12.07.2015

Enabling Enterprise Resilience through Security Automation ...


| 16 | (3) Need Measured, Phased Approach

Measure, Monitor, and Reprioritize Practices (Especially for Visibility, Understanding, and Control)

■ To assess the effectiveness of SCRM policy, it is necessary to identify measurable outcomes of SCRM, as well as the level of implementation
■ A measurement framework would serve as a foundation for understanding and improving SCRM practices

Example Outcomes

Risk Understanding
• Confidence in the quality of risk-related data
• Ability to use risk estimates in investment decisions
• Ability to identify significant new risks
• Ability to assess protection levels against newly identified threats
• Ability to effectively prioritize gaps for remediation

Interagency Partner Engagement
• Ability to describe risks to senior business leaders
• Ability to persuade interagency partners to make decisions based on risk information
• Clear understanding of who holds responsibility for addressing control gaps
• Interagency partners understand their responsibilities in managing risk
• Interagency partners understand risk data
• Interagency partners actively manage and close risks independently
• Interagency partners willingly and formally accept residual risks

Contracting
• Firm knowledge of the controls portfolio in place at major contractors
• Ability to describe the risk landscape of major contractors
• Contractors understand requirements necessary to comply with regulations
• Contractors have confidence in their ability to satisfy regulatory requirements and address gaps
• Contractors have confidence that information on configurations of controls is current and accurate
• Contractors have the ability to anticipate new regulations and requirements

Example Levels of Implementation

Degree of Implementation
• Level 1: None
• Level 2: 1 – 25%
• Level 3: 26 – 50%
• Level 4: 51 – 75%
• Level 5: 76 – 100%

Maturity of Process
• Level 1: Focus only on known risks
• Level 2: Focus on emerging risks on an ad-hoc basis
• Level 3: Maintain a comprehensive list of risks that are consistently addressed
• Level 4: Defined processes for identifying, defining, and incorporating emerging risks
• Level 5: Monitor and optimize the process for incorporating emerging risks

Intensity of Application
• Level 1: Little understanding of mission
• Level 2: Basic understanding of mission
• Level 3: Strong understanding of mission, but not of priorities and strategic direction
• Level 4: Strong understanding of mission with some sense of strategic direction
• Level 5: Strong and broad understanding of process and well-developed sense of strategic goals
