Establish, implement, and maintain a metrics policy.

CONTROL ID
01654
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a compliance monitoring policy., CC ID: 00671

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain an approach for compliance monitoring., CC ID: 01653
  • Establish, implement, and maintain a metrics standard and template., CC ID: 02157
  • Convert data into standard units before reporting metrics., CC ID: 15507
  • Monitor compliance with the Quality Control system., CC ID: 01023
  • Establish, implement, and maintain occupational health and safety management metrics program., CC ID: 15915
  • Establish, implement, and maintain a policies and controls metrics program., CC ID: 01666
  • Establish, implement, and maintain a security roles and responsibilities metrics program., CC ID: 01667
  • Establish, implement, and maintain a role-based information access metrics program., CC ID: 01668
  • Establish, implement, and maintain an information risk threshold metrics program., CC ID: 01694
  • Monitor the supply chain for Information Assurance effectiveness., CC ID: 02043
  • Establish, implement, and maintain an identification and classification of information assets metrics program., CC ID: 02052
  • Establish, implement, and maintain an Information Systems architecture metrics program., CC ID: 02059
  • Establish, implement, and maintain a physical environment metrics program., CC ID: 02063
  • Establish, implement, and maintain a privacy metrics program., CC ID: 15494
  • Establish, implement, and maintain environmental management system performance metrics., CC ID: 15191
  • Establish, implement, and maintain financial management metrics., CC ID: 16749

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • APRA envisages that the use of metrics would be targeted towards the areas of greatest criticality and sensitivity as determined through the risk assessment process. Effective metrics are specific, measurable, business-impact oriented, controllable and reportable. In addition, a comprehensive set of… (¶ 79, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • When compiling the information specified in Disclosure 415-1, the reporting organization shall calculate financial political contributions in compliance with national accounting rules, where these exist. (Disclosure 415-1 ¶ 2 2.1, GRI 415: Public Policy, 2016)
  • set an expectation of the appropriate quality and quantity of measurement and timeliness of delivery when establishing objectives; (§ 4.3.2 ¶ 2 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the methods for monitoring, measurement, analysis and performance evaluation, as applicable, to ensure valid results; (§ 9.1.1 ¶ 2 b), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid; (§ 9.1 ¶ 1 b), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Begin establishing metrics and monitoring and evaluation systems to assess the effectiveness and impact of planned measures (Pillar 1 Step 1 Action 4, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • The organization must measure and report on the establishing an effective Information Security Program requires management to devote attention to information assurance program elements. (§ VII, CISWG Information Security Program Elements, 10-Jan-05)
  • The organization should measure and report on the number of critical assets, with the ultimate goal being zero critical DIB assets. This metric is measured by the number of critical DIB assets. Sound risk management practices, including infrastructure asset resiliency, mitigation of risks, and redun… (§ 6.1.1 Table 6-2 Goal 1, Defense Industrial Base Information Assurance Standard)
  • Determine whether IT management develops satisfactory measures for defining and monitoring metrics, performance benchmarks, service level agreements, compliance with policies, effectiveness of controls, and quality assurance and control. Determine whether management developed satisfactory reporting … (App A Objective 13, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Reporting at Level 3 should focus on the C-SCRM's implementation, efficiency, effectiveness, and the overall level of exposure to cybersecurity risks in the supply chain for the particular system. System-level reporting should provide system owners with tactical-level insights that enable them to ma… (2.3.4. ¶ 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Reporting plays an important role in equipping Level 1 decision-makers with the context necessary to make informed decisions on how to manage cybersecurity risks throughout the supply chain. Reporting should focus on enterprise-wide trends and include coverage of the extent to which C-SCRM has been … (2.3.2. ¶ 11, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)