Following requests from organizations for guidance on measurement programs that support information security goals, the National Institute of Standards and Technology (NIST) has released NIST Special Publication (SP) 800-55 Revision 2: Measurement Guide for Information Security. This two-volume draft document offers information on developing an effective information security measurement program, and a flexible approach for developing information security measures to meet organizational performance goals. NIST is accepting public comments on this draft guidance until March 18, 2024.
The publication is designed to be used with any risk management framework, including NIST’s Cybersecurity Framework or Risk Management Framework. According to NIST, each volume, accessible on NIST.gov, is intended for different audiences:
“Volume 1 – Identifying and Selecting Measures” was written mainly for information security specialists. The document offers a flexible approach to the development, selection, and prioritization of information security measures, and explores both quantitative and qualitative assessment. It also provides basic guidance on data analysis techniques as well as impact and likelihood modeling.
The authors note that qualitative descriptions are appropriate in certain circumstances, explaining that some organizations may want to use a mixture of qualitative and quantitative approaches. Ultimately, focusing on measurement can aid communication within an organization, potentially helping to improve both security and resource allocation.
“Volume 2 – Developing an Information Security Measurement Program,” aimed primarily at the C-suite, is a methodology for how an organization can develop an information security measurement program. It also offers a multi-step workflow for implementing such a program over time.
“When technical teams communicate with management about information security, metrics provide a common language, using trends and numbers to bridge gaps in understanding,” the authors noted. “Organizations want to be able to assess if controls, policies, and procedures are working effectively, efficiently, and how the organization is impacted. Metrics can be used to help prioritize areas for growth, improvement, or re-focusing resources.”
NIST is also proposing to establish a “Community of Interest (CoI)” for stakeholders who are interested in information security measurement. The CoI will work together to share expertise, refine the body of knowledge and resources, and identify opportunities for growth and improvement. To get involved or receive more information, contact [email protected].
Access the documents and instructions for submitting responses via NIST’s news item.