NIST revises guidelines for IT security metrics
- By William Jackson
- Jul 22, 2008
The National Institute of Standards and Technology has released a revised version of guidelines for developing metrics to ensure that agencies meet information technology security requirements.Special Publication 800-55, Revision 1
, titled 'Performance Measurement Guide for Information Security,' is intended to assist agencies in developing, selecting and implementing security measures used at the IT system and program levels. It uses security controls identified in NIST SP 800-53, 'Recommended Security Controls for Federal Information Systems,' as a basis for developing metrics that support the evaluation of IT security programs. The original version of SP 800-55 was published in 2003.
Requirements for securing and evaluating IT systems are included in a number of laws, including the Clinger-Cohen Act, the Government Performance and Results Act, the Government Paperwork Elimination Act and the Federal Information Security Management Act. However, the laws do not specify how agencies are to conduct the evaluations, so the NIST document provides the necessary guidance.
'The performance measures development process described in this guide will assist agency information security practitioners in establishing a relationship between information system and program security activities'and the agency mission, helping to demonstrate the value of information security to the organization,' the publication states.
Revision 1 expands on NIST's previous work to provide additional program-level guidelines for quantifying information security performance in support of organizations' strategic goals. The methodologies link IT security performance to agency performance through the strategic planning process.
Metrics, or measurable standards, monitor the effectiveness of goals and objectives established for IT security. They also evaluate the implementation of security policy, the results of security services and the impact of security events on an agency's mission.
According to the guidelines, worthwhile metrics must:
- Yield quantifiable information, such as percentages, averages and numbers.
- Be readily obtainable from repeatable processes.
- Be useful in tracking performance and allocating resources.
The document focuses on the development and collection of three types of measures:
- Implementation measures that gauge execution of security policy.
- Effectives and efficiency measures that assess the results.
- Impact measures that gauge business or mission consequences.
William Jackson is a Maryland-based freelance writer.