Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period

Status: Live

The organization will report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. [UCF ID 02129]

Metric guidance

Calculation: The calculation for this metric is # of vulnerability assessment findings that have been addressed since the last reporting period / # of vulnerability assessment findings.

Calculation source: No authority document source of information exists. The following formula was used: the number of vulnerabilities that have been assigned actions to help mitigate the risks associated with the vulnerability divided by the number of identified vulnerabilities from the last vulnerability report.

The Common Control IDs associated with this metric are as follows:

Supporting and supported controls

This control directly supports:

    Establish and maintain an incident management and vulnerability detection and response metrics management program [UCF Control ID 02085]

There are no supporting controls.

Authority documents complied with:

CISWG Information Security Program Elements, January 10, 2005, ISPE29.6; Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1, Revision 1, App A Measure 2; Guide for Developing Performance Metrics for Information Security, NIST SP 800-80, Table 18

US Federal Security Guidance

The organization must measure and report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. [ISPE29.6, CISWG Information Security Program Elements, January 10, 2005]

NIST Guidance

The calculation for this metric should be stated as the # of identified vulnerabilities that have been corrected in the targeted time frame / # of vulnerabilities identified during the reporting period. Use the number of vulnerabilities identified during the reporting period as the base number divided by the number of identified vulnerabilities that have been corrected within the defined time period. [App A Measure 2, Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1, Revision 1]

This metric must be calculated using # of vulnerability assessment findings that have been addressed since the last reporting period / # of vulnerability assessment findings. [Table 18, Guide for Developing Performance Metrics for Information Security, NIST SP 800-80]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.