- Overview of Metrics Program
- Purpose, Approach, and Objectives
- Benefits of Using Metrics
- Metrics Types
- Data Management Concerns
- Stakeholder Interest Identification
- Goals and Objectives Definition
- Security Policies, Guidance, and Procedures Review
- System Security Program Implementation Review
- Metrics Development and Selection
- Establishing Performance Targets
- Feedback within Metrics Development Process
- Metrics Program Implementation
Feedback within Metrics Development Process
The metrics that are ultimately selected for implementation will be useful not only for measuring performance, identifying causes of unsatisfactory measurements, and pinpointing improvement areas, but also for assisting in continuous policy implementation, effecting security policy changes, and redefining goals and objectives. Once the measurement of security control implementation begins, subsequent measurements can identify performance trends and ascertain whether the rate of implementation is appropriate.
Once effectiveness and efficiency metrics are implemented, they will help determine whether the security control performance goals set in the security policies, standards, and procedures are realistic and appropriate. For example, if a security policy defines a specific password configuration, compliance with this policy could be determined by measuring the percentage of passwords that are configured according to the policy. Such a measure addresses the level of security control implementation. It is assumed that configuring all passwords according to the policy will significantly reduce, if not eliminate, system compromises through cracked passwords.
To measure the effectiveness of the existing password policy implementation, the percentage of passwords crackable by common password-breaking tools could be identified. This measure addresses the effectiveness of the security control as implemented. If a significant percentage of crackable passwords remains after the required password policy has been implemented, the underlying policy may be ineffective in thwarting password compromises. If so, the organization will need to consider strengthening the policy or implementing other mitigating measures, and will then need to determine the costs and benefits of keeping the password policy as is, tightening it, or replacing password authentication with other techniques.
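The distinction the two paragraphs above draw, between an implementation metric (share of passwords that satisfy the configured policy) and an effectiveness metric (share that a password audit can still recover), is easiest to see when both are computed over the same account set. The following Python is an added example, not part of the original document: the policy thresholds, the tiny weak-word list standing in for a cracking tool's verdict, and the ten audited passwords are all constructed for illustration. A real audit would obtain the per-account "crackable" verdict from an authorised audit tool run against stored hashes, not from plaintext passwords as done here for readability.

```python
import re
from dataclasses import dataclass

# Constructed policy rule set, standing in for the "specific password
# configuration" the text mentions. The thresholds are assumptions.
MIN_LENGTH = 10
REQUIRED_CLASSES = (
    re.compile(r"[A-Z]"),
    re.compile(r"[a-z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
)

# Constructed stand-in for an audit tool's wordlist: a few well-known weak
# base words. The real per-account verdict would come from the audit tool.
WEAK_BASE_WORDS = {"password", "welcome", "summer", "letmein", "qwerty", "admin"}
TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*]+$")
SUBSTITUTIONS = str.maketrans("01345@$!", "oieasasi")


def complies_with_policy(password: str) -> bool:
    """Implementation metric input: does the password meet the configured rule?"""
    return len(password) >= MIN_LENGTH and all(c.search(password) for c in REQUIRED_CLASSES)


def likely_crackable(password: str) -> bool:
    """Effectiveness metric input: a toy imitation of what a dictionary audit
    reports. Trailing digits/symbols are stripped, common substitutions undone,
    and the remaining base word compared with the weak list."""
    base = TRAILING_JUNK.sub("", password).translate(SUBSTITUTIONS).lower()
    return password.lower() in WEAK_BASE_WORDS or base in WEAK_BASE_WORDS


@dataclass
class PasswordMetrics:
    accounts: int
    implementation_pct: float   # share of passwords meeting the policy
    effectiveness_pct: float    # share of passwords NOT recovered by the audit
    residual_risk_pct: float    # share of policy-compliant passwords still recovered


def _pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


def compute_metrics(passwords: list[str]) -> PasswordMetrics:
    """Compute the implementation and effectiveness metrics over one audit set."""
    compliant = [p for p in passwords if complies_with_policy(p)]
    crackable = [p for p in passwords if likely_crackable(p)]
    compliant_but_crackable = [p for p in compliant if likely_crackable(p)]
    return PasswordMetrics(
        accounts=len(passwords),
        implementation_pct=_pct(len(compliant), len(passwords)),
        effectiveness_pct=_pct(len(passwords) - len(crackable), len(passwords)),
        residual_risk_pct=_pct(len(compliant_but_crackable), len(compliant)),
    )


def policy_verdict(m: PasswordMetrics, residual_threshold_pct: float = 25.0) -> str:
    """Turn the metrics into the decision the text describes: if passwords that
    satisfy the policy are still widely recoverable, the policy itself is the
    problem, not its rollout. The 25% threshold is an assumed target."""
    if m.residual_risk_pct > residual_threshold_pct:
        return "strengthen policy or add mitigations"
    if m.implementation_pct < 100.0:
        return "policy adequate; complete rollout"
    return "policy adequate and fully implemented"


# Constructed audit sample: seven passwords satisfy the rule, four of those
# are still trivially recoverable, and one strong passphrase fails the rule.
SAMPLE_AUDIT = [
    "Password1!", "W3lcome2024$", "Summer2023!", "L3tM3!n2024",   # compliant, weak
    "Tr0ub4dor&3", "xK9#mQ2$vL7p", "Blue-Giraffe-Paints-77",      # compliant, strong
    "correct horse battery staple",                                # non-compliant, strong
    "qwerty", "Admin123",                                          # non-compliant, weak
]

if __name__ == "__main__":
    metrics = compute_metrics(SAMPLE_AUDIT)
    print(metrics)                 # implementation 70.0%, effectiveness 40.0%, residual 57.1%
    print(policy_verdict(metrics))
```

The useful reading is the third number: 70% of accounts comply, yet 57.1% of the compliant passwords are still recoverable, so raising compliance toward 100% would barely move the effectiveness metric. That is the signal that sends the organization into the cost-benefit step of tightening the rule or replacing password authentication.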
Conducting cost-benefit analyses will generate business impact metrics that address the redefining of system identification and authentication objectives and their realignment with the mission of the security program.