Developing the risk score

The risk score for this process is built from three weighted factors, which together form its base:

  • Coverage metric (=15% of the total score):
    • Assets management process (IT operations):
      • InfoSec tools require that the assets scanned are the ones that are official
      • Need proper credentials for scanning
    • Discovery scan process (InfoSec):
      • Finds potential rogue devices and shadow IT in assigned subnets
  • Risk exposure metric (=50% of the total score):
    • IT risk communicates how it will weigh each risk level per control
    • InfoSec teams will be evaluated on the frequency of the scans and the distribution of the reports
    • As the baseline is finite, each security configuration item is given a level of:
      • Category 5 (critical impact):
        • Number of cat 5 findings / total # cat 5 controls = 20% of the score
      • Category 4 (high impact):
        • Number of cat 4 findings / total # cat 4 controls = 15% of the score
      • Category 3 (medium impact):
        • Number of cat 3 findings / total # cat 3 controls = 10% of the score
      • Category 2 (low impact):
        • Number of cat 2 findings / total # cat 2 controls = 5% of the score
  • Remediation performance (=35% of the total score)
    • This measures how quickly the stakeholders (IT operations) reduce the risk by either:
      • Requesting an exception and establishing a compensating control
      • Fixing the finding
    • Stakeholders were given a grace period from when the finding was first established:
      • Number of cat 4/5 findings overdue beyond 30 days = 20% of the score:
        • Total # cat 4 and 5 overdue / total # cat 4 and 5 controls
      • Number of cat 3 findings overdue beyond 60 days = 10% of the score:
        • Total # cat 3 overdue / total # cat 3 controls
      • Number of cat 2 findings overdue beyond 90 days = 5% of the score:
        • Total # cat 2 overdue / total # cat 2 controls
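The following is an added worked example, not code from the book, that turns the weighting scheme above into a calculation so the arithmetic can be checked on sample counts. Everything it assumes that the page does not state is marked: the coverage metric is measured as the share of official assets the scanners did not reach (the page only names the asset-management and discovery-scan inputs), a higher score means higher risk, and the red/amber/green thresholds are placeholders. The counts are constructed sample data.

```python
"""Three-factor risk score: coverage (15%), risk exposure (50%),
remediation performance (35%). Weights and grace periods are copied
from the list above; everything else is an assumption of this example."""
from dataclasses import dataclass
from typing import Dict

# Risk exposure: weight (percent of total score) per control category.
EXPOSURE_WEIGHTS = {5: 20.0, 4: 15.0, 3: 10.0, 2: 5.0}
# Remediation: cat 4 and 5 are pooled (20%), cat 3 (10%), cat 2 (5%).
REMEDIATION_WEIGHTS = {"4/5": 20.0, "3": 10.0, "2": 5.0}
# Grace period in days per category before a finding counts as overdue.
GRACE_DAYS = {5: 30, 4: 30, 3: 60, 2: 90}
COVERAGE_WEIGHT = 15.0


@dataclass
class CategoryCounts:
    controls: int   # total controls in the baseline for this category
    findings: int   # controls currently failing
    overdue: int    # failing controls still open past the grace period


def ratio(num: int, den: int) -> float:
    """Safe division: a category with no controls contributes nothing."""
    return 0.0 if den == 0 else num / den


def is_overdue(category: int, days_open: int) -> bool:
    """A finding is overdue once it has been open longer than its grace period."""
    return days_open > GRACE_DAYS[category]


def coverage_score(official_assets: int, scanned_official_assets: int) -> float:
    """ASSUMPTION: coverage risk = share of official assets NOT scanned, x 15."""
    gap = 1.0 - ratio(scanned_official_assets, official_assets)
    return COVERAGE_WEIGHT * gap


def exposure_score(counts: Dict[int, CategoryCounts]) -> float:
    """Sum over categories of weight x (findings / controls)."""
    return sum(w * ratio(counts[c].findings, counts[c].controls)
               for c, w in EXPOSURE_WEIGHTS.items())


def remediation_score(counts: Dict[int, CategoryCounts]) -> float:
    """Weight x (overdue / controls), with cat 4 and 5 pooled as the page does."""
    c45_overdue = counts[4].overdue + counts[5].overdue
    c45_controls = counts[4].controls + counts[5].controls
    return (REMEDIATION_WEIGHTS["4/5"] * ratio(c45_overdue, c45_controls)
            + REMEDIATION_WEIGHTS["3"] * ratio(counts[3].overdue, counts[3].controls)
            + REMEDIATION_WEIGHTS["2"] * ratio(counts[2].overdue, counts[2].controls))


def risk_score(official_assets: int, scanned_official_assets: int,
               counts: Dict[int, CategoryCounts]) -> float:
    """Total on a 0..100 scale; higher means more risk (assumed orientation)."""
    total = (coverage_score(official_assets, scanned_official_assets)
             + exposure_score(counts) + remediation_score(counts))
    return round(total, 2)


def rag(score: float) -> str:
    """Placeholder RAG bands; the page's own thresholds are in a figure not shown here."""
    if score >= 40.0:
        return "RED"
    if score >= 20.0:
        return "AMBER"
    return "GREEN"


# Constructed sample data for one business unit.
SAMPLE_COUNTS = {
    5: CategoryCounts(controls=20, findings=4, overdue=2),
    4: CategoryCounts(controls=40, findings=10, overdue=4),
    3: CategoryCounts(controls=60, findings=15, overdue=6),
    2: CategoryCounts(controls=80, findings=40, overdue=8),
}
SAMPLE_OFFICIAL_ASSETS = 200
SAMPLE_SCANNED_ASSETS = 180

if __name__ == "__main__":
    s = risk_score(SAMPLE_OFFICIAL_ASSETS, SAMPLE_SCANNED_ASSETS, SAMPLE_COUNTS)
    print(f"coverage={coverage_score(SAMPLE_OFFICIAL_ASSETS, SAMPLE_SCANNED_ASSETS):.2f} "
          f"exposure={exposure_score(SAMPLE_COUNTS):.2f} "
          f"remediation={remediation_score(SAMPLE_COUNTS):.2f} total={s} rag={rag(s)}")
```

With the sample counts the exposure factor contributes 12.75 of its possible 50 and remediation 3.5 of 35, so the unit lands in the green band even though half of its low-impact controls are failing; the weighting deliberately lets a few critical findings move the score more than many low-impact ones.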

By applying a RAG (red/amber/green) metric as in the preceding figure, the organization can begin building an analysis like the following:
