The risk score for this process is based on three factors, and uses those three as its base:
- Coverage metric (=15% of the total score):
  - Assets management process (IT operations):
    - InfoSec tools require that the assets scanned are the official ones
    - Need proper credentials for scanning
  - Discovery scan process (InfoSec):
    - Finds potential rogue devices and shadow IT in assigned subnets
- Risk exposure metric (=50% of the total score):
  - IT risk communicates how it will weigh each risk level per control
  - InfoSec teams will be evaluated on the frequency of the scans and the distribution of the reports
  - As the baseline is finite, each security configuration item is given a level of:
    - Category 5 (critical impact):
      - Number of cat 5 findings / total # cat 5 controls = 20% of the score
    - Category 4 (high impact):
      - Number of cat 4 findings / total # cat 4 controls = 15% of the score
    - Category 3 (medium impact):
      - Number of cat 3 findings / total # cat 3 controls = 10% of the score
    - Category 2 (low impact):
      - Number of cat 2 findings / total # cat 2 controls = 5% of the score
- Remediation performance (=35% of the total score):
  - This measures how quickly the stakeholders (IT operations) can reduce the risk by:
    - Requesting an exception and establishing a compensating control
    - Fixing the finding
  - Stakeholders are given a grace period from when the finding was first established:
    - Number of cat 4/5 findings overdue 30 days = 20% of the score:
      - Total # cat 4 and 5 overdue / total # cat 4 and 5 controls
    - Number of cat 3 findings overdue 60 days = 10% of the score:
      - Total # cat 3 overdue / total # cat 3 controls
    - Number of cat 2 findings overdue 90 days = 5% of the score:
      - Total # cat 2 overdue / total # cat 2 controls
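The following Python script is an added worked example of the three-factor score described above; it is not code from the original page. The weights (15% / 50% / 35%, the per-category 20/15/10/5 split, the 30/60/90-day grace periods) are taken from the outline. Everything else is an assumption made for the example: coverage is computed as official assets actually scanned over all official assets, and it is the uncovered share that adds to risk; a finding is "overdue" when it is still open, has no approved exception, and is older than its category's grace period; the RAG thresholds stand in for the figure the page refers to but does not reproduce; and the baseline of `Control` records is constructed sample data.

```python
"""Worked example of the three-factor risk score (added example, not page code)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Weights from the page, expressed as fractions of the total score
COVERAGE_WEIGHT = 0.15
EXPOSURE_WEIGHTS: Dict[int, float] = {5: 0.20, 4: 0.15, 3: 0.10, 2: 0.05}   # = 50%
REMEDIATION_WEIGHTS: Dict[str, float] = {"4/5": 0.20, "3": 0.10, "2": 0.05}  # = 35%
# Grace periods in days from the page; cat 4 and cat 5 share one bucket
GRACE_DAYS: Dict[str, int] = {"4/5": 30, "3": 60, "2": 90}


@dataclass
class Control:
    """One security configuration item in the (finite) baseline."""
    control_id: str
    category: int                      # 2 (low) .. 5 (critical)
    failing: bool = False              # an open finding exists against it
    first_seen: Optional[date] = None  # when the finding was first established
    exception: bool = False            # exception granted + compensating control


def group_of(category: int) -> str:
    """Remediation bucket for a category: 4 and 5 are measured together."""
    return "4/5" if category >= 4 else str(category)


def ratio(numerator: int, denominator: int) -> float:
    return numerator / denominator if denominator else 0.0


def coverage_component(scanned_official: int, total_official: int) -> float:
    """ASSUMPTION: coverage = scanned official assets / all official assets;
    the uncovered share is what contributes risk, scaled by the 15% weight."""
    return (1.0 - ratio(scanned_official, total_official)) * COVERAGE_WEIGHT


def exposure_component(controls: List[Control]) -> float:
    """Per category: cat N findings / total cat N controls, times its weight."""
    total = 0.0
    for cat, weight in EXPOSURE_WEIGHTS.items():
        in_cat = [c for c in controls if c.category == cat]
        failing = [c for c in in_cat if c.failing]
        total += ratio(len(failing), len(in_cat)) * weight
    return total


def is_overdue(c: Control, as_of: date) -> bool:
    """ASSUMPTION: open, no exception, and older than the group's grace period."""
    if not c.failing or c.exception or c.first_seen is None:
        return False
    return (as_of - c.first_seen).days > GRACE_DAYS[group_of(c.category)]


def remediation_component(controls: List[Control], as_of: date) -> float:
    """Per group: overdue findings / total controls in the group, times weight."""
    total = 0.0
    for group, weight in REMEDIATION_WEIGHTS.items():
        in_group = [c for c in controls if group_of(c.category) == group]
        overdue = [c for c in in_group if is_overdue(c, as_of)]
        total += ratio(len(overdue), len(in_group)) * weight
    return total


def risk_score(controls: List[Control], scanned_official: int,
               total_official: int, as_of: date) -> float:
    """Total risk score on a 0-100 scale; higher means more risk."""
    return 100.0 * (coverage_component(scanned_official, total_official)
                    + exposure_component(controls)
                    + remediation_component(controls, as_of))


def rag_band(score: float) -> str:
    """ASSUMED thresholds; the page's figure with the real ones is not reproduced."""
    return "Red" if score >= 50 else "Amber" if score >= 25 else "Green"


# Constructed sample baseline (not real data): 19 controls across cat 2..5
SAMPLE_CONTROLS = [
    Control("C5-1", 5, failing=True, first_seen=date(2024, 1, 1)),
    Control("C5-2", 5),
    Control("C5-3", 5, failing=True, first_seen=date(2024, 3, 1), exception=True),
    Control("C5-4", 5),
    Control("C4-1", 4, failing=True, first_seen=date(2024, 3, 20)),
    Control("C4-2", 4), Control("C4-3", 4), Control("C4-4", 4), Control("C4-5", 4),
    Control("C4-6", 4, failing=True, first_seen=date(2024, 1, 10)),
    Control("C3-1", 3, failing=True, first_seen=date(2024, 1, 1)),
    Control("C3-2", 3), Control("C3-3", 3), Control("C3-4", 3),
    Control("C3-5", 3, failing=True, first_seen=date(2024, 3, 1)),
    Control("C2-1", 2, failing=True, first_seen=date(2023, 12, 1)),
    Control("C2-2", 2), Control("C2-3", 2), Control("C2-4", 2),
]
SAMPLE_AS_OF = date(2024, 4, 1)


def sample_score() -> float:
    """90 of 100 official assets scanned, evaluated as of SAMPLE_AS_OF."""
    return risk_score(SAMPLE_CONTROLS, 90, 100, SAMPLE_AS_OF)
```

On the constructed sample the exposure part contributes 0.2025 (2/4 of cat 5, 2/6 of cat 4, 2/5 of cat 3, 1/4 of cat 2, each weighted), remediation contributes 0.0725 (two cat 4/5 findings past 30 days, one cat 3 past 60, one cat 2 past 90; the cat 5 finding with an approved exception is excluded), and 10% uncovered assets add 0.015, for a score of 29.0, which the assumed thresholds band as Amber. The split into three components is deliberate: it lets the report show stakeholders whether a high score comes from missing assets, from open findings, or from slow remediation.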
By using an RAG metric from the preceding figure, the organization can begin looking at creating an analysis like the following: