Evaluate the measurement process used for metrics.


CONTROL ID
06920
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Protect against misusing automated audit tools., CC ID: 04547

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • distinguish clearly between facts and the organization's interpretation of the facts; (Balance Guidance ¶ 1 Bullet 2, GRI 1: Foundation 2021)
  • indicate which data has been estimated, and explain the underlying assumptions and techniques used for the estimation as well as any limitations of the estimates. (Accuracy Guidance ¶ 2 Bullet 5, GRI 1: Foundation 2021)
  • what needs to be monitored and measured; (§ 9.1.1 ¶ 2 a), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall evaluate the measurement process and the information products used for measurements. (§ 6.3.7.3(c)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • what needs to be monitored and measured and why; (§ 9.1.1 ¶ 1 a), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • what needs to be monitored and measured, (§ 9.1.1 ¶ 1 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - mon… (§ 9.1.1 ¶ 5, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • what needs to be monitored and measured; (§ 9.1 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • what needs to be monitored and measured; (§ 9.1.1 ¶ 2 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • what needs to be monitored and measured; (9.1.1 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • what needs to be monitored and measured; (§ 9.1.1 ¶ 2 a), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Organizations should be aware that AI is a fast-moving technology domain. Measurement methods should be consistently evaluated according to their effectiveness and appropriateness for the AI systems in use. (§ 6.3.4 Table 4 Column 2 Row 4 Bullet 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • what needs to be monitored and measured; (Section 9.1 ¶ 1(a), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • what needs to be monitored and measured, including information security processes and controls; (§ 9.1 ¶ 1 a), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7d., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7d., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7d., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7d., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Determine the effectiveness of the frequency of the measurement process. (AppE.7 Objective 4:3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7d. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7d. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7d. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; (CA-7d., FedRAMP Security Controls High Baseline, Version 5)
  • Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; (CA-7d., FedRAMP Security Controls Low Baseline, Version 5)
  • Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; (CA-7d., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Effectiveness of the employed TEVV metrics and processes in the MEASURE function are evaluated and documented. (MEASURE 2.13, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; (CA-7d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; (CA-7d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; (CA-7d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; (CA-7d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; (PM-31c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; (PM-31c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; (PM-31c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; (PM-31c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7d. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7d. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7d. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; (CA-7d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; (PM-31c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; (CA-7d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; (PM-31c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7e., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7d., TX-RAMP Security Controls Baseline Level 1)
  • Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; (CA-7d., TX-RAMP Security Controls Baseline Level 2)