CERT/CC just published ten Principles of Survivability and Information Assurance. They are:
1. Survivability is an enterprise-wide concern.
2. Everything is data.
3. Not all data is of equal value to the enterprise – risk must be managed.
4. Information assurance policy governs actions.
5. Identification of users, computer systems, and network infrastructure components is critical.
6. Survivable Functional Units (SFUs) are a helpful way to think about an enterprise’s networks.
7. Security Knowledge in Practice (SKiP) provides a structured approach.
8. The road map guides implementation choices (all technology is not equal).
9. Challenge assumptions to understand risk. (Think like an intruder.)
10. Communication skill is critical to reach all constituencies.
Some of these principles are backed by their own papers or CERT practices. They are a good starting point for assessing an organization's overall security posture.