G.5.3 Security metrics
Control Details
Objective
Provide the basis for measuring whether the plan for tracking and realizing software security objectives within an organization is effective.
Definition
Identify and regularly review metrics to measure the effectiveness of the software security program, including establishing Key Performance Indicators (KPIs). The regular review can drive budgeting and resource allocation and measure performance against risk appetite and risk tolerance statements. Publish data/dashboards about the state of software security within the organization. Where possible, automate metrics collection via security telemetry to gather measurements that improve efficiency and objectivity.
Assessment Questions
- What security metrics do you track to indicate how you are doing relative to developing secure software products and having an effective and efficient software security program (e.g., security outcomes, MTTR)?
- Are these metrics collected automatically or manually?
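The following is an added illustration, not part of the control text: an automated computation of one of the metrics named above (MTTR, mean time to remediate) from a constructed set of vulnerability tickets, compared against hypothetical per-severity risk tolerance thresholds. Ticket data and the tolerance values are made up for this example.

```python
from datetime import datetime
from statistics import mean

# Constructed sample of vulnerability tickets exported from a tracker (not real data).
# A ticket with "closed": None is still open and does not contribute to MTTR.
TICKETS = [
    {"id": "VULN-1", "severity": "critical", "opened": "2024-03-01T09:00", "closed": "2024-03-03T09:00"},
    {"id": "VULN-2", "severity": "critical", "opened": "2024-03-05T00:00", "closed": "2024-03-15T00:00"},
    {"id": "VULN-3", "severity": "high", "opened": "2024-03-01T00:00", "closed": "2024-04-30T00:00"},
    {"id": "VULN-4", "severity": "high", "opened": "2024-03-10T00:00", "closed": "2024-03-20T00:00"},
    {"id": "VULN-5", "severity": "medium", "opened": "2024-01-01T00:00", "closed": "2024-02-10T00:00"},
    {"id": "VULN-6", "severity": "high", "opened": "2024-04-01T00:00", "closed": None},
]

# Hypothetical risk tolerance statement: maximum acceptable MTTR in days per severity.
TOLERANCE_DAYS = {"critical": 7, "high": 30, "medium": 90}


def time_to_remediate_days(ticket):
    """Elapsed days between opening and closing a ticket (fractional)."""
    opened = datetime.fromisoformat(ticket["opened"])
    closed = datetime.fromisoformat(ticket["closed"])
    return (closed - opened).total_seconds() / 86400


def mttr_by_severity(tickets):
    """Mean time to remediate, in days, for each severity, over closed tickets only."""
    durations = {}
    for t in tickets:
        if t["closed"] is None:
            continue
        durations.setdefault(t["severity"], []).append(time_to_remediate_days(t))
    return {sev: round(mean(days), 2) for sev, days in durations.items()}


def open_backlog(tickets):
    """Number of tickets still open; a companion KPI so MTTR alone cannot hide unresolved findings."""
    return sum(1 for t in tickets if t["closed"] is None)


def tolerance_report(tickets, tolerance=TOLERANCE_DAYS):
    """Per-severity MTTR with a flag showing whether it sits within the stated tolerance."""
    return {
        sev: {"mttr_days": days, "within_tolerance": days <= tolerance[sev]}
        for sev, days in mttr_by_severity(tickets).items()
    }


if __name__ == "__main__":
    for sev, row in tolerance_report(TICKETS).items():
        print(f"{sev:9s} MTTR={row['mttr_days']:6.2f} days  within tolerance: {row['within_tolerance']}")
    print("open backlog:", open_backlog(TICKETS))
```

Feeding the same functions from a real tracker export on a schedule gives the automated, objective KPI feed the control calls for; the tolerance flags are what a dashboard or budgeting review would surface.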