NIST SP800-55.pdf

The requirement to measure information technology (IT) security performance is driven by regulatory, financial, and organizational reasons. A number of existing laws, rules, and regulations cite IT performance measurement in general, and IT security performance measurement in particular, as a requirement. These laws include the Clinger-Cohen Act, Government Performance and Results Act (GPRA), Government Paperwork Elimination Act (GPEA), and Federal Information Security Management Act (FISMA). This document is intended to be a guide for the specific development, selection, and implementation of IT system- level metrics to be used to measure the performance of information security controls and techniques.1 IT security metrics are tools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data. This document provides guidance on how an organization, through the use of metrics, identifies the adequacy of in-place security controls, policies, and procedures. It provides an approach to help management decide where to invest in additional security protection resources or identify and evaluate nonproductive controls. It explains the metrics development and implementation processes and how metrics can be used to adequately justify security control investments. The results of an effective IT security metrics program can provide useful data for directing the allocation of information security resources and should simplify the preparation of performance-related reports. Successful implementation of such a program assists agencies in meeting the annual requirements of the Office of Management and Budget (OMB) to report the status of agency IT security programs.