The process for performance measures implementation recommended by NIST involves six subordinate tasks (phases) and is shown in Figure 7-2:
• Phase 1: Prepare for data collection; identify, define, develop, and select information security measures.
• Phase 2: Collect data and analyze results; collect, aggregate, and consolidate the measurement data, and compare measurements with targets (gap analysis).
• Phase 3: Identify corrective actions; develop a plan to serve as the roadmap for closing the gap identified in phase 2. This includes determining the range of corrective actions, prioritizing corrective actions based on overall risk mitigation goals, and selecting the most appropriate corrective actions.
• Phase 4: Develop the business case.
• Phase 5: Obtain resources; address the budgeting cycle for acquiring resources needed to implement remediation actions identified in phase 3.
• Phase 6: Apply corrective actions; close the gap.