In this video, Kip Boyle looks at the final step in information discovery: collecting scores. Learn how to generate measurements from cybersecurity systems.
- If you have cyber security systems in place, you can generate scores from the data those systems produce. You might want to do this to supplement the scores you collect from your experts. Whether this approach can take the place of gathering scores from your experts will depend on the specific controls you're measuring. Let's walk through an example of how we can use system reports to generate scores using the zero through 10 scale. Here's a control from the NIST Cybersecurity Framework. You can see from its unique ID that it's the 12th control under the information protection processes and procedures activity, which is located in the protect function.
How well does your organization implement an effective vulnerability management strategy? There are many components of a vulnerability management strategy, including written policies and allocated budgets, qualified people who are assigned and trained to do the work, processes and procedures that are written and need to be consistently followed, and multiple technologies for assessing and then neutralizing found vulnerabilities. For example, you could generate scores from these metrics: the percentage of servers fully patched within 30 days of patch release.
Or the percentage of desktops fully patched within 30 days of patch release. Or the percentage of networks scanned for vulnerabilities every 30 days. In each case you gather metrics for the previous six months, average them into a single percentage, and then convert over to the zero through 10 scale. Here's one way to do it. In this example I'm assuming these are highly critical systems being served by an otherwise effective vulnerability management system. You can see that any percentage greater than 98 means a risk score of eight.
Which means you've achieved optimal security. And any percentage less than 85 is a zero score. Because for this organization, the risk of compromise exceeds the organization's tolerance. Depending on your situation, you may want to assign a value between zero and five. Once you have the score, you can average it into the scores from your experts. And then calculate a simple average for all the scores for that control.
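The procedure described in the video, worked through in code as an added example (not part of the video or its course materials): compute the "patched within 30 days" metric from constructed patch records for six months, average the months, convert to the 0 through 10 scale with the thresholds given above, and fold the result in with expert scores. The video does not say how to spread the band between 85 and 98 across 0 to 5, so the linear interpolation used here is this example's assumption.

```python
from datetime import date, timedelta
from statistics import mean

PATCH_WINDOW = timedelta(days=30)


def percent_patched_in_window(records):
    """Share of hosts whose patch was installed within 30 days of release.
    records: list of (host, released, installed) with installed None if never applied."""
    on_time = sum(
        1 for _, released, installed in records
        if installed is not None and installed - released <= PATCH_WINDOW
    )
    return 100.0 * on_time / len(records)


def six_month_average(monthly_percentages):
    """Average the last six monthly metrics into one percentage."""
    if len(monthly_percentages) != 6:
        raise ValueError("expected six monthly metrics")
    return mean(monthly_percentages)


def to_risk_score(pct):
    """Map a percentage onto the 0..10 scale using the video's thresholds.
    Above 98 -> 8, below 85 -> 0. The middle band is not defined in the video;
    mapping it linearly onto 0..5 is an assumption of this example."""
    if pct > 98:
        return 8.0
    if pct < 85:
        return 0.0
    return round(5.0 * (pct - 85) / (98 - 85), 1)


def combined_control_score(system_score, expert_scores):
    """Simple average of the system-derived score and the expert scores."""
    return round(mean([system_score, *expert_scores]), 2)


def month_records(released, install_delays):
    """Constructed sample month: one patch release, one host per delay (days)."""
    return [(f"srv{i}", released, None if d is None else released + timedelta(days=d))
            for i, d in enumerate(install_delays)]


# Constructed sample data: ten hosts per month, six months of patch history.
SAMPLE_MONTHS = [
    month_records(date(2023, 1, 10), [3, 5, 7, 9, 11, 14, 18, 22, 28, 35]),   # 90%
    month_records(date(2023, 2, 14), [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]),        # 100%
    month_records(date(2023, 3, 14), [2, 4, 6, 8, 10, 12, 14, 16, 40, None]), # 80%
    month_records(date(2023, 4, 11), [1, 3, 5, 7, 9, 11, 13, 15, 17, 30]),    # 100%
    month_records(date(2023, 5, 9), [2, 2, 2, 2, 2, 2, 2, 2, 2, 45]),         # 90%
    month_records(date(2023, 6, 13), [5, 5, 5, 5, 5, 5, 5, 5, 5, 5]),         # 100%
]
```

Calling `to_risk_score(six_month_average([percent_patched_in_window(m) for m in SAMPLE_MONTHS]))` on this data gives 3.2, and averaging that with constructed expert scores of 4 and 5 gives 4.07.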