- Overview of Metrics Program
- Purpose, Approach, and Objectives
- Benefits of Using Metrics
- Metrics Types
- Data Management Concerns
- Stakeholder Interest Identification
- Goals and Objectives Definition
- Security Policies, Guidance, and Procedures Review
- System Security Program Implementation Review
- Metrics Development and Selection
- Establishing Performance Targets
- Feedback within Metrics Development Process
- Metrics Program Implementation
Security Policies, Guidance, and Procedures Review
The details of how security controls should be implemented are usually described in organization-specific policies, standards, and procedures (Phase 3 in Figure 3). These define a baseline of security practices. Specifically, they describe security control objectives and techniques that should lead to accomplishing security performance goals and objectives.
These documents should be examined during initial development. They should also be examined in future metrics development, when the initial list of metrics is exhausted and other metrics need to replace them. The applicable documents should be reviewed to identify prescribed practices, relevant targets of performance, and detailed security controls for system operations and maintenance.