- Overview of Metrics Program
- Purpose, Approach, and Objectives
- Benefits of Using Metrics
- Metrics Types
- Data Management Concerns
- Stakeholder Interest Identification
- Goals and Objectives Definition
- Security Policies, Guidance, and Procedures Review
- System Security Program Implementation Review
- Metrics Development and Selection
- Establishing Performance Targets
- Feedback within Metrics Development Process
- Metrics Program Implementation
Overview of Metrics Program
A security metrics program within an organization should include four interdependent components, as illustrated in the figure below.
Figure 2 Components of a Metrics Program
The first component, a foundation of strong upper-level management support, is critical. It is crucial not only for the success of the security program, but also for the implementation of a security metrics program. This support establishes a focus on security within the highest levels of the organization. A solid foundation means the proactive support of persons in positions of control of security resources. Without such as foundation, the effectiveness of the security metrics program can fail when pressured by politics and budget limitations.
The proper development of a metric program requires both people with the correct skill set and funds to support the efforts. Many times upper management will ask for performance data but not realize how much work has to go into gathering this data in a quantifiable manner.
The second component of an effective program is practical security policies, standards and procedures backed by the authority to enforce compliance. Practical security policies, standards, and procedures are those that are attainable and that provide meaningful security through appropriate controls. Metrics are not easily obtainable if there are no policies, standards, and procedures in place.
The third component is developing and establishing quantifiable performance metrics that are designed to capture and provide meaningful performance data. Quantifiable security metrics must be based on security performance goals and objectives, be easily obtainable, and be feasible to measure. They must also be repeatable, provide relevant performance trends over time, and be useful for tracking performance and directing resources to the appropriate places.
Finally, the security metrics program itself must emphasize consistent and periodic analysis of the metrics data. The results of this analysis are used to apply lessons learned, improve the effectiveness of existing security controls, and plan future controls to meet new security requirements as they occur. Accurate data collection must be a priority with stakeholders and users if the collected data is to be meaningful to the management and improvement of protection of sensitive data.
The success of implementing a security metrics program should be judged by the meaningful results that are produced. A comprehensive security metrics analysis program should provide substantive justification for decisions that directly affect the security posture of an organization. These decisions include budget and personnel requests and allocation of available resources. A security metrics program also should provide a precise basis for preparation of required security performance-related reports.