I. Define the purpose of InfoSec performance management and the data that it produces.
II. Explain what the purpose of performance measurements (or measures) are and why they need to be monitored in order to make managerial decisions, hold personnel accountable, and improve the effectiveness of the InfoSec function.
III. Review the three types of measurements that organizations commonly apply to performance measurement:
• Effectiveness of the execution of InfoSec policies
• Efficiency of the delivery of InfoSec services
• Impacts of an incident or other security event on the organization or its mission
IV. Classify the four factors that are critical to an InfoSec performance program as outlined in SP 800-55, Rev. 1.
V. Outline the two major activities as recommended by the NIST with respect to InfoSec measurement development processes: identification and definition and measuring development and selection. Additionally, examine the seven phases that are comprised within these activities.
VI. Explain how the 60 percent rule can be used by security personnel when exploring the issues of system and network performance.