[Owasp-cmm] Owasp-cmm Digest, Vol 3, Issue 5

Kimberley Laris kimberley.laris at onebox.com
Tue Oct 28 13:42:22 EDT 2008


For examples to emulate in building business value into the metrics:

1) ISACA's COBIT was intentionally aligned to consider business risks and
value. This document shows a cross-referencing to ITIL (which also considers
business value) and ISO 17799/27002 for a holistic view of the framework:
http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/ContentManagement/ContentDisplay.cfm&ContentID=22493

2) The Maturity Model structure in COBIT (a 0-5 model) has proved to be very
effective for many years for independent consulting evaluations and
self-assessments (I know a CIO who used it for goal setting and measurement
for annual performance evaluation, and to keep the whole department with
diverse platforms focused on the same communicated roadmap of improvement).
It is based on SEI's CMM, and the language tends to communicate well for
both IT and business roles. The measurements work well enough that
companies input their status to obtain an idea of how they are doing
compared to others in the same industry (i.e., a level 2 might not be too
bad if everyone around you is averaging a level 1-).

The same 0-5 structure could be used by OWASP at a top level, and/or at a
tactical level. Each key factor provides descriptions of what makes for a
0-5 rating, and users can self-judge the fairest evaluation due to
verifiable characteristics listed for each rank - which can be flexible
(i.e., I've seen 3+ or 2- ratings). Figure 15 at
http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/ContentManagement/ContentDisplay.cfm&ContentID=22493
provides a high level view of the maturity ratings, which have a detailed
rating for all COBIT IT management areas. For an example, see Acquire and
Maintain Application Software on page 80, and the metrics for this process
at the end of page 77, in the main COBIT 4.1 (a very large document to
download):
http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Obtain_COBIT/Obtain_COBIT.htm
Developing useful measurements should be much simpler for OWASP, as
achievement can be technically tested and demonstrated for effectiveness
levels.

Kimberley 

Kimberley Laris CIA, CISA, CISSP, QSA-PCI
Positive Assurance+

School never ends. - Quinland, 2000

-----Original Message-----
From: owasp-cmm-bounces at lists.owasp.org
[mailto:owasp-cmm-bounces at lists.owasp.org] On Behalf Of
owasp-cmm-request at lists.owasp.org
Sent: Tuesday, October 28, 2008 12:00 PM
To: owasp-cmm at lists.owasp.org
Subject: Owasp-cmm Digest, Vol 3, Issue 5



Today's Topics:

   1. Feedback Requested: OWASP SAMM (james at architectbook.com)
   2. Metrics (james at architectbook.com)


----------------------------------------------------------------------

Message: 1
Date: Tue, 28 Oct 2008 05:22:32 -0700
From: james at architectbook.com
Subject: [Owasp-cmm] Feedback Requested: OWASP SAMM
To: owasp-cmm at lists.owasp.org
Message-ID: <20081028052231.1b34e4c3b93181cbb56b6df77bbedd57.ff29b34f18.wbe at email.secureserver.net>
Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-cmm/attachments/20081028/e9618060/attachment-0001.html

------------------------------

Message: 2
Date: Tue, 28 Oct 2008 07:30:00 -0700
From: james at architectbook.com
Subject: [Owasp-cmm] Metrics
To: owasp-cmm at lists.owasp.org
Message-ID: <20081028052746.1b34e4c3b93181cbb56b6df77bbedd57.2e6cae2b6d.wbe at email.secureserver.net>
Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-cmm/attachments/20081028/e5e3d797/attachment-0001.html

------------------------------
