TABLE OF CONTENTS

EXECUTIVE SUMMARY  VII

1. INTRODUCTION  1
  1.1 History  1
  1.2 Overview of Metrics Program  2
  1.3 Relationship to Other NIST Documents  3
  1.4 Audience  3
  1.5 Document Organization  3

2. ROLES AND RESPONSIBILITIES  5
  2.1 Head of the Agency  5
  2.2 Chief Information Officer  5
  2.3 Agency IT Security Program Manager  6
  2.4 Program Manager/System Owner  7
  2.5 System Security Officer  8

3. IT SECURITY METRICS BACKGROUND  9
  3.1 Definition  9
  3.2 Benefits of Using Metrics  10
  3.3 Metrics Types  11
  3.4 Success Factors  13
    3.4.1 Organizational Considerations  13
    3.4.2 Manageability  13
    3.4.3 Data Management Concerns  13

4. METRICS DEVELOPMENT AND IMPLEMENTATION APPROACH  15
  4.1 Metrics Development Process  15
    4.1.1 Stakeholder Interest Identification  16
    4.1.2 Goals and Objectives Definition  17
    4.1.3 IT Security Policies, Guidance, and Procedures Review  18
    4.1.4 System Security Program Implementation Review  18
    4.1.5 Metrics Development and Selection  19
  4.2 Establishing Performance Targets  21
  4.3 Feedback Within Metrics Development Process  22

5. METRICS PROGRAM IMPLEMENTATION  24
  5.1 Prepare for Data Collection  24
  5.2 Collect Data and Analyze Results  25
  5.3 Identify Corrective Actions  26
  5.4 Develop Business Case and Obtain Resources  27
  5.5 Apply Corrective Actions  28

APPENDIX A: SAMPLE IT SECURITY METRICS  A-1
  A.1 Risk Management  A-3
  A.2 Security Controls  A-7