PM-6—Measures Of Performance
PRIVACY
>Control Description
Develop, monitor, and report on the results of information security and privacy measures of performance.
>Cross-Framework Mappings
>Supplemental Guidance
Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program. To facilitate security and privacy risk management, organizations consider aligning measures of performance with the organizational risk tolerance as defined in the risk management strategy.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is the process for developing and implementing security and privacy measures of performance for organizational systems?
- How does the organization ensure the measures are defined and collected consistently across systems?
- Who oversees the development, collection, and reporting of security and privacy measures of performance?
- How are the measures validated and tested to confirm they reflect the effectiveness or efficiency of the controls they cover?
- What governance exists for updating the measures in response to new threats, vulnerabilities, or changes in risk tolerance?
Technical Implementation:
- What enterprise-level security and privacy tools are deployed to collect and report the measures?
- How are the measures implemented consistently across systems?
- What automation or orchestration tools support collecting and reporting the measures?
- How are the measures monitored at the enterprise level, and how are results reported?
- What centralized security services or capabilities are available to systems for collecting the measures?
Evidence & Documentation:
- Provide documentation of the security and privacy measures of performance in use organization-wide.
- Provide evidence that the measures are collected consistently across systems.
- Provide reports on the results of the measures and assessments of their effectiveness.
- Provide records of updates to the measures in response to new threats.