Once all the work to get the program defined and established has been completed, the challenge turns to implementation and ultimately, evaluating how well the program is implemented. Control Assessments allow assessors to evaluate and describe the effectiveness of a control as it applies to a specific information system within their organization. This may include adverse Findings and proposed remediation. Mature compliance programs take years to fully implement and are always shifting to reflect the dynamic needs of any organization. CyMetric facilitates the risk/gap analysis or control evaluation process by quickly assembling the processes, procedures and controls that need to be evaluated in order to determine where enterprise risk resides. CyMetric also enables organizations to document the evaluation providing executive management, compliance teams and technical service personnel reports that define the program along with where to focus efforts on risk mitigation.
Building an Assessment Plan
The process begins by defining what you need to evaluate and putting parameters around that evaluation. The National Institute of Standards and Technology (NIST) has published guidance on how to evaluate the controls and processes that CyMetric outputs in order to determine their effectiveness. That NIST guidance has been integrated into CyMetric so Users can define and document their assessments against it.
Navigate to the Assessment module in the Auditing section of the CyMetric navigation area. If no assessments have been completed (i.e. first time into the module), no assessment plans are listed. To initiate building an Assessment Plan, click on the Create Plan icon from the top right corner of the screen.
Plan Type: Select the Compliance Objective option (By Compliance Objective) from the listed plan types, then click the Next button.
Select Compliance Objective: From the list of available compliance objectives, select the compliance objective you would like to create an assessment plan for. Each assessment plan is constrained to one compliance objective. Select the appropriate option and click on the Next button.
Filters: CyMetric provides the opportunity to define or segment the assessment by specific parameters for the compliance objective selected. By filtering the assessment, Users can scope the workload to the organization's resource constraints or focus the assessment on priority systems or controls. Select the appropriate filter based upon organization need.
No Filters: CyMetric will include all controls for all the information systems bound by the compliance objective selected. This will be the largest, most comprehensive assessment across all systems and all controls.
Control Priority Filters: NIST classifies each control with a priority level based upon their assessment of the relative importance of each control. In general, a P1 (Priority 1) control should be implemented before P2 and P3 controls. P0 controls have not been assigned a priority and their importance is situational/environmental in nature. In many cases, P2 or P3 controls are dependent upon P1 controls and therefore need to be implemented accordingly.
Only Priority 1 Controls in High Security Rating Information Systems: An information system's risk profile is determined by the type of data contained within it. When data elements are classified as low, moderate or high, that classification defines the risk profile of the systems that contain those data elements. An information system that contains high risk data elements is rated as a High Security Rating Information System; CyMetric derives this rating automatically. Selecting this filter pulls the P1 controls, as defined above, only for the information systems that have been rated as High Security systems.
Information System: Organizations may want to perform an assessment on a single system or on designated systems within their environment. Traditional CyMetric assessment plans assemble ALL the systems that share the same obligation or regulatory requirement into one assessment plan. CyMetric also enables users to include only a specified system or systems in an assessment plan.
CyMetric will present all the Information Systems that have the selected obligation or framework chosen in the previous screen. Select the system or multiple systems from the list to include in your Assessment by checking the box next to the appropriate system(s). Click on the Add Systems button at the bottom when finished.
Configure Assessment Plan: Once the plan is defined after the filter selection, the assessment details need to be documented. Users provide a title for the assessment. The title should make clear what the assessment covers as well as any filters applied to it (e.g. NIST CSF Assessment - P1 Controls). The owner of the assessment needs to be defined; this can be an internal or external resource. Lastly, an estimated completion date for the assessment needs to be set by clicking on the calendar icon. Click Next to continue.
Review Assessment Plan: Review the details of the assessment plan to be sure everything is appropriate. The details defined in the previous screen are displayed along with the total number of information systems, the total number of controls that need to be assessed, which information systems are included in the assessment and the total number of controls that need to be assessed for each information system. Click on Confirm and Create Plan to finalize the Assessment Plan.
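The filter and review steps above describe a small piece of scoping logic: start from every system bound to the chosen compliance objective, narrow the set by filter (none, P1 controls in High Security Rating systems, or a hand-picked list of systems), then summarize system and control counts for review. The following Python is an added illustration of that logic, not CyMetric code; the data model, function names, sample systems and the control priorities assigned to them are all constructed for the example and do not reproduce any real CyMetric or NIST catalog data.

```python
"""Toy model of the assessment-plan scoping described on this page.

Added example, not CyMetric code. The classes, function names and
sample data below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

@dataclass(frozen=True)
class Control:
    control_id: str
    priority: int  # P0..P3 scheme from the page; values used below are illustrative

@dataclass(frozen=True)
class InformationSystem:
    name: str
    objective: str                    # compliance objective the system is bound to
    data_classifications: frozenset   # subset of {"low", "moderate", "high"}
    controls: tuple                   # Controls applicable under that objective

    def security_rating(self) -> str:
        # The highest classification of any data element sets the system rating
        if "high" in self.data_classifications:
            return "high"
        if "moderate" in self.data_classifications:
            return "moderate"
        return "low"

FILTERS = ("none", "p1_high", "systems")

def build_assessment_plan(systems: Iterable[InformationSystem], objective: str,
                          title: str, owner: str, due_date: str,
                          filter_mode: str = "none",
                          selected_systems: Optional[List[str]] = None) -> Dict:
    """Scope a plan to one objective, apply one filter, and return the review summary."""
    if filter_mode not in FILTERS:
        raise ValueError(f"unknown filter {filter_mode!r}")
    if not title.strip() or not owner.strip():
        raise ValueError("title and owner are required")

    # Each plan is constrained to a single compliance objective
    in_scope = [s for s in systems if s.objective == objective]

    if filter_mode == "p1_high":
        # Only High Security Rating systems survive; controls are cut to P1 below
        in_scope = [s for s in in_scope if s.security_rating() == "high"]
    elif filter_mode == "systems":
        wanted = set(selected_systems or ())
        in_scope = [s for s in in_scope if s.name in wanted]

    controls_by_system: Dict[str, List[str]] = {}
    for s in in_scope:
        ctrls = s.controls
        if filter_mode == "p1_high":
            ctrls = tuple(c for c in ctrls if c.priority == 1)
        controls_by_system[s.name] = sorted(c.control_id for c in ctrls)

    return {
        "title": title, "owner": owner, "due_date": due_date,
        "objective": objective, "filter": filter_mode,
        "system_count": len(controls_by_system),
        "control_count": sum(len(v) for v in controls_by_system.values()),
        "controls_per_system": {k: len(v) for k, v in controls_by_system.items()},
        "controls_by_system": controls_by_system,
    }

# Constructed sample inventory (priorities are illustrative, not from any catalog)
AC2, AC6, AT2, CA7, CM8, SC28, AU6 = (
    Control("AC-2", 1), Control("AC-6", 1), Control("AT-2", 2), Control("CA-7", 2),
    Control("CM-8", 1), Control("SC-28", 3), Control("AU-6", 1))

SAMPLE_SYSTEMS = (
    InformationSystem("HR-Payroll", "NIST CSF", frozenset({"moderate", "high"}),
                      (AC2, AC6, AT2, CA7, CM8, SC28)),
    InformationSystem("Intranet", "NIST CSF", frozenset({"low"}), (AC2, AT2, CM8)),
    InformationSystem("CRM", "HIPAA", frozenset({"high"}), (AC2, AC6, AU6)),
)

if __name__ == "__main__":
    plan = build_assessment_plan(SAMPLE_SYSTEMS, "NIST CSF",
                                 "NIST CSF Assessment - P1 Controls", "Jane Auditor",
                                 "2024-12-31", filter_mode="p1_high")
    for name, ids in plan["controls_by_system"].items():
        print(f"{name}: {len(ids)} controls -> {', '.join(ids)}")
    print("systems:", plan["system_count"], "controls:", plan["control_count"])
```

Running the module scopes the constructed inventory the way the P1/High Security filter on this page does: the HIPAA-only system drops out because the plan is bound to one objective, the low-rated Intranet drops out because of the rating filter, and only the P1 controls of the remaining system are counted in the review summary.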
To learn how to execute an assessment plan, please see Executing an Assessment Plan.