adammontville / cis-controls-71-measures


Subcontrol 17.5 #33

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Train workforce members on the importance of enabling and utilizing secure authentication.

Measures

c_i_j = # of correct answers for employee j in round i
TQ_i_j = # of total questions for employee j in round i
n = # of total employees randomly picked
m = # of rounds
alpha = damping factor (more recent rounds will have higher weight) < 1

Metrics/KEI

TP Quality = ( SUM over j: 1 to n ( (SUM over i:0 to m-1 ( (c_i_j / TQ_i_j) * alpha^i ) ) / (SUM over i:0 to m-1 (alpha^i ) ) ) ) / n

What Aaron said. Seems not practically measurable at this point. That said, what if we took a measure like this to SANS and asked them to develop an API providing the data for a given organization?

wmunyan commented 5 years ago

Could we get some more explanation on the metrics formula as well as a description of the "damping factor"?

apiperCIS commented 5 years ago

For Controls Team: UNCC asked what "enabling" means here. Why do employees need training on "enabling" secure authentication - isn't that a function of the enterprise to enable it and then the employees are trained on how to use the secure authentication methods that the organization enables?

apiperCIS commented 5 years ago

Inputs

1. List of workforce members
2. List of most recent completion date for this module of the security awareness training for each workforce member
3. Required frequency of training (at least annually)

Operations

For each workforce member in Input 1, check Input 2 to see if that workforce member's most recent completion date of this training module was within the time frame specified by Input 3 (if the workforce member is not listed in Input 2, assume the workforce member is not compliant). Generate a list of compliant workforce members (M1) and a list of non-compliant workforce members (M2).

Measures

M1: List of workforce members who have completed this security awareness training module within the specified time frame (compliant list)
M2: List of workforce members who have not completed this security awareness training module within the specified time frame (non-compliant list)
M3: Number of workforce members in the compliant list (M1)
M4: Number of workforce members in the non-compliant list (M2)
M5: Total number of workforce members in Input 1

Metrics

Coverage: M3 / M5

Note: A more advanced measure would involve comparing assessment scores over time to measure the effectiveness of this module. While such assessment scores could be from something as basic as a test at the end of the training module, it could also be a more advanced check of the module's content as implemented in the organization over time.
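As an added example (not code from the issue or the CIS project), the following implements both proposals in this thread: the coverage measure M1..M5 / Coverage above, including the rule that a member missing from the completion list is non-compliant, and the damped TP Quality score from the first comment. The roster, dates and quiz scores are constructed sample data; the example assumes round i = 0 is the most recent round, since alpha < 1 is meant to give recent rounds more weight, and that the frequency input is expressed as a maximum age in days (365 for "at least annually").

```python
from datetime import date, timedelta

# Constructed sample inputs (not from the issue).
# Input 1: workforce roster. Input 2: most recent completion date of this
# module per member. "dave" has no record and must come out non-compliant.
WORKFORCE = ["alice", "bob", "carol", "dave"]
COMPLETIONS = {
    "alice": date(2024, 3, 1),
    "bob": date(2022, 6, 15),
    "carol": date(2024, 1, 20),
}


def coverage(workforce, completions, as_of, max_age_days=365):
    """Compute measures M1..M5 and the Coverage metric (M3 / M5).

    max_age_days encodes Input 3 (required training frequency); a member
    absent from `completions` is treated as non-compliant, per the
    operations text."""
    cutoff = as_of - timedelta(days=max_age_days)
    m1 = [w for w in workforce if w in completions and completions[w] >= cutoff]
    m2 = [w for w in workforce if w not in m1]
    m3, m4, m5 = len(m1), len(m2), len(workforce)
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4, "M5": m5,
            "Coverage": m3 / m5 if m5 else 0.0}


def tp_quality(scores, alpha):
    """Damped training-quality score from the first comment.

    scores[j][i] = (c_i_j, TQ_i_j) for employee j in round i, with i = 0
    the most recent round (assumption), so alpha**i down-weights older
    rounds. Each employee's weighted mean is normalised by the weight sum,
    then averaged over the n employees."""
    if not 0 < alpha < 1:
        raise ValueError("alpha must be a damping factor strictly between 0 and 1")
    total = 0.0
    for rounds in scores:
        if not rounds or any(tq == 0 for _, tq in rounds):
            raise ValueError("every employee needs rounds with TQ_i_j > 0")
        num = sum((c / tq) * alpha ** i for i, (c, tq) in enumerate(rounds))
        den = sum(alpha ** i for i in range(len(rounds)))
        total += num / den
    return total / len(scores)


if __name__ == "__main__":
    print(coverage(WORKFORCE, COMPLETIONS, as_of=date(2024, 6, 1)))
    # Two sampled employees, two rounds each, most recent round first.
    print(tp_quality([[(8, 10), (6, 10)], [(10, 10), (5, 10)]], alpha=0.5))
```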

apiperCIS commented 5 years ago

I left in the time factor in the above measurement proposal, even though the wording of the sub-control does not explicitly state it. I'm considering 17.3 as the primary security awareness training program and it does have a time factor, and then 17.5 - 17.9 are specific modules within that security awareness training program, so they effectively inherit the time factor from 17.3. If we like this approach, 17.6 - 17.9 could be simple cut/paste from this one. Thoughts?

adammontville commented 5 years ago

Inputs

Operations

Measures

Metrics