TABLE OF CONTENTS

EXECUTIVE SUMMARY ........................................................................................ viii
1. INTRODUCTION ................................................................................................. 1
1.1 Purpose and Scope ........................................................................................ 1
1.2 Audience ...................................................................................................... 2
1.3 History ........................................................................................................ 2
1.4 Critical Success Factors ................................................................................ 3
1.5 Relationship to Other NIST Documents ......................................................... 4
1.6 Document Organization ................................................................................ 5
2. ROLES AND RESPONSIBILITIES ........................................................................ 6
2.1 Agency Head ................................................................................................ 6
2.2 Chief Information Officer .............................................................................. 6
2.3 Senior Agency Information Security Officer .................................................... 7
2.4 Program Manager/Information System Owner ................................................ 8
2.5 Information System Security Officer .............................................................. 8
2.6 Other Related Roles ...................................................................................... 8
3. INFORMATION SECURITY MEASURES BACKGROUND ....................................... 9
3.1 Definition ..................................................................................................... 9
3.2 Benefits of Using Measures ........................................................................... 10
3.3 Types of Measures ........................................................................................ 11
3.3.1 Implementation Measures .......................................................................... 13
3.3.2 Effectiveness/Efficiency Measures .............................................................. 13
3.3.3 Impact Measures ....................................................................................... 14
3.4 Measurement Considerations ......................................................................... 15
3.4.1 Organizational Considerations .................................................................... 15
3.4.2 Manageability ............................................................................................ 15
3.4.3 Data Management Concerns ....................................................................... 16
3.4.4 Automation of Measurement Data Collection ............................................... 16
3.5 Information Security Measurement Program Scope ......................................... 17
3.5.1 Individual Information Systems .................................................................. 17
3.5.2 System Development Life Cycle ................................................................. 17
3.5.3 Enterprise-Wide Programs ......................................................................... 19
4. LEGISLATIVE AND STRATEGIC DRIVERS ........................................................ 20
4.1 Legislative Considerations ............................................................................ 20
4.1.1 Government Performance Results Act ......................................................... 20
4.1.2 Federal Information Security Management Act ........................................... 21
4.2 Federal Enterprise Architecture ..................................................................... 22
4.3 Linkage Between Enterprise Strategic Planning and Information Security ....... 23
5. MEASURES DEVELOPMENT PROCESS ............................................................. 24
5.1 Stakeholder Interest Identification ................................................................ 25