Performance Measurement Guide For Information Security - NIST


NIST Special Publication 800-55 Revision 1

Performance Measurement Guide for Information Security

Elizabeth Chew, Marianne Swanson, Kevin Stine, Nadya Bartol, Anthony Brown, and Will Robinson

INFORMATION SECURITY

Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

July 2008

U.S. Department of Commerce
Carlos M. Gutierrez, Secretary

National Institute of Standards and Technology
James M. Turner, Deputy Director

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. This Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information security, and its collaborative activities with industry, government, and academic organizations.

Authority

This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.

NIST is responsible for developing standards and guidelines, including minimum requirements, and for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.

This guideline has been prepared for use by federal agencies. It may also be used by nongovernmental organizations on a voluntary basis and is not subject to copyright regulations. (Attribution would be appreciated by NIST.)

Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Acknowledgements

The authors wish to thank Joan Hash (NIST), Arnold Johnson (NIST), Elizabeth Lennon (NIST), Karen Scarfone (NIST), Kelley Dempsey (NIST), and Karen Quigg (MITRE) who reviewed drafts of this document and/or contributed to its development. The authors also gratefully acknowledge and appreciate the many contributions from individuals and organizations in the public and private sectors whose thoughtful and constructive comments improved the quality and usefulness of this publication.

TABLE OF CONTENTS

EXECUTIVE SUMMARY ... viii
1. INTRODUCTION ... 1
1.1 Purpose and Scope ... 1
1.2 Audience ... 2
1.3 History ... 2
1.4 Critical Success Factors ... 3
1.5 Relationship to Other NIST Documents ... 4
1.6 Document Organization ... 5
2. ROLES AND RESPONSIBILITIES ... 6
2.1 Agency Head ... 6
2.2 Chief Information Officer ... 6
2.3 Senior Agency Information Security Officer ... 7
2.4 Program Manager/Information System Owner ... 8
2.5 Information System Security Officer ... 8
2.6 Other Related Roles ... 8
3. INFORMATION SECURITY MEASURES BACKGROUND ... 9
3.1 Definition ... 9
3.2 Benefits of Using Measures ... 10
3.3 Types of Measures ... 11
3.3.1 Implementation Measures ... 13
3.3.2 Effectiveness/Efficiency Measures ... 13
3.3.3 Impact Measures ... 14
3.4 Measurement Considerations ... 15
3.4.1 Organizational Considerations ... 15
3.4.2 Manageability ... 15
3.4.3 Data Management Concerns ... 16
3.4.4 Automation of Measurement Data Collection ... 16
3.5 Information Security Measurement Program Scope ... 17
3.5.1 Individual Information Systems ... 17
3.5.2 System Development Life Cycle ... 17
3.5.3 Enterprise-Wide Programs ... 19
4. LEGISLATIVE AND STRATEGIC DRIVERS ... 20
4.1 Legislative Considerations ... 20
4.1.1 Government Performance Results Act ... 20
4.1.2 Federal Information Security Management Act ... 21
4.2 Federal Enterprise Architecture ... 22
4.3 Linkage Between Enterprise Strategic Planning and Information Security ... 23
5. MEASURES DEVELOPMENT PROCESS ... 24
5.1 Stakeholder Interest Identification ... 25

5.2 Goals and Objectives Definition ... 26
5.3 Information Security Policies, Guidelines, and Procedures Review ... 27
5.4 Information Security Program Implementation Review ... 27
5.5 Measures Development and Selection ... 28
5.5.1 Measures Development Approach ... 29
5.5.2 Measures Prioritization and Selection ... 29
5.5.3 Establishing Performance Targets ... 30
5.6 Measures Development Template ... 31
5.7 Feedback Within the Measures Development Process ... 33
6. INFORMATION SECURITY MEASUREMENT IMPLEMENTATION ... 35
6.1 Prepare for Data Collection ... 35
6.2 Collect Data and Analyze Results ... 36
6.3 Identify Corrective Actions ... 38
6.4 Develop Business Case and Obtain Resources ... 38
6.5 Apply Corrective Actions ... 40
APPENDIX A: CANDIDATE MEASURES ... A-1
APPENDIX B: ACRONYMS ... B-1
APPENDIX C: REFERENCES ... C-1
APPENDIX D: SPECIFICATIONS FOR MINIMUM SECURITY REQUIREMENTS ... D-1

LIST OF FIGURES

Figure 1-1. Information Security Measurement Program Structure ... 3
Figure 3-1. Information Security Program Maturity and Types of Measurement ... 12
Figure 5-1. Information Security Measures Development Process ... 25
Figure 5-2. Information Security Measures Trend Example ... 31
Figure 6-1. Information Security Measurement Program Implementation Process ... 35

LIST OF TABLES

Table 1. Measurement During System Development ... 18
Table 2. Measures Template and Instructions ... 32

EXECUTIVE SUMMARY

This document is a guide to assist in the development, selection, and implementation of measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs. Such measures are used to facilitate decision making, improve performance, and increase accountability through the collection, analysis, and reporting of relevant performance-related data—providing a way to tie the implementation, efficiency, and effectiveness of information system and program security controls to an agency’s success in achieving its mission. The performance measures development process described in this guide will assist agency information security practitioners in establishing a relationship between information system and program security activities under their purview and the agency mission, helping to demonstrate the value of information security to their organization.

A number of existing laws, rules, and regulations—including the Clinger-Cohen Act, the Government Performance and Results Act (GPRA), the Government Paperwork Elimination Act (GPEA), and the Federal Information Security Management Act (FISMA)—cite information performance measurement in general, and information security performance measurement in particular, as a requirement. In addition to legislative compliance, agencies can use performance measures as management tools in their internal improvement efforts and link implementation of their information security programs to agency-level strategic planning efforts.

The following factors must be considered during development and implementation of an information security measurement program:

- Measures must yield quantifiable information (percentages, averages, and numbers);
- Data that supports the measures needs to be readily obtainable;
- Only repeatable information security processes should be considered for measurement; and
- Measures must be useful for tracking performance and directing resources.

The measures development process described in this document ensures that measures are developed with the purpose of identifying causes of poor performance and pointing to appropriate corrective actions.

This document focuses on the development and collection of three types of measures:

- Implementation measures to measure execution of security policy;
- Effectiveness/efficiency measures to measure results of security services delivery; and
- Impact measures to measure business or mission consequences of security events.

The types of measures that can realistically be obtained, and that can also be useful for performance improvement, depend on the maturity of the agency’s information security program and the information system’s security control implementation. Although different types of measures can be used simultaneously, the primary focus of information security measures shifts as the implementation of security controls matures.

1. INTRODUCTION

The requirement to measure information security performance is driven by regulatory, financial, and organizational reasons. A number of existing laws, rules, and regulations cite information performance measurement in general, and information security performance measurement in particular, as a requirement. These laws include the Clinger-Cohen Act, the Government Performance and Results Act (GPRA), the Government Paperwork Elimination Act (GPEA), and the Federal Information Security Management Act (FISMA).

While these laws, rules, and regulations are important drivers for information security measurement, equally compelling are the benefits that information security performance measurement can yield for organizations. Agencies can use performance measures as management tools in their internal improvement efforts and link implementation of their information security programs to agency-level strategic planning efforts. Information security measures are used to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data. They provide the means for tying the implementation, efficiency, and effectiveness of security controls to an agency’s success in its mission-critical activities. The performance measures development process described in this document will assist agency information security practitioners in establishing a relationship between information system and program security activities under their purview and the agency mission, helping to demonstrate the value of information security to their organization.

1.1 Purpose and Scope

This document is a guide for the specific development, selection, and implementation of information system-level and program-level measures to indicate the implementation, efficiency/effectiveness, and impact of security controls, and other security-related activities. It provides guidelines on how an organization, through the use of measures, identifies the adequacy of in-place security controls, policies, and procedures. It provides an approach to help management decide where to invest in additional information security resources, identify and evaluate nonproductive security controls, and prioritize security controls for continuous monitoring. It explains the measurement development and implementation processes and how measures can be used to adequately justify information security investments and support risk-based decisions. The results of an effective information security measurement program can provide useful data for directing the allocation of information security resources and should simplify the preparation of performance-related reports. Successful implementation of such a program assists agencies in meeting the annual requirements of the Office of Management and Budget (OMB) to report the status of agency information security programs.

NIST Special Publication (SP) 800-55, Revision 1, expands upon NIST’s previous work in the field of information security measures to provide additional program-level guidelines for quantifying information security performance in support of organizational strategic goals. The processes and methodologies described in this document link information system security performance to agency performance by leveraging agency-level strategic planning processes. By doing so, the processes and methodologies help demonstrate how information security contributes to accomplishing agency strategic goals and objectives. Performance measures developed according to this guide will enhance the ability of agencies to respond to a variety of federal government mandates and initiatives, including FISMA.

This publication uses the security controls identified in NIST SP 800-53, Recommended Security Controls for Federal Information Systems, as a basis for developing measures that support the evaluation of information security programs. In addition to providing guidelines on developing measures, the guide lists a number of candidate measures that agencies can tailor, expand, or use as models for developing other measures. [1] While focused on NIST SP 800-53 security controls, the process described in this guide can be applied to develop agency-specific measures related to security controls that are not included in NIST SP 800-53.

[1] Candidate measures offered by this guide do not constitute mandatory requirements. Rather, they provide a sampling of measures to be considered for use by the readers of this guide.

The information security measurement program described in this document can be helpful in fulfilling regulatory requirements. The program provides an underlying data collection, analysis, and reporting infrastructure that can be tailored to support FISMA performance measures, Federal Enterprise Architecture’s (FEA) Performance Reference Model (PRM) requirements, and any other enterprise-specific requirements for reporting quantifiable information about information security performance.

1.2 Audience

This guide is written primarily for Chief Information Officers (CIOs), Senior Agency Information Security Officers (SAISOs)—often referred to as Chief Information Security Officers (CISOs)—and Information System Security Officers (ISSOs). It targets individuals who are familiar with security controls as described in NIST SP 800-53. The concepts, processes, and candidate measures presented in this guide can be used within government and industry contexts.

1.3 History

The approach for measuring security control effectiveness has been under development for several years. NIST SP 800-55, Security Metrics Guide for Information Technology Systems, and NIST Draft SP 800-80, Guide to Developing Performance Metrics for Information Security, both addressed information security measurement. This document supersedes these publications by building upon them to align this approach with security controls provided in NIST SP 800-53, Recommended Security Controls for Federal Information Systems. The document also expands on concepts and processes introduced in the original version of NIST SP 800-55 to assist with the assessment of information security program implementation.

Security control implementation for information systems and information security programs is reviewed and reported annually to OMB in accordance with the Electronic Government Act of 2002, which includes FISMA. The Act requires departments and agencies to demonstrate that they are meeting applicable information security requirements, and to document the level of performance based on results of annual program reviews.

1.4 Critical Success Factors

An information security measurement program within an organization should include four interdependent components (see Figure 1-1).

Figure 1-1. Information Security Measurement Program Structure

The foundation of strong upper-level management support is critical, not only for the success of the information security program, but also for the program’s implementation. This support establishes a focus on information security within the highest levels of the organization. Without a solid foundation (i.e., proactive support of personnel in positions that control information resources), the information security measurement program can fail when pressured by organizational dynamics and budget limitations.

The second component of an effective information security measurement program is the existence of information security policies and procedures backed by the authority necessary to enforce compliance. Information security policies delineate the information security management structure, clearly assign information security responsibilities, and lay the foundation needed to reliably measure progress and compliance. Procedures document management’s position on the implementation of an information security control and the rigor with which it is applied. Measures are not easily obtainable if no procedures are in place that supply data to be used for measurement.

The third component is developing and establishing quantifiable performance measures that are designed to capture and provide meaningful performance data. To provide meaningful data, quantifiable information security measures must be based on information security performance goals and objectives, and be easily obtainable and feasible to measure. They must also be repeatable, provide relevant performance trends over time, and be useful for tracking performance and directing resources.

Finally, the information security measurement program itself must emphasize consistent periodic analysis of the measures data. Results of this analysis are used to apply lessons learned, improve effectiveness of existing security controls, and plan for the implementation of future security controls to meet new information security requirements as they occur. Accurate data collection must be a priority with stakeholders and users if the collected data is to be meaningful and useful in improving the overall information security program.

The success of an information security program implementation should be judged by the degree to which meaningful results are produced. A comprehensive information security measurement program should provide substantive justification for decisions that directly affect the information security posture of an organization. These decisions include budget and personnel requests and allocation of available resources. An information security measurement program should assist in the preparation of required reports relating to information security performance.

1.5 Relationship to Other NIST Documents

This document is a continuation in a series of NIST special publications intended to assist information management and information security personnel in the establishment, implementation, and maintenance of an information security program. It focuses on quantifying information security performance based on the results of a variety of information security activities. This approach draws upon many sources of data, including:

- Information security assessment and testing efforts such as those described in NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems;
- Information security risk assessment efforts, such as those described in NIST SP 800-30, Risk Management Guide for Information Technology Systems; and
- Minimum security controls recommended in NIST SP 800-53, Recommended Security Controls for Federal Information Systems.

NIST SP 800-55, Revision 1, differs from NIST SP 800-53A in that it provides a quantitative approach to measuring and analyzing security controls implementation and effectiveness at the information system and program levels, aggregated across multiple individual efforts. It also provides an approach for aggregating information from multiple information systems to measure and analyze information security from an enterprise-level perspective. NIST SP 800-53A provides procedures for assessing if the security controls are implemented and operating as intended according to the information system security plan for the system. The assessment data produced as a result of applying NIST SP 800-53A assessment procedures can serve as a data source for information security measurement.

Information security measurement results described in this guide will provide inputs into the information security program activities described in a number of NIST publications, including:

- NIST SP 800-100, Information Security Handbook: A Guide for Managers; and
- NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process.

These measures can also be used to assist with prioritization for the continuous monitoring of security controls, as described in NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.

1.6 Document Organization

The remaining sections of this guide discuss the following:

- Section 2, Roles and Responsibilities, describes the roles and responsibilities of agency staff that have a direct interest in the success of the information security program, and in the establishment of an information security measurement program.
- Section 3, Information Security Measures Background, provides guidelines on the background and definition of information security measures, the benefits of implementation, various types of information security measures, and the factors that directly affect success of an information security measurement program.
- Section 4, Legislative and Strategic Drivers, links information security to strategic planning through relevant legislation and guidelines.
- Section 5, Measures Development Process, presents the approach and process used for development of information security measures.
- Section 6, Information Security Measurement Implementation, discusses those factors that can affect the implementation of an information security measurement program.

This guide contains four appendices. Appendix A, Candidate Measures, provides practical examples of information security measures that can be used or modified to meet specific agency requirements. Appendix B provides a list of acronyms used in this document. Appendix C lists references. Appendix D lists specifications for minimum security requirements taken from Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems.

2. ROLES AND RESPONSIBILITIES

This section outlines the key roles and responsibilities for developing and implementing information security measures. While information security is the responsibility of all members of the organization, the positions described in Sections 2.1 through 2.6 are key information security stakeholders that should work to instill a culture of information security awareness across the organization.

2.1 Agency Head

The specific Agency Head responsibilities related to information security measurement are as follows:

- Ensuring that information security measures are used in support of agency strategic and operational planning processes to secure the organization’s mission;
- Ensuring that information security measures are integrated into annual reporting on the effectiveness of the agency information security program by the Chief Information Officer (CIO);
- Demonstrating support for information security measures development and implementation, and communicating official support to the agency;
- Ensuring that information security measurement activities have adequate financial and human resources for success;
- Actively promoting information security measurement as an essential facilitator of information security performance improvement throughout the agency; and
- Approving policy to officially institute measures collection.

2.2 Chief Information Officer [2]

The Chief Information Officer (CIO) has the following responsibilities related to information security measurement:

- Using information security measures to assist in monitoring compliance with applicable information security requirements;
- Using information security measures in annually reporting on effectiveness of the agency information security program to the agency head;
- Demonstrating management’s commitment to information security measures development and implementation through formal leadership;
- Formally communicating the importance of using information security measures to monitor the overall health of the information security program and to comply with applicable regulations;
- Ensuring information security measurement program development and implementation;
- Allocating adequate financial and human resources to the information security measuremen

[2] When an agency has not designated a formal Chief Information Officer position, FISMA requires the associated responsibilities to be handled by a comparable agency official.

