Requirements

Some security metrics monitor measurable data that may be difficult to obtain. Metrics must use easily obtainable data to ensure that the burden of measurement on an organization does not absorb too many resources. Only processes that can be consistent, repeatable, and measurable should be considered for measurement.

At this point some processes within the security program may not be consistent and repeatable enough to be properly measured. In many cases it is critical to first get processes defined and matured and then measure their success factors.

To track performance and assist in directing resources, metrics must provide relevant performance trends over time and point to actions aimed at alleviating problems. Management should use metrics to assess performance by reviewing metrics trends, identifying and prioritizing corrective actions, and directing the application of those corrective actions based on risk mitigation factors and available resources.

The metrics development process ensures that metrics are developed for the purpose of identifying the causes of poor performance, so that they point to appropriate corrective actions. Metrics support the accomplishment of goals and objectives by quantifying the implementation of security controls and the effectiveness and efficiency of those controls, by analyzing the adequacy of security activities, and by identifying possible improvement actions.

Security metrics must yield quantifiable information for comparison, apply formulas for analysis, and track changes using the same points of reference. Percentages or averages are most common, although absolute numbers are sometimes useful, depending on the activity that is being measured.
