Establish, implement, and maintain a security roles and responsibilities metrics program.


CONTROL ID
01667
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a metrics policy., CC ID: 01654

This Control has the following implementation support Control(s):
  • Report on the percentage of role descriptions that define the information awareness roles for Security Managers and administrators., CC ID: 01685
  • Report on the percentage of role descriptions that define the information awareness roles for interested personnel., CC ID: 01686
  • Report on the percentage of role descriptions that define the information awareness roles for end users., CC ID: 01687
  • Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance., CC ID: 01688
  • Report on the percentage of individuals with access to security software who are trained and authorized Security Administrators., CC ID: 01691
  • Report on the percentage of individuals able to assign security privileges who are trained and authorized Security Administrators., CC ID: 01692


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • ¶ 8.1.1(3)(4)(5) IT Security Management and Policies. An organization should implement safeguards to achieve an appropriate and consistent level of security throughout the organization. This safeguard category contains all those safeguards dealing with the management of IT security, the planning … (¶ 8.1.1(3)(4)(5), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The organization must establish and maintain a roles, responsibilities, and skills metrics standard. (ISPE9, CISWG Information Security Program Elements, 10-Jan-05)
  • The organization should implement and measure specific security education and training materials for critical DIB assets. This metric is measured by the proportion of DIB asset owners implementing security education and training materials. (§ 6.1.1 Table 6-2 Goal 8, Defense Industrial Base Information Assurance Standard)
  • Establish and collect metrics to monitor and validate cyber workforce readiness including analysis of cyber workforce data to assess the status of positions identified, filled, and filled with qualified personnel. (T0372, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Establish and collect metrics to monitor and validate cyber workforce readiness including analysis of cyber workforce data to assess the status of positions identified, filled, and filled with qualified personnel. (T0372, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)