The quintessential guide to evaluating the effectiveness of security controls applied to information systems and information security programs has been updated to reflect recent security advances. The National Institute of Standards and Technology published Special Publication 800-55 Revision 1, Performance Measurement Guide for Information Security, in late July.
For the past five years, SP 800-55 has provided information technology and security professionals with a process for developing, selecting and implementing performance measures to facilitate decision making, improve performance and increase accountability. The guide describes how an agency can use its information system and program security controls to succeed in achieving its mission.
The update expands upon NIST's previous work in this area. It provides additional program-level guidelines for measuring information security performance in support of organizational strategic goals. It also aligns performance measurement with the security controls in NIST SP 800-53, Recommended Security Controls for Federal Information Systems.
A PDF of the new SP 800-55 Revision 1 is available at: http://csrc.nist.gov/publications/PubsSPs.html#800-55_Rev1.