Cloud Controls Matrix

NIST Releases Volumes 1 and 2 of SP 800-55 Measurement Guide for Information Security

    Posted Dec 04, 2024 11:50:00 AM

    Hi All,

    NIST has published the final version of Special Publication (SP) 800-55, Measurement Guide for Information Security, which comprises:
    •    SP 800-55v1, Volume 1 - Identifying and Selecting Measures 
    •    SP 800-55v2, Volume 2 - Developing an Information Security Measurement Program 

    Volume 1, Identifying and Selecting Measures, provides a flexible approach to the development, selection, and prioritization of information security measures. This volume explores both quantitative and qualitative assessment and provides basic guidance on data analysis techniques as well as impact and likelihood modeling. Major updates to SP 800-55v1 include:
    •    Introductory guidance on statistical analysis
    •    Exploration of terminology relevant to the measurement and analysis of information technology
    •    New information about measures documentation, reporting, data quality, and uncertainty
    •    Expanded information on selecting and prioritizing measures, including information about developing, testing, and validating measures; comparing measures and assessment results; prioritizing measures; using likelihood and impact modeling; weighing scales; and evaluating methods for supporting continuous improvement

    Volume 2, Developing an Information Security Measurement Program, provides a flexible methodology and workflow. Major updates to SP 800-55v2 include:
    •    A new workflow for developing and implementing an information security measurement program
    •    Expanded sections on measurement program benefits, program scope, foundations for a successful program, roles and responsibilities, the programmatic value of metrics, measures communication, organizational considerations, manageability, and data management concerns



    ------------------------------
    Michael Roza CPA, CISA, CIA, CC, CCSKv5, CCZTv1, MBA, EMBA, CSA
    ------------------------------