
119
Chapter 9
Metrics for Monitoring
*
Sandy Bacik
A security policy architecture document should not be written unless it applies to protecting an
enterprise asset and unless executive management is willing to enforce it. Another thing to remem-
ber is as a security policy architecture document is written, how is it going to be monitored and
enforced? erefore, what specific items or activities can be monitored that are documented within
the security policy architecture document. e details from the security policy architecture docu-
ments are what the enterprise can use to develop and document security metrics or the return on
security investments ...