
The support site for the Unified Compliance Framework


Metrics Awareness and Acceptance

There are over a hundred pre-defined and well-documented metrics that you can leverage for your internal metrics program. They are listed in the section entitled "The metrics the UCF currently tracks". If you do want to use one of these, follow the instructions below for either manually or automatically routing the list and having your groups accept them (or not, as the case may be). If you don't want to use one of these, skip to the next section on how to create your own metrics.

How do you make the determination regarding which metrics to implement?

We highly suggest that you do not attempt to implement all of the metrics the UCF tracks at once. Instead, we suggest that you run a "pick three" campaign. Go through all of the metrics presented here and have your staff pick the first three that you want to implement. With those three picked, you'll next incorporate them into your policies and procedures, then gather, interpret, and present the information. While doing that, we suggest you track the time and effort it takes to put these together into a whole product (a set of policies, procedures, and the reports themselves). This will give you a good idea of the TCR (Total Cost of Reporting) behind each of the metrics.

Now the question becomes: which three should you pick? We've found two popular ways of picking metrics. The first (and simplest) is to route the complete list of metrics to the various audiences in your organization (governance, management, technical), and then have each audience simply pick from that list the metrics it would like to implement. You can then prioritize the list down to the first three, second three, and so on. This is the "what would we like to report" method.

The second method is slightly different and more complex. You start with your list of controls that you have to follow and, for every control for which you need to create a report, you then select the corresponding metric. If you are using the UCF's control framework, each control that references a predefined metric has already been annotated for you. This method seems to be popular with our field editors. One of our distinguished field editors, Jason Taule, had this comment:

"You rightly talk about the importance of mapping metrics to controls. We've taken it one level higher and identified a series of key questions for which we want to maintain current answers. These key questions are linked to a group of metrics which individually measures performance against a set of given controls and collectively provides the insight we're after. The utility in this approach is that our hands-on technical staff can focus on the metrics and management gets the answers they're after without getting bogged down in underlying detail (although they can certainly drill down as desired)."

For those controls that don't have pre-defined metrics, you would turn to a group such as the Center for Internet Security or the Metrics Center to develop metrics for you. You can find out more information about these groups in our Supporting Organizations section at the end of this guide. Because of the complicated nature of this method, we really do suggest that you start with the list of predefined metrics and work from there for at least the first or second set of metrics that you are introducing.
