U.S. Department of Homeland Security

Software Assurance

Measurement & Business Case Working Group

Organizations

Practical Software and Systems Measurement

Practical Software and Systems Measurement (PSM) was developed to meet today's software and system technical and management challenges. It is an information-driven measurement process that addresses the unique technical and business goals of an organization. The guidance in PSM represents the best practices used by measurement professionals within the software and system acquisition and engineering communities.

International Systems Security Engineering Association

Society's ever-increasing reliance on information has made the protection of that information imperative. Many products, systems, and services are needed to maintain and protect information. As a result, the focus of systems security engineering has expanded from one primarily concerned with safeguarding classified government data to broader applications including financial transactions, contractual agreements, personal information, and the Internet.

Object Management Group

OMG™ is an international, open membership, not-for-profit computer industry consortium. OMG Task Forces develop enterprise integration standards for a wide range of technologies, and an even wider range of industries. OMG’s modeling standards enable visual design, execution, and maintenance of software and other processes. OMG’s middleware standards and profiles are based on the Common Object Request Broker Architecture (CORBA®) and support a wide variety of industries. All of their specifications may be downloaded without charge from their Web site.

Carnegie Mellon® Software Engineering Institute

Capability Maturity Model® Integration (CMMI) is a process improvement approach that provides organizations with the essential elements of effective processes. It can be used to guide process improvement across a project, a division, or an entire organization. CMMI helps integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes.

NIST Computer Security Division

The CSD mission is to provide standards and technology to protect information systems against threats to the confidentiality of information, integrity of information and processes, and availability of information and services in order to build trust and confidence in Information Technology (IT) systems.

Project Management Institute

The Project Management Body of Knowledge (PMBOK) is the sum of knowledge within the profession of project management.

Measurement Standards and Guidelines

NIST Special Publication 800-55 Revision 1, Performance Measurement Guide for Information Security

Provides guidelines on how an organization, through the use of measures, identifies the adequacy of in-place security controls, policies, and procedures. It provides an approach to help management decide where to invest in additional information security resources, identify and evaluate nonproductive security controls, and prioritize security controls for continuous monitoring. It explains the measurement development and implementation processes and how measures can be used to adequately justify information security investments and support risk-based decisions.

ISO/IEC CD 27004, Information Security Management Measurement

Provides guidance on the development and use of measures in order to assess the effectiveness of information security management system processes, control objectives and controls as specified in ISO/IEC 27001. This standard is applicable to all types and sizes of organization.

ISO/IEC 15939:2007, Systems and Software Engineering - Measurement Process

Identifies the activities and tasks that are necessary to successfully identify, define, select, apply, and improve measurement within an overall project or organisational measurement structure. It also provides definitions for measurement terms commonly used within the software and system engineering industry.

Measurement Frameworks

Practical Measurement Framework for Software Assurance and Information Security, Version 1.0, October 2008

Program Assessment Reporting Tool (PART)

The PART was developed to assess and improve program performance so that the Federal government can achieve better results. A PART review helps identify a program’s strengths and weaknesses to inform funding and management decisions aimed at making the program more effective.

The President's Management Agenda (PMA) Scorecard

The Executive Branch Management Scorecard tracks how well the departments and major agencies are executing the five government-wide management initiatives.

ISO/IEC 15408, Evaluation criteria for IT security (a.k.a. Common Criteria)

ISO/IEC 15443, A framework for IT security assurance

Articles and Aids

Corporate Information Security Working Group Report of the Best Practices and Metrics Teams

Sahinoglu, Mehmet. "Security Meter: A Practical Decision-Tree Model to Quantify Risk." IEEE Security & Privacy Vol. 3, No. 3 (May/June 2005), pp. 18-24. Available on IEEE Digital Library.

SSE CMM Metrics Overview and SSE CMM Metrics

Security Requirements, Goals, and Objectives

NIST Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems

NIST SP 800-53, Rev 1, Recommended Security Controls for Federal Information Systems

ISO/IEC 27001, Information Security Management System (ISMS) Requirements

ISO/IEC 27002, Code of Practice for Information Security Management

ISO/IEC 21827, System Security Engineering Capability Maturity Model (SSE CMM)

FAA iCMM

Control Objectives for Information Technology (COBIT)

Tools and Techniques

DataDrill

Making Security Measurable

President's Management Agenda (PMA) Scorecard

Program Assessment Reporting Tool (PART)

PSM Insight