With an Assessment Plan built, the next step is to execute the assessment. This is potentially a great deal of work, but it is essential to understanding the effectiveness of the data privacy and data security program. CyMetric compiles all of the activities that need to be completed and enables organizations to define the mechanisms and depth of the assessment. Each control for each information system needs to be evaluated to determine how well the process, procedure or technical control functions. Evaluation mechanisms and criteria can vary from one assessment cycle to the next, whether assessments are executed annually or on another schedule. The performance of these controls needs to be documented so organizations understand how their program is performing and where their enterprise risks lie. This information is tracked and stored within CyMetric for reference and reporting. Assessments typically take weeks or months to complete, and all documentation stored in CyMetric can be edited or modified until the Assessment Plan is officially closed. The assessment process can be executed and managed by internal and/or external (third-party vendor) resources.
Select the appropriate Assessment Plan from the list of available plans. More than one plan may be listed. To select an Assessment Plan, click on the caret (>) on the line corresponding to the appropriate plan.
Control Assessment Details: Details of the control assessment appear on the screen. Upon entering for the first time, the information boxes are not filled in nor are control ratings and rationales defined. These elements will be filled in as controls are being evaluated and assessed. Definitions of the fields and elements on the screen are below.
Assessment Methods: A focused activity or action employed by an Assessor for evaluating a particular security or privacy control. These activities or actions take the form of examinations, interviews or specific control testing to obtain evidence during an assessment.
Assessment Objects: The items (specifications, mechanisms, activities, individuals) to which an assessment method is applied during an assessment. Defects in these items are what the assessment is intended to surface.
Overall Rating: A score that reflects how well a control has been implemented. Based upon the Assessor's review of the control, the control will be rated as one of Fully Compliant, Mostly Compliant, Partially Compliant, Somewhat Compliant or Not Compliant. For those controls that either are not implemented or will not be assessed, a Not Assessed option is also available.
Overall Rating Rationale: Provides definition and detail to describe why the overall rating was chosen along with any other pertinent information regarding the control or the assessment process.
Associated Documents: Documents that provide clarity on the control, the assessment process for the control, or other information that supports the rationale or rating for the control can be identified via this field. Note that you cannot at this time upload documents to CyMetric, but you can specify a link to where the document is stored on your own system or environment.
At the bottom of the screen, additional supporting information is provided for assessment clarity and definition. Clicking on any of these options expands the details for your review.
Findings: Any adverse findings or discoveries that have been identified through the assessment process. These findings generally need to be remediated, with timelines that reflect the relative seriousness of the issue. A control can have multiple findings; each finding is displayed as its own row in a table.
Specification: Guidance that specifies, in a complete, precise, verifiable manner, the requirements, design, behavior, or other characteristics of a system or component, and often the procedures for determining whether these provisions have been satisfied. NIST has published explicit definitions of how security controls should be evaluated; CyMetric provides those definitions in this area.
Control Details: Communicates the details of each control as well as information about how the Control is configured by your organization. These details will include the specific variables Users defined for each information system.
Define/Edit Control Assessment Details: This function allows you to define what you are going to evaluate for the control and how. Click on the three-dot Options ellipsis icon in the top right corner of the screen. Click on the Edit Assessment option. The fields become active for input and definition.
Define Assessment Methods and Objects: Use the pull-down to define the methods and objects required to evaluate this control. Most controls will have multiple options available for selection, and it is likely that each control will have multiple methods and objects selected for the assessment. Simply click on each method or object that is applicable for this particular assessment on this particular information system. When completed, click anywhere on the screen outside of the pull-down area.
Assessment objects identify the specific items being assessed and include specifications, mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g., policies, procedures, plans, system security and privacy requirements, functional specifications, architectural designs) associated with an information system. Mechanisms are the specific hardware, software, or firmware safeguards and countermeasures employed within an information system. Activities are the specific protection-related actions supporting an information system that involve people. Individuals, or groups of individuals, are the people who apply the specifications, mechanisms, or activities described above.
Assessment methods define the nature of the Assessor's actions and include examine, interview, and test. The examine method is the process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). The purpose of the examine method is to facilitate Assessor understanding, achieve clarification, or obtain evidence. The interview method is the process of holding discussions with individuals or groups of individuals within an organization, again to facilitate Assessor understanding, achieve clarification, or obtain evidence. The test method is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
Overall Rating: The Overall Rating is the value assigned to the control as determined by the Assessor's assessment. The rating specifies how compliant the control is, as evaluated through the Methods and Objects selected for this control assessment. The value can be changed/edited as supplemental information is provided regarding the control or as the depth of the assessment evolves. For those controls that either are not implemented or will not be assessed, select the Not Assessed option and explain why the control is not implemented or not being assessed in the Overall Rating Rationale section.
NOTE: The ability to edit the control assessment will lock once the control assessment is marked as Complete.
Overall Rating Rationale: This free-form text field enables Users to document why a control was rated a specific way. The field provides an audit trail for executives or future auditors to understand the reasoning of the Assessor who evaluated this control. There is no limit to the text you can enter in this field. Even though you may not see all of the content on the entry screen, it will be present when the screen is saved as well as in reports.
PRO TIP: To expand the viewing area of the free-form text box, click and drag the two diagonal lines in the bottom right corner of the text field downward.
Add Document: CyMetric enables organizations to link documents that support the control assessment or the procedures that were followed to assess the control. Click on the Add Document button. Add the title of the document and then include the file location where it can be found. When finished, click on the Submit Document button.
NOTE: CyMetric is not a document repository, so the documents WILL NOT RESIDE WITHIN CYMETRIC. However, if the user has rights to the location where the document is stored, clicking on the link will direct the user to that location. Because only the link is stored, keep supporting documents in a location that is access-controlled and whose path will not change; a broken or inaccessible link leaves the control assessment without its evidence.
Add Finding: If, during the assessment, the Assessor discovers a problem with the implementation of the control that requires the organization to remediate the issue, a Finding is documented and associated with the control. The purpose of the Finding is to create an audit trail that defines the issue, the severity/risk that the issue poses to the organization, a remediation plan and a timeline to complete the remediation. Click on the Add Finding button to get started.
Assessment Objective: Defines the concept or objective that was not met during the assessment. For some controls, the list of objectives can be significant. This field enables Users to define what specifically was found to be out of compliance or severe enough to warrant a finding.
Discovered During: Defines how or where in the process the defect or issue was found: Interview, Examine, or Test.
Severity Rating: Defines the risk the defect in the control represents to the organization. Each organization may define risk differently, but generally organizations weigh the severity of the business impact against the probability of the identified risk occurring to determine overall risk.
Details and Severity Rating Rationale: This free-form text field enables Users to document why a Finding was rated a specific way. The field provides an audit trail to understand the reasoning of the Assessor who evaluated this control and determined that a Finding was warranted. There is no limit to the text you can enter in this field. Even though you may not see all of the content on the entry screen, it will be present when the screen is saved as well as in reports.
Proposed Remediation: Defines what should be done to fix or resolve the issue found in the Assessment. Remediation can take the form of improved processes, technical solutions or other functions that can reduce or eradicate a risk.
Proposed Close Date: Defines a timeline to resolve or fix the Finding. Findings with higher severity should be prioritized accordingly.
Add Document: CyMetric enables organizations to link documents that support the Control Assessment Finding. These could take the form of interview notes, procedural documents that need to be revised, technical or log outputs that support the Finding. Click on the Add Document button. Add the title of the document and then include the file location where it can be found. When finished, click on the Submit Document button.
Save Control Edits: When all fields are properly filled in, the text fields reflect the disposition of the control, any Findings are documented and all elements are complete, click on the Save Edits button to submit the assessment.
NOTE: Until the Control Assessment is formally closed, Users can come back and edit this Control Assessment at any time to make changes to the content, add more documents etc. Once the control is formally closed, the Assessment is no longer editable.
Edit Assessment: Review the Control Assessment with all parameters defined and visible. If any edits need to be made, click on the three-dot Options ellipsis icon in the top right corner of the screen. Click on the Edit Assessment option. The fields become active for editing.
Navigate back to the main Assessment Plan page to initiate another control assessment or to see the status of all the controls. To do this, click on the “breadcrumbs” from the top of the page.
Controls are designated as Not Started or In Progress until they are formally closed, at which point they receive a Completed designation.
Close Assessment: When the Control Assessment for this Information System is completed, you will need to close the assessment. To do so, click on the three-dot Options ellipsis icon in the top right corner of the screen and select Close Assessment. This will lock the Control Assessment and prevent any further edits to it. Confirm that you want to close the Control Assessment by clicking on the Confirm button in the dialog box. The Control Assessment will be marked as Completed when you return to the Assessment Plan screen.
To fully execute an Assessment Plan, the above process must be repeated for the identified controls and Information Systems outlined in the Plan. When all of the controls have been evaluated for all of the identified Information Systems, the entire Assessment Plan can be closed.
Closing an Assessment Plan
The heavy lifting of executing an Assessment Plan culminates in closing the plan out. Before the Assessment Plan can be closed, every control that was to be assessed (including those identified/defined as not currently implemented) must have documentation recording its status. All controls identified in the Assessment Plan need to have a status of In Progress or Completed before you can close out the Assessment Plan.
From the main Assessment Plan landing page, locate the Assessment Plan you want to close out; it displays a status of In Progress. Click on the caret (>) on the line of that Assessment Plan.
When the status of all the controls that comprise the plan are marked as Completed or In Progress, the Mark as Complete icon in the top right corner of the page becomes active. Click on the Mark as Complete icon to close out the Assessment Plan.
After pressing the Mark as Complete button, a dialog box appears asking you to confirm your intent. Please note that all Control Assessments currently flagged as In Progress are converted to Completed and the Assessment Plan becomes Read Only. The dialog box provides warnings on what happens when you confirm. Please be sure to read the warnings, as the Mark as Complete process CANNOT BE REVERSED. Click on the Confirm – Mark as Complete button to execute the close process.
The Assessment Plan status is converted to Completed and the icon at the top right corner reflects that the Assessment Plan is closed.
The next step in the process is to generate a report that presents all the data from your assessment. To learn how to do that, please see the article Generate an Assessment Plan Report.