Establish, implement, and maintain a technical measurement metrics policy.
CONTROL ID 01655
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain a compliance monitoring policy., CC ID: 00671
This Control has the following implementation support Control(s):
Establish, implement, and maintain a user identification and authentication metrics program., CC ID: 02073
Establish, implement, and maintain a user account management metrics program., CC ID: 02075
Establish, implement, and maintain a user and administrator privilege management metrics program., CC ID: 02076
Establish, implement, and maintain a Configuration Management metrics program., CC ID: 02077
Establish, implement, and maintain a Security Information and Event Management metrics program., CC ID: 02078
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program., CC ID: 02079
Establish, implement, and maintain a malicious code protection management metrics program., CC ID: 02080
Establish, implement, and maintain a software change management metrics program., CC ID: 02081
Establish, implement, and maintain a network management and firewall management metrics program., CC ID: 02082
Establish, implement, and maintain a data encryption management metrics program., CC ID: 02083
Establish, implement, and maintain a backup management and recovery management metrics program., CC ID: 02084
Establish, implement, and maintain an incident management and vulnerability management metrics program., CC ID: 02085
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations. (AIS-03, Cloud Controls Matrix, v4.0)
The organization shall define the criteria to evaluate the measurement process and information products. (§ 6.3.7.3(a)(5), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
The organization establishes specific objectives, performance criteria, benchmarks, and tolerance limits to identify areas that have improved or are in need of improvement over time. (GV.SP-2.3, CRI Profile, v1.2)
The organization must measure and report on the many, if not most, of an organization's information security policies will ultimately be implemented by assigning values to technical security controls within the various information technology environments. For example, it is common to set a technical… (§ VIII, CISWG Information Security Program Elements, 10-Jan-05)
Determine whether there are established performance benchmarks and standards for the IT function and whether they serve to help management identify problem areas, particularly in system or data center availability, operating conditions, response times, and error rates. (App A Objective 13:2, FFIEC Information Technology Examination Handbook - Management, November 2015)
Collect metrics and trending data. (T0349, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
Collect metrics and trending data. (T0349, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
Using scores and grades to motivate and assess performance while addressing concerns to support continuous monitoring (T1002, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)