Metrics and Measurements for the CSA CCM
Release Date: 09/19/2021
A number of the controls in the most current version of the CSA’s Cloud Controls Matrix require that the organization develop and implement metrics. Also, if your organization is considering becoming STAR certified, using metrics is a core requirement of the certification. It is important to know how to construct good and valuable metrics. I will review the various standard approaches to constructing metrics and the three kinds of metrics that are useful for a security organization to track. I will explain how to construct metrics using Goal/Question/Metric and PRAGMATIC guidelines. With those in mind, I’ll then look at how to measure the completeness, success, and impact on your organization of implementing the controls in the Cloud Controls Matrix, and discuss how metrics will be used for continuous auditing by the STAR Program.