The National Institute of Standards and Technology has released the final version of Special Publication 800-55, titled “Measurement Guide for Information Security.” The NIST Computer Security Resource Center said Wednesday that the special publication forms part of NIST’s Measurements for Information Security project, which seeks to develop approaches in selecting, assessing and managing measures and metrics to help organizations manage their information security risk.
The special publication comes in two volumes, with each focusing on different stages of a cybersecurity program’s implementation, according to Nextgov/FCW.
Security Measurement and Assessment
Volume 1 of the publication, titled “Identifying and Selecting Measures,” tackles technical issues related to security measurement and assessment. Updates to the volume include introductory guidance on statistical analysis; new information on measures documentation, reporting, data quality and uncertainty; and expanded information on selecting and prioritizing measures.
Translating Findings Into Results
Volume 2, titled “Developing an Information Security Measurement Program,” seeks to engage leadership with the findings of the assessments discussed in Volume 1 so that those findings can be translated into results. Updates to the volume include a new workflow for developing and implementing an information security measurement program, and various expanded sections, including those on measurement program benefits, the programmatic value of metrics and data management concerns.
SP 800-55 serves to complement other NIST network and information security publications.