Measurement

A layered approach to measurement provides a lower-cost, continuous assessment. As part of the measurement process, control measurements correlated across auditors, engineers, analysts and management provide input into the Enterprise Security Profile Model (ESPM).

A security profile is derived from the measurements of the operational activities where the security controls are implemented. When there is data that connects an enterprise score to the specific performance of a security control, executives are able to answer the question "What is the security profile score for the organization?"

An understanding of the security controls at the operational level enables management to recognize the greatest areas of weakness and strength. "Vulnerabilities at Tier 3 can be described in terms of the information technologies employed within organizational information systems, the environments in which those systems operate, and/or the lack of or weaknesses in system-specific security controls" (NIST 800-30). The measurement result shows which security controls can be implemented or modified to reduce risk.

Measurements in the model are layered to provide an accurate depiction of the security profile. When an external auditor evaluates an environment, their sampling of the environment is included as an ESPM input. An analyst may review a specific system within an environment and add to the ESPM. Additionally, Internal Audit completes an evaluation from a different perspective. Measurements of the security controls implemented in a scoped environment are input into the model. This layered approach contributes to the overall security profile score.

Organizations have many security control sets that are required for a proper security program or by regulatory requirements. The ESPM consolidates these security control sets into a security control catalog for the organization, using the NIST Cyber Security Framework as the central hub. It is within this control catalog that the organization maps the many control sets to a central identifier.

Initially, measurements are conducted using the simplest method possible. This enables the assessment activities to be part of the regular operational performance of duties within the environment. Assessments become progressively more mature with the use of advanced risk management methods, beginning with FIPS 199 & 200, BRAAT, NIST RMF and FRAAP, and progressing to FAIR, OCTAVE, COBIT and others.

The ESPM relies upon multiple assessments to establish a security profile of the entire organization. The layered analysis and assessment inputs produce a security profile as output. A representative scenario is third-party vendor security review. Each vendor may submit different answers to a Standardized Information Gathering (SIG) request. The SIG reports are also layered and show the cumulative security profile of the vendors that interact with the organization. One of the scoped "environments" may be the evaluation of third-party vendors. It may also be an internal segmented network, or a line of business evaluating everything from the customer user interface of a web application to the infrastructure database holding customer data.
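The following is an added worked example of the layered aggregation described above; it is not part of the ESPM document and not the model's own scoring method. It assumes a small constructed control catalog that maps NIST 800-53, ISO 27001 and SIG control identifiers onto central NIST CSF identifiers (the pairings are illustrative, not an authoritative crosswalk), assumed confidence weights for the external audit, internal audit, analyst and vendor SIG layers, and constructed measurements for three scoped environments. Controls that the catalog does not yet map are reported as gaps rather than silently scored, and the weakest controls are ranked so management can see where remediation is most needed.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Constructed control catalog: several control sets mapped onto a central
# NIST CSF identifier. The pairings are illustrative, not an authoritative crosswalk.
CATALOG = {
    "PR.AC-1": {"800-53:AC-2", "800-53:IA-4", "ISO27001:A.9.2.1", "SIG:H.1"},
    "PR.AC-4": {"800-53:AC-6", "ISO27001:A.9.1.1"},
    "DE.CM-1": {"800-53:SI-4", "ISO27001:A.12.4.1", "SIG:M.2"},
    "RS.RP-1": {"800-53:IR-8", "ISO27001:A.16.1.5"},
}
# Reverse index: any mapped source control -> its central identifier.
SOURCE_TO_CSF = {src: csf for csf, srcs in CATALOG.items() for src in srcs}

# Assumed confidence weight of each measurement layer (an assumption of this example).
LAYER_WEIGHTS = {"external_audit": 1.0, "internal_audit": 0.8,
                 "analyst": 0.6, "vendor_sig": 0.5}


@dataclass(frozen=True)
class Measurement:
    environment: str     # scoped environment: "corp-lan", "vendors", "webapp", ...
    source_control: str  # identifier in the assessor's own control set
    layer: str           # which measurement layer produced the value
    score: float         # 0.0 (absent) .. 1.0 (fully implemented and effective)


def normalize(measurements):
    """Translate each measurement to its central CSF identifier.

    Returns (mapped, unmapped): unmapped source controls are catalog gaps
    the organization still has to map, and are reported rather than scored.
    """
    mapped, unmapped = [], []
    for m in measurements:
        if not 0.0 <= m.score <= 1.0:
            raise ValueError(f"score out of range: {m}")
        csf = SOURCE_TO_CSF.get(m.source_control)
        if csf is None:
            unmapped.append(m.source_control)
        else:
            mapped.append((m.environment, csf, m.layer, m.score))
    return mapped, unmapped


def control_scores(measurements):
    """Weighted mean per (environment, CSF id) across all measurement layers."""
    num, den = defaultdict(float), defaultdict(float)
    for env, csf, layer, score in normalize(measurements)[0]:
        w = LAYER_WEIGHTS[layer]
        num[(env, csf)] += w * score
        den[(env, csf)] += w
    return {key: num[key] / den[key] for key in num}


def environment_profiles(measurements):
    """Profile score of each scoped environment: mean of its control scores."""
    per_env = defaultdict(list)
    for (env, _csf), score in control_scores(measurements).items():
        per_env[env].append(score)
    return {env: mean(scores) for env, scores in per_env.items()}


def enterprise_profile(measurements):
    """Enterprise score: mean over every measured (environment, control) pair,
    so an environment with more measured controls carries more weight."""
    return mean(control_scores(measurements).values())


def weakest_controls(measurements, n=3):
    """Lowest-scoring controls first: where remediation buys the most."""
    ranked = sorted(((score, csf, env) for (env, csf), score
                     in control_scores(measurements).items()))
    return [(csf, env, score) for score, csf, env in ranked[:n]]


# Constructed sample inputs from four layers; "800-53:XX-9" is a deliberate
# placeholder for a control the catalog does not map yet.
SAMPLE = [
    Measurement("corp-lan", "800-53:AC-2", "external_audit", 0.9),
    Measurement("corp-lan", "ISO27001:A.9.2.1", "internal_audit", 0.7),
    Measurement("corp-lan", "800-53:AC-6", "analyst", 0.4),
    Measurement("corp-lan", "800-53:SI-4", "external_audit", 0.8),
    Measurement("corp-lan", "800-53:IR-8", "internal_audit", 0.6),
    Measurement("vendors", "SIG:H.1", "vendor_sig", 0.5),
    Measurement("vendors", "SIG:M.2", "vendor_sig", 0.3),
    Measurement("webapp", "800-53:AC-6", "analyst", 1.0),
    Measurement("webapp", "800-53:XX-9", "analyst", 0.2),
]

if __name__ == "__main__":
    print("unmapped controls:", normalize(SAMPLE)[1])
    for env, score in environment_profiles(SAMPLE).items():
        print(f"{env:10s} {score:.3f}")
    print(f"enterprise {enterprise_profile(SAMPLE):.3f}")
    print("weakest:", weakest_controls(SAMPLE))
```

Two design choices matter here. The external audit measurement of AC-2 and the internal audit measurement of A.9.2.1 are combined under the single identifier PR.AC-1 because the catalog maps both to it, which is the consolidation the text describes. The enterprise score averages every measured (environment, control) pair rather than averaging the per-environment scores, so a vendor population with two answered SIG questions does not weigh as much as an internal network with many sampled controls; weight the layers and environments according to your own confidence in each input.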

Each measurement in the ESPM is an important component in building a quantifiable security profile score.