Does your organization collect and analyze security performance metrics to drive improvements to your cybersecurity program?
Explanation
This question is about measuring in order to improve: specifically, whether you collect and analyze security performance metrics and use them to strengthen your cybersecurity program. Performance metrics might include mean time to detect and respond to incidents, vulnerability remediation times, security tool coverage, or false positive rates from security monitoring tools.
Evidence could include dashboards or reports showing security metrics over time with trend analysis, documentation of program improvements made based on metric findings, or meeting minutes where security metrics were reviewed and acted upon by leadership.
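As an added illustration (not part of this question catalog), the script below computes several of the metrics named above from constructed sample records and compares two reporting periods, which is the kind of trend analysis the evidence list refers to. All incident, vulnerability and alert data, the period labels, and the SLA values are hypothetical.

```python
"""Security performance metrics (MTTD, MTTR, remediation time, SLA breaches,
false positive rate) computed from sample records and compared across two
reporting periods. Added example; every record below is constructed."""
from datetime import datetime
from statistics import mean

# Constructed sample incident records (hypothetical values for illustration).
# occurred -> detected gives time to detect; detected -> resolved gives time to respond.
INCIDENTS = [
    {"period": "Q1", "occurred": "2024-01-03T08:00", "detected": "2024-01-05T08:00", "resolved": "2024-01-06T08:00"},
    {"period": "Q1", "occurred": "2024-02-10T09:00", "detected": "2024-02-11T09:00", "resolved": "2024-02-12T21:00"},
    {"period": "Q2", "occurred": "2024-04-02T10:00", "detected": "2024-04-02T16:00", "resolved": "2024-04-03T04:00"},
    {"period": "Q2", "occurred": "2024-05-20T07:00", "detected": "2024-05-20T19:00", "resolved": "2024-05-21T07:00"},
]
# Constructed vulnerability findings with discovery and remediation dates.
VULNS = [
    {"period": "Q1", "severity": "critical", "found": "2024-01-02", "fixed": "2024-01-12"},
    {"period": "Q1", "severity": "high", "found": "2024-01-05", "fixed": "2024-01-25"},
    {"period": "Q2", "severity": "critical", "found": "2024-04-01", "fixed": "2024-04-05"},
    {"period": "Q2", "severity": "high", "found": "2024-04-10", "fixed": "2024-04-25"},
]
# Constructed alert volume vs. confirmed true positives from a monitoring tool, per period.
ALERTS = {"Q1": {"total": 200, "true_positive": 20}, "Q2": {"total": 150, "true_positive": 30}}
# Hypothetical remediation SLA in days, by severity.
SLA_DAYS = {"critical": 7, "high": 30}


def _hours(start, end, fmt="%Y-%m-%dT%H:%M"):
    """Elapsed hours between two timestamps in the given format."""
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600


def _days(start, end):
    """Elapsed days between two ISO dates."""
    return _hours(start, end, "%Y-%m-%d") / 24


def incident_metrics(period):
    """Mean time to detect (occurred->detected) and to respond (detected->resolved), in hours."""
    recs = [r for r in INCIDENTS if r["period"] == period]
    return {
        "mttd_hours": mean(_hours(r["occurred"], r["detected"]) for r in recs),
        "mttr_hours": mean(_hours(r["detected"], r["resolved"]) for r in recs),
    }


def vulnerability_metrics(period):
    """Mean days to remediate and the fraction of findings closed after their SLA."""
    recs = [v for v in VULNS if v["period"] == period]
    ages = [_days(v["found"], v["fixed"]) for v in recs]
    breaches = sum(1 for v, age in zip(recs, ages) if age > SLA_DAYS[v["severity"]])
    return {"mean_remediation_days": mean(ages), "sla_breach_rate": breaches / len(recs)}


def alert_metrics(period):
    """False positive rate: share of alerts that were not confirmed as incidents."""
    a = ALERTS[period]
    return {"false_positive_rate": 1 - a["true_positive"] / a["total"]}


def period_metrics(period):
    """All metrics for one reporting period in a single dictionary."""
    m = {}
    for f in (incident_metrics, vulnerability_metrics, alert_metrics):
        m.update(f(period))
    return m


def trend(earlier, later):
    """Compare two periods; every metric here is lower-is-better."""
    a, b = period_metrics(earlier), period_metrics(later)
    return {
        k: {
            "from": round(a[k], 2),
            "to": round(b[k], 2),
            "status": "improved" if b[k] < a[k] else "regressed" if b[k] > a[k] else "unchanged",
        }
        for k in a
    }


if __name__ == "__main__":
    # Print a small trend report, the kind of table a quarterly metrics review would look at.
    for name, row in trend("Q1", "Q2").items():
        print(f"{name:24} {row['from']:>8} -> {row['to']:>8}  {row['status']}")
```

The "status" column is what turns a dashboard into evidence of improvement: a metric that regresses between periods should map to a documented corrective action, and one that improves can be traced back to the change that caused it.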
Implementation Example
Collect and analyze performance metrics using security tools and services to inform improvements to the cybersecurity program
ID: ID.IM-02.185
Context
- Function: IDENTIFY
- Category: ID.IM (Improvement)
- Sub-Category: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties
Related questions
- Does your organization regularly conduct self-assessments of critical services that incorporate current threat intelligence and adversary tactics, techniques, and procedures (TTPs)?
- Has your organization conducted third-party assessments or independent audits of your cybersecurity program within the past 12 months?
- Does your organization utilize automated tools or systems to continuously evaluate compliance with your established cybersecurity requirements?
- Does your organization have a process to identify and implement improvements to incident response procedures based on findings from exercises, tests, and reviews?
- Does your organization have a formal process to identify and implement improvements to business continuity, disaster recovery, and incident response plans based on exercises conducted with critical service providers and suppliers?
- Does your organization involve internal stakeholders (such as senior executives, legal, and HR) in security tests and exercises?