For the current controls we have a number of metrics defined. They are mostly unique to the control, but I have noticed a pattern.
A number of controls in the Cloud Controls Matrix (or any other security control matrix) require the organization to establish "policies and procedures" (TVM-01), where an additional control might mandate that the organization "Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk" (TVM-03).
A common process and procedure is to use technical measures to establish 'guardrails' that confirm a state of the system and then automatically generate a 'ticket' to drive resolution of the issue within an SLA. Because this process is common among many possible guardrails for a variety of controls, it is potentially worthwhile to establish a template metric.
Here are some examples of similar metrics in the current catalog:
AIS-07-M6 “Define and implement a process to remediate application security vulnerabilities, automating remediation when possible.”
Formula: (A/B)*100
Where:
A: Number of unaccepted critical or high vulnerabilities in production applications with an age greater than the policy defined maximum age
ID: nc_vuln_remediation_in_prod_apps
B: Total number of critical or high vulnerabilities in production applications within this period
ID: risky_vulns_in_prod_apps
GRC-04-M1 “Establish and follow an approved exception process as mandated by the governance program whenever a deviation from an established policy occurs.”
Formula: (A/B)*100
Where:
A: Number of active policy exceptions where the time to resolution is within the documented timeline for resolution, during the sampling period
B: Total number of active policy exceptions, during the sampling period
LOG-05-M1 “Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies.”
Formula: (A/B)*100
Where:
A: Number of anomalies detected during the sampling period that were reviewed and resolved within a timeframe that is in compliance with Policy
B: Total number of anomalies detected during the sampling period
SEF-06-M1 “Define, implement and evaluate processes, procedures and technical measures supporting business processes to triage security-related events.”
Formula: (A/B)*100
Where:
A: Number of security events triaged within policy defined time limit, during the sampling period
B: Total number of security events logged, during the sampling period
TVM-03-M1 “Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk.”
Formula: (A/B)*100
Where:
A: Number of high and critical vulnerabilities identified during the sampling period and remediated within policy timeframes
B: Total number of high and critical vulnerabilities identified during the sampling period
TVM-10-M1 “Establish, monitor and report metrics for vulnerability identification and remediation at defined intervals.”
Formula: (A/B)*100
Where:
A: Number of high and critical vulnerabilities identified for remediation within policy timeframes
B: Total number of high and critical vulnerabilities identified or carried over into the sampling period
If we decide a common template for this type of metric makes sense, we should go through the catalog and make that metric available for each control group that requires the organization to implement a policy and procedure to [determine a problem] and [resolve the problem] within policy.
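The metrics above share one shape: a population B of items detected (or still open) in a sampling period, and a numerator A counting how many of them were handled inside a policy timeframe, reported as (A/B)*100. The corner cases are where implementations diverge: items carried over from the previous period (TVM-10-M1 counts them, TVM-03-M1 does not), items under an approved risk acceptance (AIS-07-M6 excludes them from the non-compliance count), and items that are still open but whose deadline has not yet passed at evaluation time. The following is an added example, not code from the CCM metrics catalog or from this project, showing one way to compute the template metric from ticket-style records. The `Finding` fields, the per-severity `POLICY_MAX_AGE` values, and the sample findings are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed policy: maximum age per severity before a finding is out of policy.
# Severities not listed here are out of scope for this metric.
POLICY_MAX_AGE: Dict[str, timedelta] = {
    "critical": timedelta(days=7),
    "high": timedelta(days=30),
}


@dataclass
class Finding:
    """Hypothetical ticket record produced by a guardrail (constructed for the example)."""
    finding_id: str
    severity: str
    identified_at: datetime
    resolved_at: Optional[datetime] = None
    risk_accepted: bool = False  # approved exception; excluded from the non-compliance count


def deadline(f: Finding) -> datetime:
    """Policy deadline for a finding: identification time plus the allowed maximum age."""
    return f.identified_at + POLICY_MAX_AGE[f.severity]


def in_scope(f: Finding, period_start: datetime, period_end: datetime, include_carryover: bool) -> bool:
    """Population B: identified in the period, or (TVM-10-M1 style) still open at period start."""
    if f.severity not in POLICY_MAX_AGE:
        return False
    identified_in_period = period_start <= f.identified_at < period_end
    carried_over = f.identified_at < period_start and (
        f.resolved_at is None or f.resolved_at >= period_start
    )
    return identified_in_period or (include_carryover and carried_over)


def remediated_within_policy(f: Finding) -> bool:
    """Numerator for the 'within policy' form (TVM-03-M1, SEF-06-M1, LOG-05-M1)."""
    return f.resolved_at is not None and f.resolved_at <= deadline(f)


def overdue(f: Finding, as_of: datetime) -> bool:
    """Out of policy: closed after the deadline, or still open with the deadline already passed."""
    if f.resolved_at is None:
        return as_of > deadline(f)
    return f.resolved_at > deadline(f)


def template_metric(findings: List[Finding], period_start: datetime, period_end: datetime,
                    *, include_carryover: bool = False, as_of: Optional[datetime] = None) -> dict:
    """Compute both forms of the (A/B)*100 template over one sampling period.

    as_of defaults to period_end; an open finding whose deadline is later than as_of is
    neither compliant nor overdue yet, so it is reported separately as not_yet_due.
    """
    as_of = as_of or period_end
    scoped = [f for f in findings if in_scope(f, period_start, period_end, include_carryover)]
    b = len(scoped)
    a_within = sum(1 for f in scoped if remediated_within_policy(f))
    # AIS-07-M6 style numerator: out-of-policy findings that are NOT under an approved exception.
    a_overdue = sum(1 for f in scoped if overdue(f, as_of) and not f.risk_accepted)
    not_yet_due = sum(1 for f in scoped if f.resolved_at is None and as_of <= deadline(f))

    def pct(a: int) -> Optional[float]:
        return round(100.0 * a / b, 1) if b else None  # undefined when B == 0, not 100%

    return {
        "B": b,
        "A_within_policy": a_within, "pct_within_policy": pct(a_within),
        "A_overdue_unaccepted": a_overdue, "pct_overdue_unaccepted": pct(a_overdue),
        "not_yet_due": not_yet_due,
    }


# Constructed sample data: one March sampling period, evaluated at its end.
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 4, 1)
SAMPLE_FINDINGS = [
    Finding("V1", "critical", datetime(2024, 3, 2), resolved_at=datetime(2024, 3, 5)),   # in policy
    Finding("V2", "high", datetime(2024, 3, 3), resolved_at=datetime(2024, 3, 20)),      # in policy
    Finding("V3", "critical", datetime(2024, 3, 10), resolved_at=datetime(2024, 3, 25)), # closed late
    Finding("V4", "high", datetime(2024, 3, 5)),                                          # open, not yet due
    Finding("V5", "critical", datetime(2024, 3, 15), risk_accepted=True),                 # overdue, accepted
    Finding("V6", "high", datetime(2024, 2, 10), resolved_at=datetime(2024, 3, 4)),      # carried over
    Finding("V7", "medium", datetime(2024, 3, 12)),                                       # out of scope
    Finding("V8", "critical", datetime(2024, 4, 2)),                                      # next period
]


def run_example() -> dict:
    """Return the metric both without carry-over (TVM-03-M1) and with it (TVM-10-M1)."""
    return {
        "no_carryover": template_metric(SAMPLE_FINDINGS, PERIOD_START, PERIOD_END),
        "with_carryover": template_metric(SAMPLE_FINDINGS, PERIOD_START, PERIOD_END, include_carryover=True),
    }


if __name__ == "__main__":
    for name, result in run_example().items():
        print(name, result)
```

Two design choices worth carrying into a template definition: the metric is undefined rather than 100% when B is zero, so an empty period cannot mask a broken guardrail; and an open finding that is not yet past its deadline is reported separately rather than silently counted as either compliant or overdue, which is the difference between the "within policy" form (TVM-03-M1) and the "age greater than the maximum" form (AIS-07-M6).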