Establish, implement, and maintain a metrics standard and template.
CONTROL ID
02157
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a metrics policy., CC ID: 01654

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • To facilitate risk reporting to management, the FI should develop IT risk metrics to highlight systems, processes or infrastructure that have the highest risk exposure. An overall technology risk profile of the organisation should also be provided to the board of directors and senior management. In … (§ 4.5.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The organization should measure at least one metric for each area of the information technology security Risk Management Framework to identify trends and monitor progress. (¶ 78, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should use metrics for the areas with the greatest sensitivity and criticality. (¶ 79, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should use a comprehensive set of metrics that includes forward-looking measures and backward-looking measures, e.g., key risk indicators and Key Performance Indicators. (¶ 79, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • IT security metrics can be useful mechanisms for assessing the success of the IT security risk management framework in maintaining confidentiality, integrity and availability, and are usually included in IT security reporting. In APRA's view, each dimension of the IT security risk management framewo… (¶ 78, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • As a matter of principle, risks can be considered either qualitatively or quantitatively. The quantitative risk assessment is very complex and requires comprehensive statistical data. In most cases, such comprehensive empirical values are missing in the very dynamic environment of information securi… (§ 5.1 ¶ 4, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • adequately describe data measurements and bases for calculations, and ensure it is possible to replicate measurements and calculations with similar results; (Accuracy Guidance ¶ 2 Bullet 3, GRI 1: Foundation 2021)
  • use accepted international metrics (e.g., kilograms, liters), and standard conversion factors and protocols, where applicable, for compiling and reporting information; (Comparability Guidance ¶ 2 Bullet 2, GRI 1: Foundation 2021)
  • The metrics and reports on the status of IT controls must contain meaningful information. The Chief Audit Executive (CAE) should attest to the validity and express his/her opinion on the value of the metrics and reporting that management provides. The CAE should interact with the audit committee and… (§ 10.3 ¶ 4, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The organization must ensure performance metrics have been established, implemented, and maintained to regularly measure and monitor the operational characteristics that have a material impact on the organization's performance. (§ 4.5.1, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Security metrics should be used by the organization to help justify expenditures. Metrics can help security managers show the cost-effectiveness of asset protection. Each manager should decide what assets should be measured. (Revised Volume 1 Pg 2-II-5, Protection of Assets Manual, ASIS International)
  • Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations. (AIS-03, Cloud Controls Matrix, v4.0)
  • The organization shall identify and prioritize the information needed for plan measurement. (§ 6.3.7.3(a)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall define the quality measures and the technical measures that are used to assess technical achievement. (CO-01, ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • It is important that organizations develop a set of measurable indicators that will assist the organization in measuring achievement of its objectives (see 6.2) and quantifying its compliance performance. This process should take into account the results of the assessment of compliance risks (see 4.… (§ 9.1.6 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: (§ 6.2.3.3 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); (§ 6.3.3.2.2 ¶ 2 i), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). (§ 6.7.3.2 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the effectiveness of existing controls and performance indicators; (§ 9.3.2 ¶ 2 bullet 6, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall develop, implement and maintain a set of appropriate indicators that will assist the organization in evaluating the achievement of its compliance objectives and assessing its compliance performance. (§ 9.1.3 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organisation shall develop a set of appropriate indicators that will assist the organization in evaluating the achievement of its objectives and assessing its compliance performance. (§ 9.1.3 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • the effectiveness of existing controls and performance indicators; (§ 9.3 ¶ 3 bullet 4, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Representative product: The entity shall calculate performance using a representative product for each product category (i.e., servers, desktops, laptops), where representative product would typically be the entity's bestselling specification of processor in the product category. If the entity deter… (TC-SC-410a.2. 1.1, Semiconductors Sustainability Accounting Standard, Version 2018-10)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Future-oriented disclosures will inherently involve the organization's judgment (which should be adequately explained). To the extent possible, disclosures should be based on objective data and use best-in-class measurement methodologies, which would include common industry practice as it evolves. (§ F. Principle 6 Bullet 2, Implementing the Recommendations of the Task Force on Climate-related Financial Disclosures, October 2021)
  • Principle: Firms should establish and implement a cybersecurity governance framework that supports informed decision making and escalation within the organization to identify and manage cybersecurity risks. The framework should include defined risk management policies, processes and structures coupl… (Governance and Risk Management for Cybersecurity, Report on Cybersecurity Practices)
  • Metrics, including key risk indicators and key performance indicators for BCM and resilience. (IX Action Summary ¶ 2 Bullet 9, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Defined objectives for IT, operations, and key performance indicators (KPI). (VI.D Action Summary ¶ 2 Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Risk tolerances and risk and performance metrics for AIO activities. (App A Objective 2:8b Bullet 7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Identification of metrics to track the efficiency and success of the change. (App A Objective 6:3e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management defines objectives for IT and operations and KPIs to help management measure those objectives. Additionally, evaluate whether management does the following: (App A Objective 17:2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Sets KPI benchmarks to achieve and analyzes deviations from those benchmarks. (App A Objective 17:2b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Has a useful set of KPIs. (App A Objective 17:2d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management develops and uses metrics to help assess the overall IT environment. Determine whether the metrics used and the frequency and monitoring of those metrics are useful to direct management's attention to emerging issues. Additionally, determine whether necessary metrics or … (App A Objective 13:1, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; (CA-7a., FedRAMP Security Controls High Baseline, Version 5)
  • Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; (CA-7a., FedRAMP Security Controls Low Baseline, Version 5)
  • Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; (CA-7a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; (CA-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; (CA-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; (CA-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; (CA-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; (PM-31a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Enterprises should validate identified C-SCRM goals and objectives with their targeted stakeholder groups prior to beginning an effort to develop specific measures. When developing C-SCRM measures, enterprises should focus on the stakeholder's highest priorities and target measures based on data tha… (3.5.1. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; (PM-31a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; (PM-31a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; (PM-31a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Organizations should document their performance metrics in a standard format to ensure repeatability of metrics development, tailoring, collection, and reporting processes. A standard format will provide detail to guide metrics collection, analysis, and reporting activities. (§ 5.3, Guide for Developing Performance Metrics for Information Security, NIST SP 800-80)
  • Organizations should frequently update their low-level metrics and strive for them to be as accurate as possible in order to improve the enterprise-level metrics based on them. If low- level metrics are incorrect, they will negatively impact the enterprise-level metrics calculated from them. For exa… (3.6 ¶ 7, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develop measures of effectiveness and measures of performance. (T0661, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Establish scoring and grading metrics to measure effectiveness of continuous monitoring program. (T0985, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop measures of effectiveness and measures of performance. (T0661, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Establish scoring and grading metrics to measure effectiveness of continuous monitoring program. (T0970, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Establish scoring and grading metrics to measure effectiveness of continuous monitoring program. (T0985, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; (CA-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; (PM-31a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; (CA-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; (PM-31a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7a., TX-RAMP Security Controls Baseline Level 1)
  • Establishment of [Assignment: organization-defined metrics] to be monitored; (CA-7a., TX-RAMP Security Controls Baseline Level 2)