What would be good assessments of cyber resilience? I imagined something like a score on different topics, e.g.:
Data Protection: HIGH RISK
Malware defense: MEDIUM RISK
Application/System Life Cycle: No RISK
Vulnerability management: EXTREME RISK
etc.
Where the risk assessment is the result of subcategories like:
1.1 Backups in place?
1.2 Data Leakage Prevention?
1.3 Access control effective?
or
2.1 Anti-virus installed everywhere?
2.2 Anti-virus definitions up-to-date?
2.3 Office macros disabled?
My Question: Is there a standard for such an assessment? I looked at the ISO 27k series, the French ANSSI, the German BSI and the OWASP Project, but I could not find such a metric. These documents do not seem to be technical enough to define a measurable checklist.
For example, the very helpful document http://www.ssi.gouv.fr/en/guide/40-essential-measures-for-a-healthy-network/ contains 42 security measures. However, I find it difficult to create a scoring function out of it.
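One way to turn a checklist like the one sketched in the question into per-category risk bands, as an added example that is not from the question, from ANSSI or from any standard: each yes/no item carries a weight, the weight of failed items is rolled up into a score per category, and the score is mapped onto the four bands. The weights, the band thresholds and the sample answers are assumptions chosen for illustration; items that were never assessed are counted as failed so that missing evidence raises the score instead of hiding risk.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Check:
    ref: str
    question: str
    weight: int                   # assumed weight: how much a failed check adds to risk
    answered_yes: Optional[bool]  # None means the item was not assessed


@dataclass
class Category:
    name: str
    checks: List[Check]


def category_score(cat: Category) -> float:
    """Weighted share of failed checks in [0, 1]; unassessed items count as failed."""
    total = sum(c.weight for c in cat.checks)
    if total == 0:
        return 0.0
    failed = sum(c.weight for c in cat.checks if c.answered_yes is not True)
    return failed / total


def risk_level(score: float) -> str:
    """Map a score onto the four bands from the question (thresholds are assumed)."""
    if score == 0.0:
        return "NO RISK"
    if score <= 1 / 3:
        return "MEDIUM RISK"
    if score <= 2 / 3:
        return "HIGH RISK"
    return "EXTREME RISK"


def assess(categories: List[Category]) -> dict:
    """Return {category name: (score rounded to 2 places, risk band)}."""
    return {c.name: (round(category_score(c), 2), risk_level(category_score(c))) for c in categories}


# Constructed sample answers modelled on the question's sketch; weights are assumptions.
SAMPLE = [
    Category("Data Protection", [
        Check("1.1", "Backups in place?", 3, True),
        Check("1.2", "Data Leakage Prevention?", 2, False),
        Check("1.3", "Access control effective?", 3, True)]),
    Category("Malware defense", [
        Check("2.1", "Anti-virus installed everywhere?", 3, True),
        Check("2.2", "Anti-virus definitions up-to-date?", 2, False),
        Check("2.3", "Office macros disabled?", 2, None)]),  # not assessed -> counts as failed
    Category("Vulnerability management", [Check("3.1", "Patches applied within SLA?", 3, False)]),
]
```

Running `assess(SAMPLE)` yields MEDIUM RISK for Data Protection (2 of 8 weight failed), HIGH RISK for Malware defense (4 of 7, because the unassessed macro item counts against it) and EXTREME RISK for Vulnerability management.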