File attributes:
File name: NIST SP800-55.pdf
File size: 569KB
File format: PDF
Updated: 2023-03-10 06:32:35
NIST SP800
The requirement to measure information technology (IT) security performance is driven by
regulatory, financial, and organizational reasons. A number of existing laws, rules, and
regulations cite IT performance measurement in general, and IT security performance
measurement in particular, as a requirement. These laws include the Clinger-Cohen Act,
Government Performance and Results Act (GPRA), Government Paperwork Elimination Act
(GPEA), and Federal Information Security Management Act (FISMA).
This document is intended to be a guide for the specific development, selection, and
implementation of IT system-level metrics to be used to measure the performance of information
security controls and techniques. IT security metrics are tools designed to facilitate decision
making and improve performance and accountability through collection, analysis, and reporting
of relevant performance-related data. This document provides guidance on how an organization,
through the use of metrics, identifies the adequacy of in-place security controls, policies, and
procedures. It provides an approach to help management decide where to invest in additional
security protection resources or identify and evaluate nonproductive controls. It explains the
metrics development and implementation processes and how metrics can be used to adequately
justify security control investments. The results of an effective IT security metrics program can
provide useful data for directing the allocation of information security resources and should
simplify the preparation of performance-related reports. Successful implementation of such a
program assists agencies in meeting the annual requirements of the Office of Management and
Budget (OMB) to report the status of agency IT security programs.