- Overview of Metrics Program
- Purpose, Approach, and Objectives
- Benefits of Using Metrics
- Metrics Types
- Data Management Concerns
- Stakeholder Interest Identification
- Goals and Objectives Definition
- Security Policies, Guidance, and Procedures Review
- System Security Program Implementation Review
- Metrics Development and Selection
- Establishing Performance Targets
- Feedback within Metrics Development Process
- Metrics Program Implementation
Metrics Development and Selection
Phases 5, 6, and 7 in Figure 3 pertain to the development of metrics that measure process implementation, effectiveness and efficiency, and mission impact. The implementation evidence required to prove higher levels of effectiveness will progress from establishing that policies, standards and procedures exist, to quantifying how fully those policies, standards and procedures are implemented, to quantifying the results of that implementation, and ultimately to identifying the impact of implementation on the organization’s mission.
The universe of possible metrics, based on existing policies, standards and procedures, will be quite large. Metrics must be prioritized to ensure that the final set selected for initial implementation has the following qualities:
- The metrics support improvement of high-priority security control implementation. High priority may be defined by the latest results of risk assessments or by an internal organizational goal.
- They use data that can realistically be obtained from existing processes and data repositories.
- They measure processes that already exist and are relatively stable.
Measuring nonexistent or unstable processes will not provide meaningful information about security performance. Therefore, such measurements will not be useful for targeting specific aspects of performance.
A phased approach is required to identify short-, mid-, and long-term metrics. In a phased approach, the implementation time frame depends on a combination of system-level effectiveness, priority of the metrics, data availability, and process stability. Once applicable metrics that have the qualities described above are identified, they will need to be documented in the implementation plan.
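As an added example that is not part of the original guide, the three selection qualities and the phased time-frame factors above can be written down as a triage over a set of candidate metrics; the candidate metrics, control identifiers, attribute values and phase thresholds below are constructed assumptions, not taken from the guide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Candidate:
    name: str
    control: str   # identifier of the security control the metric supports
    level: str     # "implementation", "effectiveness" or "impact"
    data: str      # "automated", "manual" or "none" (no existing repository)
    process: str   # "stable", "maturing" or "missing" (process does not exist)

# Controls flagged by the latest risk assessment (constructed set, assumption).
HIGH_PRIORITY = {"AC-2", "CM-6", "IR-4"}

def qualifies(c: Candidate) -> bool:
    """The three selection qualities: high-priority control, data that can
    realistically be obtained, and an existing process to measure."""
    return (c.control in HIGH_PRIORITY
            and c.data != "none"
            and c.process != "missing")

def phase(c: Candidate) -> str:
    """Time frame from metric level, data availability and process stability.
    The thresholds here are an assumption, not taken from the guide."""
    if c.level == "implementation" and c.data == "automated" and c.process == "stable":
        return "short"
    if c.level == "impact" or (c.data == "manual" and c.process == "maturing"):
        return "long"
    return "mid"

def plan(candidates: list[Candidate]) -> dict[str, list[str]]:
    """Drop candidates that fail the qualities, then group the rest by phase."""
    out: dict[str, list[str]] = {"short": [], "mid": [], "long": []}
    for c in candidates:
        if qualifies(c):
            out[phase(c)].append(c.name)
    return out

# Constructed candidate metrics for illustration.
CANDIDATES = [
    Candidate("Accounts reviewed in last 90 days (%)", "AC-2", "implementation", "automated", "stable"),
    Candidate("Systems on approved baseline (%)", "CM-6", "implementation", "manual", "stable"),
    Candidate("Mean time to contain incidents", "IR-4", "effectiveness", "automated", "maturing"),
    Candidate("Loss avoided through containment", "IR-4", "impact", "manual", "maturing"),
    Candidate("Staff completing awareness training (%)", "AT-2", "implementation", "automated", "stable"),
    Candidate("Privileged accounts with MFA (%)", "AC-2", "implementation", "none", "stable"),
    Candidate("Baseline deviations remediated (%)", "CM-6", "effectiveness", "automated", "missing"),
]

if __name__ == "__main__":
    for tier, names in plan(CANDIDATES).items():
        print(f"{tier}-term: {names}")
```

The last three candidates are dropped because they fail one quality each (control not high priority, no data source, no process to measure); the rest land in a phase, which is the list the implementation plan would document.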