- Overview of Metrics Program
- Purpose, Approach, and Objectives
- Benefits of Using Metrics
- Metrics Types
- Data Management Concerns
- Stakeholder Interest Identification
- Goals and Objectives Definition
- Security Policies, Guidance, and Procedures Review
- System Security Program Implementation Review
- Metrics Development and Selection
- Establishing Performance Targets
- Feedback within Metrics Development Process
- Metrics Program Implementation
System Security Program Implementation Review
In Phase 4 of the metrics development process illustrated in Figure 3, any existing metrics and data repositories that can be used to derive metrics data should be reviewed. Following the review, applicable information should be extracted and used to identify appropriate implementation evidence that will support metrics development and data collection.
Implementation evidence points to those aspects of security controls that indicate the security performance objective is being met, or at least that actions leading to the accomplishment of the performance objective in the future are being performed. The security requirements, processes, and procedures that have been implemented can be identified by consulting multiple sources, including documents, interviews, and direct observation.
If metric data has no associated implementation evidence identified and documented, it should not be fully trusted. For metrics to be quantifiable, they must be expressed numerically and must not be subjective in nature.
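To make the evidence requirement concrete, the following added Python example (not from the NIST guidance; every record, system name, control identifier and source label is constructed) derives a metric value only from records that carry documented, objective implementation evidence and flags the rest as untrusted.

```python
"""Derive a security metric from implementation evidence records.

Added illustration; all evidence records below are constructed and
hypothetical. Evidence counts as usable only when it was collected
from a document, an interview or an observation, cites a reference
that can be re-checked, and records a yes/no fact, not an opinion.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

VALID_SOURCES = {"document", "interview", "observation"}


@dataclass(frozen=True)
class Evidence:
    system: str                  # system the evidence was collected for
    control: str                 # control the evidence relates to (placeholder ids)
    implemented: Optional[bool]  # None means "opinion only", not a verifiable fact
    source: str                  # how the evidence was collected
    reference: str               # document id, interview id or observation log id


def evidence_is_usable(e: Evidence) -> bool:
    """True when the record is objective and its evidence is documented."""
    return (e.source in VALID_SOURCES
            and bool(e.reference)
            and isinstance(e.implemented, bool))


def derive_metric(records: List[Evidence], control: str
                  ) -> Tuple[Optional[float], List[Evidence]]:
    """Percentage of systems with the control implemented, plus untrusted records.

    Returns (None, untrusted) when no usable evidence exists, so the caller
    never reports a number that has no implementation evidence behind it.
    """
    relevant = [e for e in records if e.control == control]
    usable = [e for e in relevant if evidence_is_usable(e)]
    untrusted = [e for e in relevant if not evidence_is_usable(e)]
    if not usable:
        return None, untrusted
    pct = 100.0 * sum(1 for e in usable if e.implemented) / len(usable)
    return round(pct, 1), untrusted


# Constructed sample evidence (hypothetical systems, controls and references).
SAMPLE_EVIDENCE = [
    Evidence("sys-a", "ctrl-1", True, "document", "ssp-sys-a-rev3"),
    Evidence("sys-b", "ctrl-1", True, "observation", "obs-02"),
    Evidence("sys-c", "ctrl-1", False, "interview", "int-07"),
    Evidence("sys-d", "ctrl-1", True, "self-report", ""),   # no evidence: untrusted
    Evidence("sys-a", "ctrl-2", True, "document", "ssp-sys-a-rev3"),
]
```

Running `derive_metric(SAMPLE_EVIDENCE, "ctrl-1")` yields 66.7 from the three evidenced records and returns the self-reported record separately so it can be followed up rather than silently counted.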