Establish, implement, and maintain a technical measurement metrics policy.


CONTROL ID
01655
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a compliance monitoring policy., CC ID: 00671

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a user identification and authentication metrics program., CC ID: 02073
  • Establish, implement, and maintain a user account management metrics program., CC ID: 02075
  • Establish, implement, and maintain a user and administrator privilege management metrics program., CC ID: 02076
  • Establish, implement, and maintain a Configuration Management metrics program., CC ID: 02077
  • Establish, implement, and maintain a Security Information and Event Management metrics program., CC ID: 02078
  • Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program., CC ID: 02079
  • Establish, implement, and maintain a malicious code protection management metrics program., CC ID: 02080
  • Establish, implement, and maintain a software change management metrics program., CC ID: 02081
  • Establish, implement, and maintain a network management and firewall management metrics program., CC ID: 02082
  • Establish, implement, and maintain a data encryption management metrics program., CC ID: 02083
  • Establish, implement, and maintain a backup management and recovery management metrics program., CC ID: 02084
  • Establish, implement, and maintain an incident management and vulnerability management metrics program., CC ID: 02085


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations. (AIS-03, Cloud Controls Matrix, v4.0)
  • The organization shall define the criteria to evaluate the measurement process and information products. (§ 6.3.7.3(a)(5), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization establishes specific objectives, performance criteria, benchmarks, and tolerance limits to identify areas that have improved or are in need of improvement over time. (GV.SP-2.3, CRI Profile, v1.2)
  • The organization must measure and report on the many, if not most, of an organization's information security policies will ultimately be implemented by assigning values to technical security controls within the various information technology environments. For example, it is common to set a technical… (§ VIII, CISWG Information Security Program Elements, 10-Jan-05)
  • Determine whether there are established performance benchmarks and standards for the IT function and whether they serve to help management identify problem areas, particularly in system or data center availability, operating conditions, response times, and error rates. (App A Objective 13:2, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Collect metrics and trending data. (T0349, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Collect metrics and trending data. (T0349, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Using scores and grades to motivate and assess performance while addressing concerns to support continuous monitoring (T1002, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)