Metrics can be used to measure security policy implementation, the effectiveness and efficiency of security services delivery, and the impact of security events on business processes. The measurement of security characteristics can allow management to increase control and drive improvements to the security process.
Metrics may not measure conformance to policy directly. Policies frequently are general statements that lack the specificity necessary for measurement. Metrics generally are formed to measure conformance to the standards and procedures that are used to implement policies. Those standards may be developed by the institution, developed or recognized by the financial institution industry (e.g. BITS), or developed or recognized for business in general. An example of the third is ISO 17799.
The adoption of standards, however, does not mean that a metrics system can or should be instituted. Metrics are best used in mature security processes, when
The degree to which a security metrics program mitigates risk is a function of the comprehensiveness and accuracy of the measurements and the analysis and use of those measurements. The measurements should be sufficient to justify security decisions that affect the institution's security posture, allocate resources to security-related tasks, and provide a basis for security-related reports.