A layered approach to measurements provides a lower-cost, continuous assessment. As part of the measurement process, control measurements correlated across auditors, engineers, analysts and management provide input into the Enterprise Security Profile Model (ESPM). A security profile is derived from the measurements of the operational activities in which the security controls are implemented. When data connects an enterprise score to the specific performance of a security control, executives are able to answer the question "What is the security profile score for the organization?" An understanding of the security controls at the operational level enables management to recognize the greatest areas of weakness and strength.

"Vulnerabilities at Tier 3 can be described in terms of the information technologies employed within organizational information systems, the environments in which those systems operate, and/or the lack of or weaknesses in system-specific security controls" (NIST 800-30). The measurement result shows which security controls can be implemented or modified to reduce risk. Measurements in the model are layered to provide an accurate depiction of the security profile. When an external auditor evaluates an environment, their sampling of the environment is included as an ESPM input. An analyst may review a specific system within an environment and add to the ESPM. Additionally, Internal Audit completes an evaluation from a different perspective. Measurements of the security controls that are implemented in a scoped environment are input into the model. This layered approach contributes to the overall security profile score.

Organizations have many security control sets that are required for a proper security program or by regulatory requirements. The ESPM consolidates these security control sets into a security control catalog for the organization, utilizing the NIST Cyber Security Framework as the central hub.
It is within this control catalog that the organization maps its many control sets to a central identifier.

Initially, measurements are conducted in the simplest method possible. This enables the assessment activities to be part of the regular operational performance of duties within the environment. Assessments will increasingly mature with the use of advanced risk management methods, beginning with FIPS 199 & 200, BRAAT, NIST RMF and FRAAP, and progressing to FAIR, OCTAVE, COBIT and others.
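To make the two mechanisms described above concrete (the control catalog that maps several control sets onto a NIST CSF hub identifier, and the layered measurements from operations, analysts, internal audit and external audit that roll up into a profile score), the following is an added Python illustration; it is not the paper's ESPM implementation. The framework-to-CSF mappings, layer weights, control identifiers and measurement values are constructed for the example and are not an authoritative crosswalk. Controls that no layer has measured are reported as a coverage gap rather than silently scored, since an unmeasured control is not the same as an effective one.

```python
"""Toy enterprise security profile model (ESPM).

Layered control measurements are resolved through a control catalog keyed on
NIST CSF subcategory IDs and rolled up into per-control and organisation-level
scores. Added illustration only; mappings, weights and values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import fmean

# Central catalog: hub identifier (NIST CSF subcategory) -> identifiers from
# other control sets the organisation has mapped onto it. Constructed mapping.
CATALOG = {
    "PR.AC-1": {("NIST 800-53", "IA-2"), ("PCI DSS", "8.2"), ("ISO 27001", "A.9.2.1")},
    "PR.DS-1": {("NIST 800-53", "SC-28"), ("PCI DSS", "3.4"), ("ISO 27001", "A.10.1.1")},
    "DE.CM-1": {("NIST 800-53", "SI-4"), ("PCI DSS", "10.6")},
    "RS.RP-1": {("NIST 800-53", "IR-8"), ("ISO 27001", "A.16.1.5")},
}

# Reverse index: any mapped (framework, control) pair resolves to its hub ID.
_REVERSE = {ext: hub for hub, exts in CATALOG.items() for ext in exts}

# Relative confidence placed in each measurement layer (assumption for the example).
LAYER_WEIGHT = {
    "operations": 1.0,      # self-assessment during regular duties
    "analyst": 1.5,         # targeted review of a specific system
    "internal_audit": 2.0,  # independent internal evaluation
    "external_audit": 2.5,  # external auditor's sample of the environment
}


@dataclass(frozen=True)
class Measurement:
    framework: str   # control set the assessor worked from
    control: str     # identifier within that control set
    layer: str       # which layer produced the measurement
    result: float    # 0.0 (not effective) .. 1.0 (fully effective)


def resolve(framework, control):
    """Map an external control identifier to the catalog's central (hub) identifier."""
    key = (framework, control)
    if key not in _REVERSE:
        raise KeyError(f"{framework} {control} is not mapped in the control catalog")
    return _REVERSE[key]


def control_scores(measurements):
    """Layer-weighted mean result per hub control; unmeasured controls are omitted."""
    num, den = defaultdict(float), defaultdict(float)
    for m in measurements:
        if not 0.0 <= m.result <= 1.0:
            raise ValueError(f"result out of range: {m}")
        hub = resolve(m.framework, m.control)
        weight = LAYER_WEIGHT[m.layer]
        num[hub] += weight * m.result
        den[hub] += weight
    return {hub: round(num[hub] / den[hub], 3) for hub in num}


def profile(measurements):
    """Organisation-level profile: score, catalog coverage, gaps, weakest and strongest controls."""
    scores = control_scores(measurements)
    ranked = sorted(scores.items(), key=lambda kv: kv[1])
    return {
        "score": round(fmean(scores.values()), 3) if scores else None,
        "coverage": round(len(scores) / len(CATALOG), 3),
        "unmeasured": sorted(set(CATALOG) - set(scores)),
        "weakest": ranked[0][0] if ranked else None,
        "strongest": ranked[-1][0] if ranked else None,
        "controls": scores,
    }


# Constructed sample: several layers measuring the same hub control through
# different control sets, one control measured by a single layer, one not at all.
SAMPLE = [
    Measurement("PCI DSS", "8.2", "external_audit", 0.6),
    Measurement("NIST 800-53", "IA-2", "analyst", 0.9),
    Measurement("ISO 27001", "A.9.2.1", "operations", 1.0),
    Measurement("NIST 800-53", "SC-28", "internal_audit", 0.5),
    Measurement("PCI DSS", "3.4", "external_audit", 0.5),
    Measurement("PCI DSS", "10.6", "operations", 0.8),
]

if __name__ == "__main__":
    report = profile(SAMPLE)
    for hub, score in sorted(report["controls"].items()):
        print(f"{hub:8s} {score:.3f}")
    print("profile score:", report["score"], "coverage:", report["coverage"])
    print("unmeasured:", report["unmeasured"], "weakest:", report["weakest"])
```

The weighting makes an external auditor's sample count for more than an operational self-check of the same control, while still letting every layer move the score; the reverse index is what lets a PCI DSS or ISO 27001 finding land on the same hub identifier as a NIST 800-53 finding, which is the consolidation the catalog exists to provide.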