
Performance measurement guide for information security

NIST Special Publication 800-55 Revision 1

Performance Measurement Guide for Information Security

Elizabeth Chew, Marianne Swanson, Kevin Stine, Nadya Bartol, Anthony Brown, and Will Robinson

INFORMATION SECURITY

Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930

July 2008

U.S. Department of Commerce, Carlos M. Gutierrez, Secretary
National Institute of Standards and Technology, James M. Turner, Deputy Director

Reports on Computer Systems Technology


The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. This Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information security, and its collaborative activities with industry, government, and academic organizations.

Authority

This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.

This guideline has been prepared for use by federal agencies. It may also be used by nongovernmental organizations on a voluntary basis and is not subject to copyright regulations. (Attribution would be appreciated by NIST.)

Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Acknowledgements

The authors wish to thank Joan Hash (NIST), Arnold Johnson (NIST), Elizabeth Lennon (NIST), Karen Scarfone (NIST), Kelley Dempsey (NIST), and Karen Quigg (MITRE) who reviewed drafts of this document and/or contributed to its development. The authors also gratefully acknowledge and appreciate the many contributions from individuals and organizations in the public and private sectors whose thoughtful and constructive comments improved the quality and usefulness of this publication.

TABLE OF CONTENTS (section headings recovered from the scan; page numbers omitted)

EXECUTIVE SUMMARY
1. INTRODUCTION
2. ROLES AND RESPONSIBILITIES
3. INFORMATION SECURITY MEASURES BACKGROUND
4. LEGISLATIVE AND STRATEGIC DRIVERS
5. MEASURES DEVELOPMENT PROCESS
6. INFORMATION SECURITY MEASUREMENT IMPLEMENTATION
APPENDIX A: CANDIDATE MEASURES
APPENDIX B
APPENDIX C
APPENDIX D: SPECIFICATIONS FOR MINIMUM SECURITY REQUIREMENTS

LIST OF FIGURES
Figure 1-1. Information Security Measurement Program
Figure 3-1. Information Security Program Maturity and Types of Measures
Figure 5-1. Information Security Measures Development Process
Figure 5-2. Information Security Measures Trend
Figure 6-1. Information Security Measurement Program Implementation

LIST OF TABLES
Table 1. Measurement During System Development
Table 2. Measures Template and Instructions

EXECUTIVE SUMMARY

This document is a guide to assist in the development, selection, and implementation of measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs. Such measures are used to facilitate decision making, improve performance, and increase accountability through the collection, analysis, and reporting of relevant performance-related data, providing a way to tie the implementation, efficiency, and effectiveness of information system and program security controls to an agency's success in achieving its mission. The performance measures development process described in this guide will assist agency information security practitioners in establishing a relationship between information system and program security activities under their purview and the agency mission, helping to demonstrate the value of information security to their organization.

A number of existing laws, rules, and regulations, including the Clinger-Cohen Act, the Government Performance and Results Act (GPRA), the Government Paperwork Elimination Act (GPEA), and the Federal Information Security Management Act (FISMA), cite information performance measurement in general, and information security performance measurement in particular, as a requirement. In addition to legislative compliance, agencies can use performance measures as management tools in their internal improvement efforts and link implementation of their information security programs to agency-level strategic planning efforts.

The following factors must be considered during development and implementation of an information security measurement program:

- Measures must yield quantifiable information (percentages, averages, and numbers);
- Data that supports the measures needs to be readily obtainable;
- Only repeatable information security processes should be considered for measurement; and
- Measures must be useful for tracking performance and directing resources.

The measures development process described in this document ensures that measures are developed with the purpose of identifying causes of poor performance and pointing to appropriate corrective actions.

This document focuses on the development and collection of three types of measures:

- Implementation measures to measure execution of security policy;
- Effectiveness/efficiency measures to measure results of security services delivery; and
- Impact measures to measure business or mission consequences of security events.

The types of measures that can realistically be obtained, and that can also be useful for performance improvement, depend on the maturity of the agency's information security program and the information system's security control implementation. Although different types of measures can be used simultaneously, the primary focus of information security measures shifts as the implementation of security controls matures.

1. INTRODUCTION

