
Security Metrics Guide for Information Technology Systems


The requirement to measure IT security performance is driven by regulatory, financial, and
organizational reasons. A number of existing laws, rules, and regulations cite IT performance
measurement in general, and IT security performance measurement in particular, as a
requirement. These laws include the Clinger-Cohen Act, Government Performance and Results
Act (GPRA), Government Paperwork Elimination Act (GPEA), and Federal Information
Security Management Act (FISMA).
This document provides guidance on how an organization, through the use of metrics, identifies
the adequacy of in-place security controls, policies, and procedures. It provides an approach to
help management decide where to invest in additional security protection resources or identify
and evaluate nonproductive controls. It explains the metric development and implementation
process and how it can also be used to adequately justify security control investments. The
results of an effective metric program can provide useful data for directing the allocation of
information security resources and should simplify the preparation of performance-related
reports.
Metrics are tools designed to facilitate decision making and improve performance and
accountability through collection, analysis, and reporting of relevant performance-related data.
IT security metrics must be based on IT security performance goals and objectives. IT security
performance goals state the desired results of a system security program implementation. IT
security performance objectives enable accomplishment of goals by identifying practices defined
by security policies and procedures that direct consistent implementation of security controls
across the organization. IT security metrics monitor the accomplishment of the goals and
objectives by quantifying the level of implementation of the security controls and the
effectiveness and efficiency of the controls, analyzing the adequacy of security activities and
identifying possible improvement actions. This document provides examples of metrics based on
the critical elements and security controls and techniques contained in NIST Special Publication
800-26, Security Self-Assessment Guide for Information Technology Systems. During metrics
development, goals and objectives from federal, internal, and external guidance, legislation, and
regulations are identified and prioritized to ensure that the measurable aspects of security
performance correspond to operational priorities of the organization.
The following matters must be considered during development and implementation of an IT
security metrics program:
· Metrics must yield quantifiable information (percentages, averages, and numbers)
· Data supporting metrics needs to be readily obtainable
· Only repeatable processes should be considered for measurement
· Metrics must be useful for tracking performance and directing resources.
The metrics development process described in this document ensures that metrics are developed
with the purpose of identifying the causes of poor performance and therefore point to appropriate
corrective actions.
Organizations can develop and collect metrics of three types:
· Implementation metrics to measure implementation of security policy
· Effectiveness/efficiency metrics to measure results of security services delivery
· Impact metrics to measure business or mission impact of security events.
The types of metrics that can realistically be obtained and that can also be useful for performance
improvement depend on the maturity of the agency’s security program and the system’s security
control implementation. Although different types of metrics can be used simultaneously, the
primary focus of IT security metrics shifts as the implementation of security controls matures