Status: Live
The organization will report on the average time elapsed between vulnerability or weakness discovery and implementation of corrective action. [UCF ID 02140]
Metric guidance
Calculation: The calculation for this metric is the date of vulnerability or weakness discovery + the date the vulnerability or weakness was corrected.
Calculation source: The authority document source of information is NIST 800-55, Critical Element 2.2. The following formula was used: the sum of the number of weaknesses closed in 30 days, 60 days, 90 days, 180 days, and 1 year divided by the total number of weaknesses closed in the last year for each business unit (or the organization as a whole).
The Common Control IDs associated with this metric are as follows:
- Safeguard selection and prioritization in light of risk assessment findings [UCF Control ID 00707]
- Risk action plan in light of risk assessment findings [UCF Control ID 00705]
Supporting and supported controls
This control directly supports:
- Establish and maintain an incident management and vulnerability detection and response metrics management program [UCF Control ID 02085]
There are no supporting controls.
Authority documents complied with:
Security Metrics Guide for Information Technology Systems, NIST SP 800-55, July 2003, § A.2.2.1; Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1, Revision 1, App A Measure 16
NIST Guidance
This metric must be calculated using (# of weaknesses x 30 + # of weaknesses x 60 + # of weaknesses x 90 + # of weaknesses x 180 + # of weaknesses x 365) / # of total weaknesses closed.
Information Source: Use the total number of weaknesses closed in the last year for each business unit (or the organization as a whole) as the base number divided by the sum of the number of weaknesses closed in 30 days, 60 days, 90 days, 180 days, and 1 year. [§ A.2.2.1, Security Metrics Guide for Information Technology Systems, NIST SP 800-55, July 2003]
The calculation for this metric should be stated as the # of vulnerabilities corrected / # of vulnerabilities identified during vulnerability scans. Use the total number of vulnerabilities discovered during the vulnerability scans for each business unit (or the organization as a whole) as the base number divided by the number of vulnerabilities that were corrected within the specified time period. [App A Measure 16, Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1, Revision 1]
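The following worked example is added here to show how the two calculations above behave on real records; it is not UCF or NIST code. It reads a list of weakness records (discovery date, correction date), assigns each closure to one of the 30/60/90/180/365-day bins, applies the SP 800-55 (2003) weighted formula from the NIST Guidance section, and separately computes the Rev. 1 Measure 16 ratio of corrected to identified. The record format, the business-unit field, the assumption that the bins are exclusive (0–30, 31–60, 61–90, 91–180, 181–365 days) and the sample dates are all constructed for illustration.

```python
"""Worked example (added illustration, not UCF or NIST code) of the NIST SP 800-55
time-to-correct metrics described on the page, run over constructed sample records."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Bin upper bounds from NIST SP 800-55 (2003) A.2.2.1: closed within 30, 60, 90, 180, 365 days.
BUCKETS = (30, 60, 90, 180, 365)


@dataclass(frozen=True)
class Weakness:
    ident: str            # tracking identifier (constructed)
    unit: str             # business unit, for per-unit reporting (constructed field)
    discovered: date
    corrected: Optional[date]  # None means the weakness is still open


def days_to_correct(w: Weakness) -> Optional[int]:
    """Elapsed days from discovery to correction; None while the weakness is open."""
    return None if w.corrected is None else (w.corrected - w.discovered).days


def bucket_counts(weaknesses: List[Weakness], period_end: date,
                  period_days: int = 365) -> Tuple[Dict[int, int], int]:
    """Count weaknesses corrected during the `period_days` ending at `period_end`, per bin.
    Assumption: bins are exclusive (0-30, 31-60, 61-90, 91-180, 181-365 days), so the
    counts add up to the total closed. Closures slower than 365 days fall outside the
    page's formula and are returned separately so they are not silently dropped."""
    period_start = period_end - timedelta(days=period_days)
    counts = dict.fromkeys(BUCKETS, 0)
    over_365 = 0
    for w in weaknesses:
        if w.corrected is None or not (period_start < w.corrected <= period_end):
            continue
        elapsed = days_to_correct(w)
        for bound in BUCKETS:
            if elapsed <= bound:
                counts[bound] += 1
                break
        else:
            over_365 += 1
    return counts, over_365


def bucketed_mean_days(counts: Dict[int, int]) -> Optional[float]:
    """The 800-55 (2003) formula quoted on the page:
    (n30*30 + n60*60 + n90*90 + n180*180 + n365*365) / total closed.
    Each closure is weighted by its bin's upper bound, so this over-states the true mean."""
    total = sum(counts.values())
    return None if total == 0 else sum(n * bound for bound, n in counts.items()) / total


def exact_mean_days(weaknesses: List[Weakness], period_end: date,
                    period_days: int = 365) -> Optional[float]:
    """Mean of the actual elapsed days for everything corrected in the period, including
    closures slower than 365 days, for comparison with the bucketed figure."""
    period_start = period_end - timedelta(days=period_days)
    elapsed = [days_to_correct(w) for w in weaknesses
               if w.corrected is not None and period_start < w.corrected <= period_end]
    return None if not elapsed else sum(elapsed) / len(elapsed)


def remediation_ratio(weaknesses: List[Weakness], period_start: date,
                      period_end: date) -> Optional[float]:
    """800-55 Rev. 1 Measure 16: weaknesses corrected / weaknesses identified, over
    those discovered within [period_start, period_end]."""
    identified = [w for w in weaknesses if period_start <= w.discovered <= period_end]
    corrected = [w for w in identified if w.corrected is not None and w.corrected <= period_end]
    return None if not identified else len(corrected) / len(identified)


# Constructed sample records for one business unit; dates are illustrative only.
SAMPLE = [
    Weakness("W1", "unit-a", date(2009, 1, 10), date(2009, 1, 25)),  # 15 days
    Weakness("W2", "unit-a", date(2009, 2, 1), date(2009, 3, 20)),   # 47 days
    Weakness("W3", "unit-a", date(2009, 3, 1), date(2009, 5, 15)),   # 75 days
    Weakness("W4", "unit-a", date(2009, 4, 1), date(2009, 8, 15)),   # 136 days
    Weakness("W5", "unit-a", date(2009, 1, 5), date(2009, 11, 20)),  # 319 days
    Weakness("W6", "unit-a", date(2008, 6, 1), date(2009, 9, 1)),    # 457 days, slower than 365
    Weakness("W7", "unit-a", date(2009, 10, 1), None),               # still open
    Weakness("W8", "unit-a", date(2009, 6, 1), date(2009, 6, 10)),   # 9 days
]


def report(weaknesses: List[Weakness] = SAMPLE, period_end: date = date(2009, 12, 31)) -> dict:
    """Both metrics for the year ending at period_end, as a plain dict for reporting."""
    counts, over_365 = bucket_counts(weaknesses, period_end)
    return {
        "bins": counts,
        "closed_over_365": over_365,
        "bucketed_mean_days": bucketed_mean_days(counts),
        "exact_mean_days": exact_mean_days(weaknesses, period_end),
        "remediation_ratio": remediation_ratio(weaknesses, date(2009, 1, 1), period_end),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the sample data the bucketed formula gives about 126 days while the exact mean over the same year is about 151 days: the bin weights round every closure up to its bin's upper bound, and the one closure slower than a year is outside the formula altogether. Reporting the over-365 count and the exact mean alongside the formula result keeps the metric honest when it is compared across business units.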
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
