CCAK

Hi All,

NIST is planning to update NIST Special Publication (SP) 800-55 Revision 1, Performance Measurement Guide for Information Security. For more details on an opportunity to provide input, see the Call for Comments which is open through November 19, 2020.

Even as cyber security-based risks and the costs of dealing with those risks are increasing, measuring cybersecurity remains an under-developed topic-one in which there is not even a standard taxonomy for terms such as "measurements" and "metrics." Development of, and agreement on, reliable ways to measure risk and effectiveness would be a major advancement and contribution not only to the cybersecurity community but much more broadly.

Building on its previous efforts, NIST is undertaking a more focused program on measurements related to cybersecurity.  The goal is to support the development and alignment of technical measurements to determine the effect of cybersecurity initiatives and responses on high-level organizational objectives that will support decision making by senior executives and oversight by boards of directors. The initiative will involve and rely upon extensive collaboration with the research, business, and government sectors, including those already offering measurement tools and services. 

------------------------------
Michael Roza CPA, CISA, CIA, MBA, Exec MBA
------------------------------

Thank you for sharing this, @Michael Roza. I haven't thought much about measuring cybersecurity. ​​I do think it is an important topic. What are your thoughts on how cybersecurity should be measured? 

Does anyone else have thoughts on how cybersecurity should be measured? Or how they do measure cybersecurity? 

Also, it looks like the comment period has just recently been extended to December 10, 2020!

Best,

------------------------------
Anna Campbell Schorr
Training Content Development
Cloud Security Alliance
[email protected]
------------------------------

Original Message:
Sent: Nov 16, 2020 11:03:49 PM
From: Michael Roza
Subject: NIST Special Publication (SP) 800-55 Revision 1, Performance Measurement Guide for Information Security Call For Comments

Hi All,

NIST is planning to update NIST Special Publication (SP) 800-55 Revision 1, Performance Measurement Guide for Information Security. For more details on an opportunity to provide input, see the Call for Comments which is open through November 19, 2020.

Even as cyber security-based risks and the costs of dealing with those risks are increasing, measuring cybersecurity remains an under-developed topic-one in which there is not even a standard taxonomy for terms such as "measurements" and "metrics." Development of, and agreement on, reliable ways to measure risk and effectiveness would be a major advancement and contribution not only to the cybersecurity community but much more broadly.

Building on its previous efforts, NIST is undertaking a more focused program on measurements related to cybersecurity.  The goal is to support the development and alignment of technical measurements to determine the effect of cybersecurity initiatives and responses on high-level organizational objectives that will support decision making by senior executives and oversight by boards of directors. The initiative will involve and rely upon extensive collaboration with the research, business, and government sectors, including those already offering measurement tools and services. 

------------------------------
Michael Roza CPA, CISA, CIA, MBA, Exec MBA
------------------------------