Establish, implement, and maintain a policies and controls metrics program.
CONTROL ID 01666
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain a metrics policy., CC ID: 01654
This Control has the following implementation support Control(s):
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted., CC ID: 01679
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures., CC ID: 01680
Report on the percentage of policy compliance reviews for which no compliance violations were noted., CC ID: 01681
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures., CC ID: 01682
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Gateway providers holding government information must document their implementation and effectiveness with the scoped ISM controls, the PSPF and the Australian Security Intelligence Organisation's (ASIO) T4 Physical Accreditation requirements. (55., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
The organization should develop metrics for all policies and measure them on a regular basis. (Critical Control 9.4, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
how the effectiveness of controls are measured. (§ 9.3 ¶ 4 e), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
how the effectiveness of controls will be measured. (§ 9.3.3.1 d), ISO 22301:2019, Security and resilience – Business continuity management systems – Requirements, Second Edition)
The organization must establish and maintain a policies and controls metrics standard. (ISPE8, CISWG Information Security Program Elements, 10-Jan-05)
Reporting plays an important role in equipping Level 1 decision-makers with the context necessary to make informed decisions on how to manage cybersecurity risks throughout the supply chain. Reporting should focus on enterprise-wide trends and include coverage of the extent to which C-SCRM has been … (2.3.2. ¶ 11, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)