This topic explains how the risk metrics used by the system can be consolidated, from the most granular level to the highest level. First, the hierarchical structure governing objects must be explained so that you can understand how these consolidations move from lower to higher levels.
In the Organization module, there are two main ways to view the organizational structure: through perimeters or through business components. A business component is either strategic or tactical. Tactical business components support strategic business components and act as intermediaries between the strategic business components and the assets. A strategic business component can be associated with several tactical business components, and vice versa.
A perimeter groups several assets (physically or logically), but an asset can be located in only one perimeter. By contrast, a tactical business component can be associated with several assets, and a single asset can support several tactical business components; this many-to-many relationship is what makes consolidation at the business component level different from consolidation by perimeter.
Assets can be classified into types. In the system, there are four default types (person, process, technology, and environment). However, if these do not sufficiently categorize assets according to your organization's needs, additional asset types can be created in the Administration module. For details on creating custom asset types, see Chapter 17: Administration -> Customizations -> Object Types.
In addition, each asset can have several asset components, but an asset component can only belong to a single asset. Asset components are also classified into types, according to the asset they belong to.
The hierarchy of these objects is shown in the figure below:
Although these objects are structured in the Organization module, they are also related to other objects in other system modules.
A knowledge base is the highest object in the hierarchy from the Knowledge module. It is essentially a list of controls, detailing good practices that will be verified during a risk management project. While a knowledge base contains several controls, a control only belongs to a single knowledge base. Within a knowledge base, controls can be organized into groupings. A control is also associated with one or more threats.
Information from both the Organization and Knowledge module is used to create a risk project in the Risk module. The asset component to be analyzed comes from the Organization module, and a knowledge base from the Knowledge module is used to create the questionnaire (see figure below).
Given this information, the tables below can be used as a reference for interpreting the results shown in risk projects, reports, and queries. They explain how each type of risk metric is calculated for each type of object. Three rules hold at every level of the hierarchy: non-applicable controls are excluded from the Applicable PSR and from the control counts used by the Gap Index and Control Index; the Risk Index and Security Index of an object always add up to 100%, as do its Gap Index and Control Index; and the Risk and Security indexes are weighted by PSR, whereas the Gap and Control indexes are plain control counts, so the two pairs need not agree. For an object whose controls are all non-applicable, the divisor of every index is zero and no index can be computed.
| Object | Controlled PSR | Identified PSR | Non-Applicable PSR |
|---|---|---|---|
| control x | PSR of the implemented control | PSR of the non-implemented control | PSR of the non-applicable control |
| threat x | PSR sum of the implemented controls associated with the threat | PSR sum of the non-implemented controls associated with the threat | PSR sum of the non-applicable controls associated with the threat |
| knowledge base x | PSR sum of the implemented controls from the questionnaire generated based on the knowledge base | PSR sum of the non-implemented controls from the questionnaire generated based on the knowledge base | PSR sum of the non-applicable controls from the questionnaire generated based on the knowledge base |
| questionnaire x | PSR sum of the implemented controls from the questionnaire | PSR sum of the non-implemented controls from the questionnaire | PSR sum of the non-applicable controls from the questionnaire |
| grouping x | PSR sum of the implemented controls from the grouping | PSR sum of the non-implemented controls from the grouping | PSR sum of the non-applicable controls from the grouping |
| asset component x | PSR sum of the implemented controls from the questionnaire of the asset component | PSR sum of the non-implemented controls from the questionnaire of the asset component | PSR sum of the non-applicable controls from the questionnaire of the asset component |
| asset x | PSR sum of the implemented controls from the asset components of the asset | PSR sum of the non-implemented controls from the asset components of the asset | PSR sum of the non-applicable controls from the asset components of the asset |
| asset type x | PSR sum of the implemented controls for the asset type | PSR sum of the non-implemented controls for the asset type | PSR sum of the non-applicable controls for the asset type |
| perimeter x | PSR sum of the implemented controls for the assets from the perimeter | PSR sum of the non-implemented controls for the assets from the perimeter | PSR sum of the non-applicable controls for the assets from the perimeter |
| tactical business component x | PSR sum of the implemented controls from the assets associated with the tactical business component | PSR sum of the non-implemented controls from the assets associated with the tactical business component | PSR sum of the non-applicable controls from the assets associated with the tactical business component |
| strategic business component x | PSR sum of the implemented controls from the assets associated with the strategic business component | PSR sum of the non-implemented controls from the assets associated with the strategic business component | PSR sum of the non-applicable controls from the assets associated with the strategic business component |

Note that a single control contributes to exactly one of the three columns, depending on whether it was answered as implemented, non-implemented, or non-applicable.
| Object | Applicable PSR |
|---|---|
| control x | N/A |
| threat x | Sum of the Identified PSR and the Controlled PSR of the controls associated with the threat |
| knowledge base x | Sum of the Identified PSR and the Controlled PSR of the questionnaire associated with the knowledge base |
| questionnaire x | Sum of the Identified PSR and the Controlled PSR of the questionnaire |
| grouping x | Sum of the Identified PSR and the Controlled PSR of the grouping |
| asset component x | Sum of the Identified PSR and the Controlled PSR of the questionnaire associated with the asset component |
| asset x | Sum of the Identified PSR and the Controlled PSR of the asset components associated with the asset |
| asset type x | Sum of the Identified PSR and the Controlled PSR of the asset type |
| perimeter x | Sum of the Identified PSR and the Controlled PSR of the assets from the perimeter |
| tactical business component x | Sum of the Identified PSR and the Controlled PSR of the assets associated with the tactical business component |
| strategic business component x | Sum of the Identified PSR and the Controlled PSR of the assets associated with the strategic business component |
| Object | Risk Index (x 100%) | Security Index (x 100%) |
|---|---|---|
| control x | N/A | N/A |
| threat x | Identified PSR of the controls associated with the threat / PSR of the applicable controls associated with the threat | Controlled PSR of the controls associated with the threat / PSR of the applicable controls associated with the threat |
| knowledge base x | Identified PSR of the knowledge base / PSR of the applicable controls from the knowledge base | Controlled PSR of the knowledge base / PSR of the applicable controls from the knowledge base |
| questionnaire x | Identified PSR of the questionnaire / PSR of the applicable controls from the questionnaire | Controlled PSR of the questionnaire / PSR of the applicable controls from the questionnaire |
| grouping x | Identified PSR of the grouping / PSR of the applicable controls from the grouping | Controlled PSR of the grouping / PSR of the applicable controls from the grouping |
| asset component x | Identified PSR of the questionnaire associated with the asset component / PSR of the applicable controls from that questionnaire | Controlled PSR of the questionnaire associated with the asset component / PSR of the applicable controls from that questionnaire |
| asset x | Identified PSR of the asset components associated with the asset / PSR of the applicable controls from those asset components | Controlled PSR of the asset components associated with the asset / PSR of the applicable controls from those asset components |
| asset type x | Identified PSR of the asset components associated with the asset type / PSR of the applicable controls from the asset components associated with the asset type | Controlled PSR of the asset components associated with the asset type / PSR of the applicable controls from the asset components associated with the asset type |
| perimeter x | Identified PSR of the assets associated with the perimeter / PSR of the applicable controls from the assets associated with the perimeter | Controlled PSR of the assets associated with the perimeter / PSR of the applicable controls from the assets associated with the perimeter |
| tactical business component x | Identified PSR of the assets associated with the tactical business component / PSR of the applicable controls from the assets associated with the tactical business component | Controlled PSR of the assets associated with the tactical business component / PSR of the applicable controls from the assets associated with the tactical business component |
| strategic business component x | Identified PSR of the assets associated with the strategic business component / PSR of the applicable controls from the assets associated with the strategic business component | Controlled PSR of the assets associated with the strategic business component / PSR of the applicable controls from the assets associated with the strategic business component |

In every row the divisor is the object's Applicable PSR from the previous table, so the Risk Index and Security Index of the same object always sum to 100%.
| Object | Gap Index | Control Index |
|---|---|---|
| control x | N/A | N/A |
| threat x | Total non-implemented controls associated with the threat / Total applicable controls associated with the threat | Total implemented controls associated with the threat / Total applicable controls associated with the threat |
| knowledge base x | Total non-implemented controls for the questionnaire from the knowledge base / Total applicable controls for the questionnaire from the knowledge base | Total implemented controls for the questionnaire from the knowledge base / Total applicable controls for the questionnaire from the knowledge base |
| questionnaire x | Total non-implemented controls for the questionnaire / Total applicable controls for the questionnaire | Total implemented controls for the questionnaire / Total applicable controls for the questionnaire |
| grouping x | Total non-implemented controls for the grouping / Total applicable controls for the grouping | Total implemented controls for the grouping / Total applicable controls for the grouping |
| asset component x | Total non-implemented controls for the questionnaire associated with the asset component / Total applicable controls for the questionnaire associated with the asset component | Total implemented controls for the questionnaire associated with the asset component / Total applicable controls for the questionnaire associated with the asset component |
| asset x | Total non-implemented controls for the asset components associated with the asset / Total applicable controls for the asset components associated with the asset | Total implemented controls for the asset components associated with the asset / Total applicable controls for the asset components associated with the asset |
| asset type x | Total non-implemented controls for the asset components associated with the asset type / Total applicable controls for the asset components associated with the asset type | Total implemented controls for the asset components associated with the asset type / Total applicable controls for the asset components associated with the asset type |
| perimeter x | Total non-implemented controls for the assets from the perimeter / Total applicable controls for the assets from the perimeter | Total implemented controls for the assets from the perimeter / Total applicable controls for the assets from the perimeter |
| tactical business component x | Total non-implemented controls for the assets associated with the tactical business component / Total applicable controls for the assets associated with the tactical business component | Total implemented controls for the assets associated with the tactical business component / Total applicable controls for the assets associated with the tactical business component |
| strategic business component x | Total non-implemented controls for the assets associated with the strategic business component / Total applicable controls for the assets associated with the strategic business component | Total implemented controls for the assets associated with the strategic business component / Total applicable controls for the assets associated with the strategic business component |

Unlike the Risk and Security indexes, these two indexes count controls without weighting them by PSR: a non-implemented control with a very high PSR moves the Gap Index exactly as much as one with a low PSR.
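The following Python script is an added worked example of the consolidation rules in the four tables above; it is not the system's own code and the object names, control identifiers and PSR values are constructed for illustration. It assumes that each control answered in an asset component's questionnaire carries a numeric PSR weight and exactly one of the three statuses, that the hierarchy can be represented as plain dictionaries keyed by name, and that an asset reached twice at the strategic level (because it supports two tactical business components under the same strategic component) is counted once. It also shows the two checks a practitioner wants when reading a consolidated report: that the strategic roll-up does not double count a shared asset, and that an object whose controls are all non-applicable has no computable index rather than a 0% risk.

```python
"""Roll-up of PSR metrics across the object hierarchy (added example, not product code).
Assumptions not stated on the page: each answered control carries a numeric PSR weight
and one of three statuses; objects are plain dicts keyed by name; an asset reached twice
through different tactical components is counted once at the strategic level."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional, Tuple


class Status(Enum):
    IMPLEMENTED = "implemented"
    NOT_IMPLEMENTED = "non-implemented"
    NOT_APPLICABLE = "non-applicable"


@dataclass(frozen=True)
class Answer:
    """One control as answered in an asset component's questionnaire."""
    control: str
    psr: float
    status: Status
    threats: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Metrics:
    controlled_psr: float      # PSR sum of the implemented controls
    identified_psr: float      # PSR sum of the non-implemented controls
    non_applicable_psr: float  # PSR sum of the non-applicable controls
    implemented: int           # number of implemented controls
    non_implemented: int       # number of non-implemented controls

    @property
    def applicable_psr(self) -> float:
        return self.controlled_psr + self.identified_psr

    @property
    def applicable(self) -> int:
        return self.implemented + self.non_implemented

    @staticmethod
    def _ratio(num: float, den: float) -> Optional[float]:
        # All controls non-applicable: the index is undefined, not "0% risk".
        return None if den == 0 else num / den

    @property
    def risk_index(self) -> Optional[float]:
        return self._ratio(self.identified_psr, self.applicable_psr)

    @property
    def security_index(self) -> Optional[float]:
        return self._ratio(self.controlled_psr, self.applicable_psr)

    @property
    def gap_index(self) -> Optional[float]:
        return self._ratio(self.non_implemented, self.applicable)

    @property
    def control_index(self) -> Optional[float]:
        return self._ratio(self.implemented, self.applicable)


def consolidate(answers: Iterable[Answer]) -> Metrics:
    """Metrics of any object, computed from the control answers it covers."""
    controlled = identified = non_applicable = 0.0
    implemented = non_implemented = 0
    for a in answers:
        if a.status is Status.IMPLEMENTED:
            controlled, implemented = controlled + a.psr, implemented + 1
        elif a.status is Status.NOT_IMPLEMENTED:
            identified, non_implemented = identified + a.psr, non_implemented + 1
        else:
            non_applicable += a.psr
    return Metrics(controlled, identified, non_applicable, implemented, non_implemented)


# Constructed sample data: hypothetical control ids, PSR weights and object names.
T = ("unauthorized access",)
COMPONENTS: Dict[str, List[Answer]] = {
    "web-server-01::os": [Answer("A.9.1", 10, Status.IMPLEMENTED, T),
                          Answer("A.9.2", 8, Status.NOT_IMPLEMENTED, T),
                          Answer("A.12.3", 6, Status.NOT_APPLICABLE)],
    "web-server-01::app": [Answer("A.14.1", 9, Status.IMPLEMENTED),
                           Answer("A.14.2", 9, Status.NOT_IMPLEMENTED)],
    "db-server-01::db": [Answer("A.9.1", 10, Status.NOT_IMPLEMENTED, T),
                         Answer("A.12.3", 6, Status.IMPLEMENTED)],
    "legacy-01::fw": [Answer("A.13.1", 7, Status.NOT_APPLICABLE)],
}
ASSETS = {"web-server-01": ["web-server-01::os", "web-server-01::app"],
          "db-server-01": ["db-server-01::db"], "legacy-01": ["legacy-01::fw"]}
PERIMETERS = {"datacenter": ["web-server-01", "db-server-01"], "branch": ["legacy-01"]}
TACTICAL = {"customer-portal": ["web-server-01", "db-server-01"], "reporting": ["db-server-01"]}
STRATEGIC = {"online-sales": ["customer-portal", "reporting"]}


def answers_of_assets(assets: Iterable[str]) -> List[Answer]:
    """Answers of a set of assets; dict.fromkeys drops repeated assets but keeps order."""
    return [a for asset in dict.fromkeys(assets)
            for comp in ASSETS[asset] for a in COMPONENTS[comp]]


def asset_metrics(asset: str) -> Metrics:
    return consolidate(answers_of_assets([asset]))


def perimeter_metrics(perimeter: str) -> Metrics:
    return consolidate(answers_of_assets(PERIMETERS[perimeter]))


def strategic_metrics(strategic: str) -> Metrics:
    # Strategic -> tactical -> assets; the same asset may appear under several tacticals.
    return consolidate(answers_of_assets(a for t in STRATEGIC[strategic] for a in TACTICAL[t]))


def threat_metrics(threat: str) -> Metrics:
    """Cross-cutting roll-up over every answered control associated with the threat."""
    return consolidate(a for comp in COMPONENTS.values() for a in comp if threat in a.threats)
```

With this data the "datacenter" perimeter and the "online-sales" strategic business component cover the same two assets, so their metrics are identical (Controlled PSR 25, Identified PSR 27, Risk Index 27/52) only because the shared database asset is counted once; summing the two tactical components naively would report Identified PSR 37. The "branch" perimeter, whose only control is non-applicable, returns None for every index.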