Establish, implement, and maintain a metrics policy.
CONTROL ID 01654
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain a compliance monitoring policy., CC ID: 00671
This Control has the following implementation support Control(s):
Establish, implement, and maintain an approach for compliance monitoring., CC ID: 01653
Establish, implement, and maintain a metrics standard and template., CC ID: 02157
Convert data into standard units before reporting metrics., CC ID: 15507
Monitor compliance with the Quality Control system., CC ID: 01023
Establish, implement, and maintain an occupational health and safety management metrics program., CC ID: 15915
Establish, implement, and maintain a policies and controls metrics program., CC ID: 01666
Establish, implement, and maintain a security roles and responsibilities metrics program., CC ID: 01667
Establish, implement, and maintain a role-based information access metrics program., CC ID: 01668
Establish, implement, and maintain an information risk threshold metrics program., CC ID: 01694
Monitor the supply chain for Information Assurance effectiveness., CC ID: 02043
Establish, implement, and maintain an identification and classification of information assets metrics program., CC ID: 02052
Establish, implement, and maintain an Information Systems architecture metrics program., CC ID: 02059
Establish, implement, and maintain a physical environment metrics program., CC ID: 02063
Establish, implement, and maintain a privacy metrics program., CC ID: 15494
Establish, implement, and maintain environmental management system performance metrics., CC ID: 15191
Establish, implement, and maintain financial management metrics., CC ID: 16749
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
APRA envisages that the use of metrics would be targeted towards the areas of greatest criticality and sensitivity as determined through the risk assessment process. Effective metrics are specific, measurable, business-impact oriented, controllable and reportable. In addition, a comprehensive set of… (¶ 79, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
When compiling the information specified in Disclosure 415-1, the reporting organization shall calculate financial political contributions in compliance with national accounting rules, where these exist. (Disclosure 415-1 ¶ 2 2.1, GRI 415: Public Policy, 2016)
set an expectation of the appropriate quality and quantity of measurement and timeliness of delivery when establishing objectives; (§ 4.3.2 ¶ 2 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
the methods for monitoring, measurement, analysis and performance evaluation, as applicable, to ensure valid results; (§ 9.1.1 ¶ 2 b), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid; (§ 9.1 ¶ 1 b), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
Begin establishing metrics and monitoring and evaluation systems to assess the effectiveness and impact of planned measures (Pillar 1 Step 1 Action 4, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
The organization must measure and report on establishing an effective Information Security Program, which requires management to devote attention to information assurance program elements. (§ VII, CISWG Information Security Program Elements, 10-Jan-05)
The organization should measure and report on the number of critical assets, with the ultimate goal being zero critical DIB assets. This metric is measured by the number of critical DIB assets. Sound risk management practices, including infrastructure asset resiliency, mitigation of risks, and redun… (§ 6.1.1 Table 6-2 Goal 1, Defense Industrial Base Information Assurance Standard)
Determine whether IT management develops satisfactory measures for defining and monitoring metrics, performance benchmarks, service level agreements, compliance with policies, effectiveness of controls, and quality assurance and control. Determine whether management developed satisfactory reporting … (App A Objective 13, FFIEC Information Technology Examination Handbook - Management, November 2015)
Reporting at Level 3 should focus on the C-SCRM's implementation, efficiency, effectiveness, and the overall level of exposure to cybersecurity risks in the supply chain for the particular system. System-level reporting should provide system owners with tactical-level insights that enable them to ma… (2.3.4. ¶ 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
Reporting plays an important role in equipping Level 1 decision-makers with the context necessary to make informed decisions on how to manage cybersecurity risks throughout the supply chain. Reporting should focus on enterprise-wide trends and include coverage of the extent to which C-SCRM has been … (2.3.2. ¶ 11, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)