The National Institute of Standards and Technology revised a special publication designed to guide organizations in the measurement of their cybersecurity infrastructure’s effectiveness.
NIST on Wednesday launched a solicitation for public comment for its draft guidance, which can be implemented alongside the institute’s Cybersecurity Framework.
The first of the two-volume special publication centers on quantitative and qualitative metrics, data analysis techniques and impact and likelihood modeling. NIST provides recommendations on the approach that best fits an organization. The second part of the document discusses the development and implementation of an information security management program.
“Everyone manages risk, but many organizations tend to use qualitative descriptions of their risk level, using ideas like stoplight colors or five-point scales,” said Katherine Schroeder, one of the publication’s authors. “Our goal is to help people communicate with data instead of vague concepts.”
The public comment period will close on March 18.
