Information Security Governance Papers

Paper Title Measurement and Metrics14
The Abstract of The Paper Metrics are tools designed to improve performance and accountability through the collection, analysis, and reporting of relevant performance-related data. Information security metrics monitor the accomplishment of goals and objectives by quantifying the implementation level of security controls and the efficiency and effectiveness of the controls, by analyzing the adequacy of security activities, and by identifying possible improvement actions.

  • Metrics/performance measures are aligned to the agency strategy and information security strategy, and therefore are aligned to mission requirements.
  • Agency uses metrics/performance measures to quantify and assess its information security performance and to identify and target corrective actions.
  • Agency decision makers use metrics/performance measures as an input into decision making regarding prioritization of activities and resource and funding allocations.
  • Agency uses metrics/performance measures that can be obtained without spending extraordinary resources.
  • Metrics/performance measures provide numerical and empirical data rather than opinions.
  • Metrics/performance measures are regularly verified by third-party reviewers for accuracy and validity.
  • Metrics/performance measures provide meaningful data to assess the impact of changes over time.
  • Agency collects data to calculate metrics/performance measures at the most discrete, unanalyzed level possible.
  • Agency uses well-defined and specified metrics/performance measures.

Web Link http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
