CIS Guidelines for Security Metrics

Dark Reading seems to be an advertising site. Every time I read an article there it feels more like a vendor press release than anything insightful or balanced. That being said, I have not found mention of this anywhere else (yet):

The first set of metrics that the CIS will release tomorrow for download are: mean time between security incidents; mean time to recover from security incidents; percentage of systems configured to approved standards; percentage of systems patched to policy; percentage of systems with anti-virus; percentage of business applications that had a risk assessment; percentage of business applications that had a penetration or vulnerability assessment; and percentage of application code that had a security assessment, threat model analysis, or code review prior to production deployment.

This would be a very useful set of data, indeed. In fact, it mirrors a set of questions I proposed for the survey at the Protect ’08 conference in Washington DC. My questions were not chosen for the survey, unfortunately, or they would have coincided with this CIS press release. Oh well.

A universal grading system is a bit pie-in-the-sky for me. How many schools have how many interpretations of grading after how many years and yet CIS believes they will crack the code of a common security grading system?
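To make the quoted metrics concrete, here is an added example (my own illustration, not code from CIS or from the Dark Reading article) that computes each of the eight metrics from constructed incident and inventory records. It assumes a simple data model (Incident, System, Application dataclasses) and, as a simplification, scores "percentage of application code reviewed" per application rather than per line or module. Two edge cases a real implementation has to decide on are handled explicitly: still-open incidents are excluded from mean time to recover instead of being counted as zero, and an empty population yields None rather than a division error.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional, Sequence, TypeVar

T = TypeVar("T")


@dataclass
class Incident:
    """A security incident; 'closed' is None while it is still open (assumed model)."""
    opened: datetime
    closed: Optional[datetime] = None


@dataclass
class System:
    """A host in the inventory; the flags map to three of the quoted CIS metrics."""
    name: str
    configured_to_standard: bool
    patched_to_policy: bool
    has_antivirus: bool


@dataclass
class Application:
    """A business application. 'code_reviewed' is a per-application simplification
    of the 'percentage of application code' metric (assumption, not the CIS definition)."""
    name: str
    risk_assessed: bool
    pentested: bool
    code_reviewed: bool


def mean_time_between_incidents(incidents: Sequence[Incident]) -> Optional[timedelta]:
    """Mean gap between consecutive incident start times; needs at least two incidents."""
    starts = sorted(i.opened for i in incidents)
    if len(starts) < 2:
        return None
    gaps = [later - earlier for earlier, later in zip(starts, starts[1:])]
    return sum(gaps, timedelta()) / len(gaps)


def mean_time_to_recover(incidents: Sequence[Incident]) -> Optional[timedelta]:
    """Mean open-to-closed duration. Open incidents are left out rather than
    counted as zero, which would make the number look better than it is."""
    durations = [i.closed - i.opened for i in incidents if i.closed is not None]
    if not durations:
        return None
    return sum(durations, timedelta()) / len(durations)


def percentage(items: Sequence[T], predicate: Callable[[T], bool]) -> Optional[float]:
    """Share (0-100) of items satisfying predicate; None for an empty population."""
    if not items:
        return None
    return 100.0 * sum(1 for item in items if predicate(item)) / len(items)


def cis_metrics(incidents: Sequence[Incident], systems: Sequence[System],
                apps: Sequence[Application]) -> Dict[str, object]:
    """All eight metrics from the quoted CIS list, keyed by a short name."""
    return {
        "mean_time_between_incidents": mean_time_between_incidents(incidents),
        "mean_time_to_recover": mean_time_to_recover(incidents),
        "pct_systems_configured_to_standard": percentage(systems, lambda s: s.configured_to_standard),
        "pct_systems_patched_to_policy": percentage(systems, lambda s: s.patched_to_policy),
        "pct_systems_with_antivirus": percentage(systems, lambda s: s.has_antivirus),
        "pct_apps_risk_assessed": percentage(apps, lambda a: a.risk_assessed),
        "pct_apps_pentested": percentage(apps, lambda a: a.pentested),
        "pct_apps_code_reviewed": percentage(apps, lambda a: a.code_reviewed),
    }


# Constructed sample data (not real incidents or hosts), deliberately out of order
# to show that the incident list is sorted before gaps are computed.
SAMPLE_INCIDENTS = [
    Incident(datetime(2008, 1, 31)),                              # still open
    Incident(datetime(2008, 1, 1), datetime(2008, 1, 1, 4)),      # 4 hours to recover
    Incident(datetime(2008, 1, 11), datetime(2008, 1, 12)),       # 24 hours to recover
]
SAMPLE_SYSTEMS = [
    System("web01", True, True, True),
    System("web02", True, False, True),
    System("db01", False, False, True),
    System("jump01", True, True, False),
]
SAMPLE_APPS = [
    Application("payroll", True, True, False),
    Application("crm", False, True, False),
]

if __name__ == "__main__":
    for name, value in cis_metrics(SAMPLE_INCIDENTS, SAMPLE_SYSTEMS, SAMPLE_APPS).items():
        print(f"{name}: {value}")
```

On the sample data the two time metrics come out as 15 days between incidents and 14 hours to recover; note that the open incident on 31 January still counts toward the interval metric but not toward recovery time, which is the kind of definitional choice a "universal" metric set would have to pin down for organisations to be comparable.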
