Guide for Cybersecurity Incident Recovery

From: NIST Information Technology Laboratory Bulletin for February 2017

***

Recovery Metrics

Throughout the process of planning, exercising, and executing recovery activities, the collection of specific metrics may help to improve recovery and inform continuous improvement. Determining these metrics in advance may be beneficial, both to understand what should be measured and to implement data collection processes. This process requires the ability to determine where those identified metrics can be most beneficial to the recovery activity and to identify which activities cannot be measured in an accurate and repeatable way. It is important to note that restoring business functions remains the primary task at hand; the collection of recovery metrics can be designed so that data is a natural output of recovery activities. Metrics can be detrimental if they hinder the recovery process, cause a rushed or incomplete investigation, or create additional obstacles for recovery team efficiency. It is critical to ensure that metrics provide useful information that supports actionable improvement without being harmful to recovery.

NIST SP 800-184 states that the majority of recovery metrics will be used to improve the quality of the organization’s recovery actions. Recovery metrics might, for example, help to improve specific recovery aspects or be used to perform a cost/benefit analysis of a particular approach. Other metrics might be used as part of compulsory reporting (such as in response to an inquiry from an external authority) or for information sharing. In each case, determining in advance what will be measured and which measures may be shared will aid the organization’s recovery efforts. Sharing metrics with others must be done with caution and should occur only with the approval of appropriate organizational stakeholders, including senior managers, legal representatives, and regulatory compliance personnel.
