Establish, implement, and maintain an Information Systems architecture metrics program.
CONTROL ID 02059
CONTROL TYPE Business Processes
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain a metrics policy., CC ID: 01654
This Control has the following implementation support Control(s):
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated., CC ID: 02060
Report on the percentage of system architecture changes that were approved through appropriate change requests., CC ID: 02061
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture., CC ID: 02062
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed., CC ID: 02142
Report on the percentage of systems that have completed Certification and Accreditation., CC ID: 02143
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
The organization must measure and report on the review and approval of the information systems architecture for compliance with information security requirements and policies, and for any impacts to information security during the architecture's life cycle. (ISPE14, CISWG Information Security Program Elements, 10-Jan-05)
How stable are existing systems. (App A Tier 1 Objectives and Procedures Objective 1:5 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Sa… (MEASURE 2.6, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
Work with organizational officials to establish system level reporting categories that can be used by the organization's continuous monitoring program. (T0978, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
Work with organizational officials to establish system level reporting categories that can be used by the organization's continuous monitoring program. (T0978, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)