Establish, implement, and maintain a metrics policy.
CONTROL ID
01654
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a compliance monitoring policy., CC ID: 00671

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a metrics standard and template., CC ID: 02157
  • Convert data into standard units before reporting metrics., CC ID: 15507
  • Monitor compliance with the Quality Control system., CC ID: 01023
  • Establish, implement, and maintain a policies and controls metrics program., CC ID: 01666
  • Establish, implement, and maintain a security roles and responsibilities metrics program., CC ID: 01667
  • Establish, implement, and maintain a role-based information access metrics program., CC ID: 01668
  • Establish, implement, and maintain an information risk threshold metrics program., CC ID: 01694
  • Monitor the supply chain for Information Assurance effectiveness., CC ID: 02043
  • Establish, implement, and maintain an identification and classification of information assets metrics program., CC ID: 02052
  • Establish, implement, and maintain an Information Systems architecture metrics program., CC ID: 02059
  • Establish, implement, and maintain a physical environment metrics program., CC ID: 02063
  • Establish, implement, and maintain a privacy metrics program., CC ID: 15494
  • Establish, implement, and maintain environmental management system performance metrics., CC ID: 15191

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • APRA envisages that the use of metrics would be targeted towards the areas of greatest criticality and sensitivity as determined through the risk assessment process. Effective metrics are specific, measurable, business-impact oriented, controllable and reportable. In addition, a comprehensive set of… (¶ 79, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • set an expectation of the appropriate quality and quantity of measurement and timeliness of delivery when establishing objectives; (§ 4.3.2 ¶ 2 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Begin establishing metrics and monitoring and evaluation systems to assess the effectiveness and impact of planned measures (Pillar 1 Step 1 Action 4, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • The organization must measure and report on the establishing an effective Information Security Program requires management to devote attention to information assurance program elements. (§ VII, CISWG Information Security Program Elements, 10-Jan-05)
  • The organization should measure and report on the number of critical assets, with the ultimate goal being zero critical DIB assets. This metric is measured by the number of critical DIB assets. Sound risk management practices, including infrastructure asset resiliency, mitigation of risks, and redun… (§ 6.1.1 Table 6-2 Goal 1, Defense Industrial Base Information Assurance Standard)
  • Determine whether IT management develops satisfactory measures for defining and monitoring metrics, performance benchmarks, service level agreements, compliance with policies, effectiveness of controls, and quality assurance and control. Determine whether management developed satisfactory reporting … (App A Objective 13, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Reporting at Level 3 should focus on the C-SCRM's implementation, efficiency, effectiveness, and the overall level of exposure to cybersecurity risks in the supply chain for the particular system. System-level reporting should provide system owners with tactical-level insights that enable them to ma… (2.3.4. ¶ 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Reporting plays an important role in equipping Level 1 decision-makers with the context necessary to make informed decisions on how to manage cybersecurity risks throughout the supply chain. Reporting should focus on enterprise-wide trends and include coverage of the extent to which C-SCRM has been … (2.3.2. ¶ 11, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)