Asset-based control assessments, while highly effective, are very labor and time intensive. CyMetric was originally designed as a tool to support asset-based program management because it represented the best method to ensure optimal implementation of a security/compliance program. However, our customers requested support for a "risk" based or more "environmental" approach to assessing programs, and CyMetric needed to evolve to provide it. CyMetric now allows users to apply a control assessment and any findings on commonly configured controls across all information systems (logical and physical) that utilize the same control. This new copy function applies to all of the data entry elements (methods/objects, assessment rating, assessment rationale, associated documents and findings) that are associated with the control. The new feature replaces the previous process of manually cutting and pasting content across information systems. Once the assessment is copied, users can modify it for an individual system in the event there are issues unique to that system. CyMetric users now have the option to assess their controls in a way that makes sense for their risk profile, mission critical systems and their available human resource assets.
To get started, create an Assessment Plan for the obligation or security program that needs to be evaluated. For detailed instructions on how to set up an Assessment Plan, please see the article Setting Up an Assessment/Audit of Your Compliance Program. CyMetric assembles all of the controls that are a part of the assessment.
Move forward by selecting a control that needs to be evaluated from the grid and begin filling in the appropriate fields. Specific instructions on how to document your control evaluation can be found in the article Executing an Assessment or Audit of your Compliance Program. Once you have finished with the data entry portion of the control assessment (methods/objects, control rating, rating rationale, linked documents and documented findings), click on the Save Edits button.
After saving the control assessment, users are returned to the Control page, where the details of the saved assessment can be seen in their entirety. To apply the assessment to other systems that use the SAME CONTROL AND CONFIGURATION, click on the three-dot ellipsis. Note that an additional option, Copy Assessment, now appears in the available functions. Click on Copy Assessment to move forward with copying this control assessment to other systems.
The list of other systems that utilize the control is presented to the user for selection and application. Choose the systems that you would like to copy the control assessment to by individually selecting the systems, clicking on the column header check box or clicking on the Apply to All Systems button at the bottom of the screen.
NOTE: The Apply to All button will only be active if the default filter (Not Started) is removed from the filter area. Also, if you apply the control assessment to a system that already has assessment data, THE EXISTING DATA WILL BE OVERWRITTEN BY THE COPY FUNCTION.
Users will be prompted to confirm the process and, if there are controls that will be overwritten, that information will be included in the warning.
Upon confirmation, all of the data on the assessment will be copied to the selected systems. The status of the controls and the systems that have received the copied information now reflects In Progress.