System Security Program Implementation Review

In Phase 4 of the metrics development process illustrated in Figure 3, any existing metrics and data repositories that can be used to derive metrics data should be reviewed. Following the review, applicable information should be extracted and used to identify appropriate implementation evidence that will support metrics development and data collection.

Implementation evidence points to aspects of security controls that would indicate the security performance objective is being met, or at least that actions leading to the accomplishment of the performance objective in the future are being performed. The security requirements, processes, and procedures that have been implemented can be extracted by consulting multiple sources, including documents, interviews, and observation.

If metric data has no associated implementation evidence identified and documented, it should not be fully trusted. For metrics to be quantified, they must not only be represented numerically but also be free of subjectivity.
