Data Management Concerns
The importance of standardizing reporting processes cannot be overemphasized. To ascertain the quality and validity of data, data collection methods and data repositories used either directly or as data sources for metrics data collection and reporting should be standardized. The validity of data is suspect if the primary data source is an incident-reporting database that stores only the information reported by some organizational elements, or if reporting processes between organizations are inconsistent. When an organization is developing and implementing processes that may serve as inputs to its security metrics program, it must ensure that data gathering and reporting are clearly defined.
The organization’s personnel must understand that although they may collect a lot of security data, not all data will be useful for their metrics program at any given point in time. Any data collection, specifically for the purpose of security metrics, must be as non-intrusive as possible. It also must be of maximum usefulness. This is to ensure that available resources are primarily used to correct problems, and not to collect data for data’s sake.
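As an added example (not part of the original text), the following Python sketch shows one way to apply the standardization and validity checks described above: incident records from several organizational units are validated against a common reporting schema, and a reporting-timeliness metric is marked as suspect when records are non-standard or when too few units are contributing data. The schema, unit names, SLA and coverage threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Standardized schema every reporting unit must follow (assumed for this example)
REQUIRED_FIELDS = ("unit", "detected_at", "reported_at", "severity")
TIMESTAMP_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample incident records; only three of four expected units report
INCIDENTS = [
    {"unit": "hq", "detected_at": "2024-03-01T08:00:00", "reported_at": "2024-03-01T10:00:00", "severity": "high"},
    {"unit": "hq", "detected_at": "2024-03-02T09:00:00", "reported_at": "2024-03-03T15:00:00", "severity": "low"},
    {"unit": "plant-a", "detected_at": "2024-03-02T12:00:00", "reported_at": "2024-03-02T13:30:00", "severity": "medium"},
    {"unit": "plant-b", "detected_at": "03/04/2024", "reported_at": "2024-03-04T11:00:00", "severity": "low"},  # non-standard
]
EXPECTED_UNITS = {"hq", "plant-a", "plant-b", "datacenter"}

def validate(record):
    """Return schema violations for one record; an empty list means it follows the standard."""
    errors = [f"missing {f}" for f in REQUIRED_FIELDS if f not in record]
    for f in ("detected_at", "reported_at"):
        if f in record:
            try:
                datetime.strptime(record[f], TIMESTAMP_FMT)
            except ValueError:
                errors.append(f"{f} not in {TIMESTAMP_FMT}")
    return errors

def reporting_coverage(records, expected_units):
    """Fraction of expected organizational elements that contributed at least one record."""
    reporting = {r["unit"] for r in records if "unit" in r}
    return len(reporting & expected_units) / len(expected_units)

def timely_reporting_metric(records, expected_units, sla=timedelta(hours=24), min_coverage=0.75):
    """Percentage of standard-conforming incidents reported within the SLA, with a validity verdict.
    The metric is flagged as suspect when any record violates the schema (the data source is
    inconsistent) or when too few organizational elements are reporting (the source is partial)."""
    valid = [r for r in records if not validate(r)]
    rejected = len(records) - len(valid)
    within_sla = sum(
        1 for r in valid
        if datetime.strptime(r["reported_at"], TIMESTAMP_FMT)
        - datetime.strptime(r["detected_at"], TIMESTAMP_FMT) <= sla
    )
    coverage = reporting_coverage(valid, expected_units)
    return {
        "pct_within_sla": round(100 * within_sla / len(valid), 1) if valid else None,
        "records_rejected": rejected,
        "coverage": coverage,
        "valid": rejected == 0 and coverage >= min_coverage,
    }
```

On the constructed data the metric value (66.7% within SLA) is computed but flagged invalid, because one unit's records fail the schema and only half of the expected units are represented.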
The establishment of a metrics program will require a substantial investment to ensure that the program is properly implemented and to maximize its benefits. The resources required for maintaining the program are not expected to be as significant.
Two processes guide the establishment and operation of a security metrics program: metrics development and metrics implementation. The metrics development process establishes the initial set of metrics and the selection of the metrics subset appropriate for an organization at a given time. The metrics implementation process operates a metrics program that is iterative, and that ensures the appropriate aspects of security are measured for a specific time period. Security metrics can be used to progressively measure the implementation, efficiency, effectiveness, and business impact of security activities within an organization or for specific systems.
The metrics development process is illustrated in the figure below.
Figure 5 Metrics Development Process
The security metrics development process consists of two major activities:
- Identification and definition of the current security program security controls
- Development and selection of specific metrics to measure implementation, efficiency, effectiveness, and impact of the security controls