Performance Measurement Guide For Information Security


NIST Special Publication 800-55 Revision 1

Performance Measurement Guide for Information Security

Elizabeth Chew, Marianne Swanson, Kevin Stine, Nadya Bartol, Anthony Brown, and Will Robinson

INFORMATION SECURITY

Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

July 2008

U.S. Department of Commerce
Carlos M. Gutierrez, Secretary

National Institute of Standards and Technology
James M. Turner, Deputy Director

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. This Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information security, and its collaborative activities with industry, government, and academic organizations.

Authority

This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.

NIST is responsible for developing standards and guidelines, including minimum requirements, and for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.

This guideline has been prepared for use by federal agencies. It may also be used by nongovernmental organizations on a voluntary basis and is not subject to copyright regulations. (Attribution would be appreciated by NIST.)

Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Acknowledgements

The authors wish to thank Joan Hash (NIST), Arnold Johnson (NIST), Elizabeth Lennon (NIST), Karen Scarfone (NIST), Kelley Dempsey (NIST), and Karen Quigg (MITRE) who reviewed drafts of this document and/or contributed to its development. The authors also gratefully acknowledge and appreciate the many contributions from individuals and organizations in the public and private sectors whose thoughtful and constructive comments improved the quality and usefulness of this publication.

TABLE OF CONTENTS

EXECUTIVE SUMMARY ..... viii

1. INTRODUCTION ..... 1
1.1 Purpose and Scope ..... 1
1.2 Audience ..... 2
1.3 History ..... 2
1.4 Critical Success Factors ..... 3
1.5 Relationship to Other NIST Documents ..... 4
1.6 Document Organization ..... 5

2. ROLES AND RESPONSIBILITIES ..... 6
2.1 Agency Head ..... 6
2.2 Chief Information Officer ..... 6
2.3 Senior Agency Information Security Officer ..... 7
2.4 Program Manager/Information System Owner ..... 8
2.5 Information System Security Officer ..... 8
2.6 Other Related Roles ..... 8

3. INFORMATION SECURITY MEASURES BACKGROUND ..... 9
3.1 Definition ..... 9
3.2 Benefits of Using Measures ..... 10
3.3 Types of Measures ..... 11
3.3.1 Implementation Measures ..... 13
3.3.2 Effectiveness/Efficiency Measures ..... 13
3.3.3 Impact Measures ..... 14
3.4 Measurement Considerations ..... 15
3.4.1 Organizational Considerations ..... 15
3.4.2 Manageability ..... 15
3.4.3 Data Management Concerns ..... 16
3.4.4 Automation of Measurement Data Collection ..... 16
3.5 Information Security Measurement Program Scope ..... 17
3.5.1 Individual Information Systems ..... 17
3.5.2 System Development Life Cycle ..... 17
3.5.3 Enterprise-Wide Programs ..... 19

4. LEGISLATIVE AND STRATEGIC DRIVERS ..... 20
4.1 Legislative Considerations ..... 20
4.1.1 Government Performance Results Act ..... 20
4.1.2 Federal Information Security Management Act ..... 21
4.2 Federal Enterprise Architecture ..... 22
4.3 Linkage Between Enterprise Strategic Planning and Information Security ..... 23

5. MEASURES DEVELOPMENT PROCESS ..... 24
5.1 Stakeholder Interest Identification ..... 25
5.2 Goals and Objectives Definition ..... 26
5.3 Information Security Policies, Guidelines, and Procedures Review ..... 27
5.4 Information Security Program Implementation Review ..... 27
5.5 Measures Development and Selection ..... 28
5.5.1 Measures Development Approach ..... 29
5.5.2 Measures Prioritization and Selection ..... 29
5.5.3 Establishing Performance Targets ..... 30
5.6 Measures Development Template ..... 31
5.7 Feedback Within the Measures Development Process ..... 33

6. INFORMATION SECURITY MEASUREMENT IMPLEMENTATION ..... 35
6.1 Prepare for Data Collection ..... 35
6.2 Collect Data and Analyze Results ..... 36
6.3 Identify Corrective Actions ..... 38
6.4 Develop Business Case and Obtain Resources ..... 38
6.5 Apply Corrective Actions ..... 40

APPENDIX A: CANDIDATE MEASURES ..... A-1
APPENDIX B: ACRONYMS ..... B-1
APPENDIX C: REFERENCES ..... C-1
APPENDIX D: SPECIFICATIONS FOR MINIMUM SECURITY REQUIREMENTS ..... D-1

LIST OF FIGURES

Figure 1-1. Information Security Measurement Program Structure ..... 3
Figure 3-1. Information Security Program Maturity and Types of Measurement ..... 12
Figure 5-1. Information Security Measures Development Process ..... 25
Figure 5-2. Information Security Measures Trend Example ..... 31
Figure 6-1. Information Security Measurement Program Implementation Process ..... 35

LIST OF TABLES

Table 1. Measurement During System Development ..... 18
Table 2. Measures Template and Instructions ..... 32

EXECUTIVE SUMMARY

This document is a guide to assist in the development, selection, and implementation of measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs. Such measures are used to facilitate decision making, improve performance, and increase accountability through the collection, analysis, and reporting of relevant performance-related data—providing a way to tie the implementation, efficiency, and effectiveness of information system and program security controls to an agency’s success in achieving its mission. The performance measures development process described in this guide will assist agency information security practitioners in establishing a relationship between information system and program security activities under their purview and the agency mission, helping to demonstrate the value of information security to their organization.

A number of existing laws, rules, and regulations—including the Clinger-Cohen Act, the Government Performance and Results Act (GPRA), the Government Paperwork Elimination Act (GPEA), and the Federal Information Security Management Act (FISMA)—cite information performance measurement in general, and information security performance measurement in particular, as a requirement. In addition to legislative compliance, agencies can use performance measures as management tools in their internal improvement efforts and link implementation of their information security programs to agency-level strategic planning efforts.

The following factors must be considered during development and implementation of an information security measurement program:

- Measures must yield quantifiable information (percentages, averages, and numbers);
- Data that supports the measures needs to be readily obtainable;
- Only repeatable information security processes should be considered for measurement; and
- Measures must be useful for tracking performance and directing resources.

The measures development process described in this document ensures that measures are developed with the purpose of identifying causes of poor performance and pointing to appropriate corrective actions.

This document focuses on the development and collection of three types of measures:

- Implementation measures to measure execution of security policy;
- Effectiveness/efficiency measures to measure results of security services delivery; and
- Impact measures to measure business or mission consequences of security events.

The types of measures that can realistically be obtained, and that can also be useful for performance improvement, depend on the maturity of the agency’s information security program and the information system’s security control implementation. Although different types of measures can be used simultaneously, the primary focus of information security measures shifts as the implementation of security controls matures.

1. INTRODUCTION

The requirement to measure information security performance is driven by regulatory, financial, and organizational reasons. A number of existing laws, rules, and regulations cite information performance measurement in general, and information security performance measurement in particular, as a requirement. These laws include the Clinger-Cohen Act, the Government Performance and Results Act (GPRA), the Government Paperwork Elimination Act (GPEA), and the Federal Information Security Management Act (FISMA).

While these laws, rules, and regulations are important drivers for information security measurement, equally compelling are the benefits that information security performance measurement can yield for organizations. Agencies can use performance measures as management tools in their internal improvement efforts and link implementation of their information security programs to agency-level strategic planning efforts. Information security measures are used to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data. They provide the means for tying the implementation, efficiency, and effectiveness of security controls to an agency’s success in its mission-critical activities. The performance measures development process described in this document will assist agency information security practitioners in establishing a relationship between information system and program security activities under their purview and the agency mission, helping to demonstrate the value of information security to their organization.

1.1 Purpose and Scope

This document is a guide for the specific development, selection, and implementation of information system-level and program-level measures to indicate the implementation, efficiency/effectiveness, and impact of security controls, and other security-related activities. It provides guidelines on how an organization, through the use of measures, identifies the adequacy of in-place security controls, policies, and procedures. It provides an approach to help management decide where to invest in additional information security resources, identify and evaluate nonproductive security controls, and prioritize security controls for continuous monitoring. It explains the measurement development and implementation processes and how measures can be used to adequately justify information security investments and support risk-based decisions. The results of an effective information security measurement program can provide useful data for directing the allocation of information security resources and should simplify the preparation of performance-related reports. Successful implementation of such a program assists agencies in meeting the annual requirements of the Office of Management and Budget (OMB) to report the status of agency information security programs.

NIST Special Publication (SP) 800-55, Revision 1, expands upon NIST’s previous work in the field of information security measures to provide additional program-level guidelines for quantifying information security performance in support of organizational strategic goals. The processes and methodologies described in this document link information system security performance to agency performance by leveraging agency-level strategic planning processes. By doing so, the processes and methodologies help demonstrate how information security contributes to accomplishing agency strategic goals and objectives. Performance measures developed according to this guide will enhance the ability of agencies to respond to a variety of federal government mandates and initiatives, including FISMA.

This publication uses the security controls identified in NIST SP 800-53, Recommended Security Controls for Federal Information Systems, as a basis for developing measures that support the evaluation of information security programs. In addition to providing guidelines on developing measures, the guide lists a number of candidate measures that agencies can tailor, expand, or use as models for developing other measures.[1] While focused on NIST SP 800-53 security controls, the process described in this guide can be applied to develop agency-specific measures related to security controls that are not included in NIST SP 800-53.

The information security measurement program described in this document can be helpful in fulfilling regulatory requirements. The program provides an underlying data collection, analysis, and reporting infrastructure that can be tailored to support FISMA performance measures, Federal Enterprise Architecture’s (FEA) Performance Reference Model (PRM) requirements, and any other enterprise-specific requirements for reporting quantifiable information about information security performance.

1.2 Audience

This guide is written primarily for Chief Information Officers (CIOs), Senior Agency Information Security Officers (SAISOs)—often referred to as Chief Information Security Officers (CISOs)—and Information System Security Officers (ISSOs). It targets individuals who are familiar with security controls as described in NIST SP 800-53. The concepts, processes, and candidate measures presented in this guide can be used within government and industry contexts.

1.3 History

The approach for measuring security control effectiveness has been under development for several years. NIST SP 800-55, Security Metrics Guide for Information Technology Systems, and NIST Draft SP 800-80, Guide to Developing Performance Metrics for Information Security, both addressed information security measurement. This document supersedes these publications by building upon them to align this approach with security controls provided in NIST SP 800-53, Recommended Security Controls for Federal Informa
