security Metrics ◾ 51
management and IT security metrics primarily using a version of the Capability
Maturity Model (CMM). e prevailing commercial standards include
ISO/IEC 27001:2005 Information Security Standard ◾
ISO/IEC 17799:2005 Code of Security Practice ◾
ISO/PAS 28000:2005 Specification for security management systems for ◾
global supply chains
CobiT ◾
ISMS ◾
3.5.6 OCTAVE
Developed by the Carnegie Mellon Software Engineering Institute, the
Operationally Critical reat, Asset, and Vulnerability Evaluation (OCTAVE) cri-
teria define a standard approach for an operational risk-driven, asset- and practice-
based information security evaluation. It uses a three-phase approach to examine
organizational and technolog ...