Establish, implement, and maintain an information risk threshold metrics program.


CONTROL ID
01694
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a metrics policy., CC ID: 01654

This Control has the following implementation support Control(s):
  • Report on the percentage of critical information assets and information-dependent functions., CC ID: 02040
  • Report on the percentage of critical assets and functions for which the cost of compromise has been quantified., CC ID: 02041
  • Report on the percentage of identified risks that have a defined risk mitigation plan., CC ID: 02042
  • Report on the percentage of systems with approved System Security Plans., CC ID: 02145


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • To facilitate risk reporting to management, technology risk metrics should be developed to highlight information assets that have the highest risk exposure. In determining the technology risk metrics, the FI should take into account risk events and audit observations, as well as applicable regulator… (§ 4.5.3, Technology Risk Management Guidelines, January 2021)
  • Metrics can be used by organizations to measure vulnerability management practices. The best way to use them is to trend these metrics over time to demonstrate improvement. The "Number of unique vulnerabilities" metric measures how much variance and risk exists among the systems. (§ 5.1 Table 2, IIA Global Technology Audit Guide (GTAG) 6: Managing and Auditing IT Vulnerabilities)
  • The organization must measure and report on the assessment of Information Risks, Risk Thresholds and Risk Mitigation? (ISPE10, CISWG Information Security Program Elements, 10-Jan-05)
  • Principle: Firms should establish and implement a cybersecurity governance framework that supports informed decision making and escalation within the organization to identify and manage cybersecurity risks. The framework should include defined risk management policies, processes and structures coupl… (Governance and Risk Management for Cybersecurity, Report on Cybersecurity Practices)
  • Determine if the policies establish reasonable limits. (App A Tier 1 Objectives and Procedures Objective 4:1 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Appropriate methods and metrics are identified and applied. (MEASURE 1, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Reporting at Level 2 plays an important role in equipping mission and business process leaders with the context necessary to manage C-SCRM within the scope of their mission and business processes. Topics covered at Level 2 will reflect those covered at Level 1 but should be reshaped to focus on the … (2.3.3. ¶ 6, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Work with the organizational risk analysts to ensure risk metrics are defining realistically to support continuous monitoring. (T0975, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Work with the organizational risk analysts to ensure risk metrics are defining realistically to support continuous monitoring. (T0975, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)