In this video, Kip Boyle introduces the concept of target scores for information security controls. Learn how to set a target score for each control in your information risk management framework.
- For each control you want to measure, you'll need to set a target score. This score represents how well the organization needs to be able to perform the control in order to meet its information security goals. The target score will be used later to calculate gaps based on the measurements you collect. You'll want the targets to be somewhere in the green zone. Let's review the choices. Five is the minimum target where you can expect the control to work reliably with minor flaws or occasional rework. Six and seven are midpoints where the control is easier to operate and more reliable.
Eight is optimal where the control is barely noticed by users and can be expected to be reliable and effective over long periods of time unless your threats become more lethal. So as you can see, the higher the target, the better the control. But higher numbers also mean greater time and money will be needed to achieve the score and then maintain it. Also, depending on the changes your organization experiences both internally and externally, your actual score may drop over time, so please realize hitting your targets once doesn't mean you'll stay there forever.
For example, dealing with malicious code has been getting tougher over time. A few years ago, if all your computers ran highly rated antivirus software that was always up to date, you probably would score a seven or an eight, but as time went on, and the need to regularly apply security patches became just as important as conducting antivirus scans, your score would eventually drop below a five unless you started doing patching too. Based on how you scoped your measurements, you can set your target scores on the individual control level or by grouping the controls into categories or by line of business or by the geographical location of your offices or you could set a single target score across the board.
Let's walk through an example. Here's an excerpt from the NIST cybersecurity framework. You can see there are three levels of controls from left to right: functions, activities, and outcomes. Inside the recover function, there's an activity called improvements, and below that are two controls, RC.IM-1 and RC.IM-2. Keep in mind in this framework there are five functions, 22 activities, and 98 outcomes. In my experience, it's too tedious and time consuming to set targets at the outcome level.
In contrast, you don't get a lot of choices by staying at the function level. There are two useful paths. Either set the same target score for all outcomes or set targets at the activity level. However you choose to do it, enter your target scores into your spreadsheet. You can expect to spend two hours over two days to set target scores. It's a good idea to involve your key stakeholders when you set the targets. At a minimum, make sure you involve your boss, so you have their support.
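The target-setting and gap calculation described in the video, as an added example that is not Kip Boyle's spreadsheet and not part of the course. It models the excerpt of the NIST framework named above (the Recover function, the Improvements activity, RC.IM-1 and RC.IM-2, plus RC.RP-1 and RC.CO-1 from the same function for contrast), lets you set targets at the outcome, activity, function or across-the-board level with the most specific target winning, refuses targets outside the green zone of 5 to 8, and computes gap = target minus measured. The 1 to 10 scale, the inheritance rule and the measured scores are assumptions or constructed sample data, not figures from the video.

```python
"""Target scores and gaps for a small NIST CSF excerpt (added example).

Assumptions, not from the video:
- scores are integers on a 1..10 scale; the video only names 5..8 as the green zone
- a target may be set per outcome, per activity, per function, or as an
  across-the-board default ("*"); the most specific scope wins
- the measured scores in example_gaps() are constructed sample data
"""
from dataclasses import dataclass

GREEN_ZONE = range(5, 9)  # 5..8 inclusive, per the video


@dataclass(frozen=True)
class Outcome:
    """One subcategory / outcome such as RC.IM-1."""
    id: str

    @property
    def activity(self) -> str:   # "RC.IM-1" -> "RC.IM"
        return self.id.split("-")[0]

    @property
    def function(self) -> str:   # "RC.IM-1" -> "RC"
        return self.id.split(".")[0]


# Excerpt of the Recover function (identifiers are real CSF outcomes).
OUTCOMES = [Outcome(i) for i in ("RC.RP-1", "RC.IM-1", "RC.IM-2", "RC.CO-1")]


def set_target(targets: dict, scope: str, score: int) -> None:
    """Record a target for a scope ('*', a function, an activity or an outcome id).

    Raises ValueError for anything outside the green zone, since a target
    below 5 means the control is not expected to work reliably.
    """
    if score not in GREEN_ZONE:
        raise ValueError(f"target {score} for {scope} is outside the green zone 5-8")
    targets[scope] = score


def target_for(outcome: Outcome, targets: dict) -> int:
    """Resolve the target that applies: outcome > activity > function > '*'."""
    for scope in (outcome.id, outcome.activity, outcome.function, "*"):
        if scope in targets:
            return targets[scope]
    raise KeyError(f"no target covers {outcome.id}")


def gaps(outcomes: list, targets: dict, measured: dict) -> dict:
    """Gap = target - measured. Positive means the control is below target."""
    return {o.id: target_for(o, targets) - measured[o.id] for o in outcomes}


def below_target(gap_table: dict) -> list:
    """Outcome ids with a positive gap, largest gap first (what to work on)."""
    return sorted((i for i, g in gap_table.items() if g > 0),
                  key=lambda i: gap_table[i], reverse=True)


def example_gaps() -> dict:
    """Worked example with constructed data (assumption, not the video's numbers)."""
    targets: dict = {}
    set_target(targets, "*", 5)        # across-the-board minimum
    set_target(targets, "RC.IM", 7)    # activity-level target for Improvements
    set_target(targets, "RC.IM-2", 8)  # one outcome raised above its activity
    measured = {"RC.RP-1": 6, "RC.IM-1": 5, "RC.IM-2": 8, "RC.CO-1": 4}  # constructed
    return gaps(OUTCOMES, targets, measured)


if __name__ == "__main__":
    table = example_gaps()
    for outcome_id, gap in table.items():
        print(f"{outcome_id}: gap {gap:+d}")
    print("below target:", below_target(table))
```

With these inputs RC.IM-1 resolves to the activity-level target of 7 and shows a gap of 2, RC.IM-2 uses its own target of 8 and is on target, RC.RP-1 exceeds the across-the-board 5 (gap -1), and RC.CO-1 falls one point short. Re-running gaps() against a later round of measurements is how you would catch the drift the video warns about, where a once-met target is no longer met.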
- Goals and components of an information security program
- Measuring and managing information risks
- Reducing risks to an acceptable level
- Using a workflow to organize your work
- Communicating progress with executives and stakeholders
- Demonstrating compliance