Measures' functioning

This article explains the various compliance scores of measures as well as the difference between private and offered measures.

Table of Contents

1. What is a measure?

2. Private/Offered measures

3. Compliance Scores
    a) Declarative Score
    b) Coverage Score
    c) Measured Score and Performance

1. What is a measure?

A measure is the software, process or team that secures a perimeter. It is the central element of Tenacy, linking the other objects together.

The measure can be:

  • Operated: already in place in your organization
  • Under construction: does not exist in your organization, and you need to implement it

2. Private/Offered measures

a) Private measures

For a chosen policy, each perimeter will have:

  • Its own measure (derived from the same proposed measure)
  • Its own recurring tasks
  • Its own metrics collection

In the example below, Lyon and Lille will each operate their measure, collect their recurring tasks and metrics independently.

b) Offered measures

Offered measure, centrally measured

For a chosen policy:

  • Only one measure is created for multiple perimeters
  • One of the perimeters is responsible for operating it, for itself (or not) and for the others
  • Only one metric will be collected for different perimeters

🔎 It is entirely possible for a perimeter to offer the operated measure to other perimeters without operating it for itself.

In the example below, Lyon will be responsible for operating the measure, collecting recurring tasks and metrics for itself and the Lille perimeter.

Offered measure and locally measured

As a nuance on the offered measure, it is also possible to collect metrics locally for each perimeter.

Taking the previous example, the "Collect metrics for each perimeter" box is checked, so metrics will be collected for each of the 2 perimeters.

🔎 For collection, either each perimeter collects on its own, or Lyon can still be responsible for collecting both metrics.

c) Create a Private or Offered Device

Via the Catalog

⚙️ Cogwheel > Catalog > Device > "Operate" a device
You can then find your operated device in the security base.

Via the "Policies" tab

  • Policies > Chosen policy > Display in coverage score > Select the control to which the measure applies.
  • "Add a measure to the control" > "Operate" the measure and select whether it is private or offered.

The measure is already operated privately, and I want it to be offered

From the Policies tab: Chosen Policy > Display in coverage score > Select the control to which the measure applies.

  • "Add a measure to the control" > "Consume"
  • Choose the measure > Choose the consuming perimeter.

From the security base: Select the measure > Edit > Uncheck the "private" box > Add consuming perimeters in the "consumers" tab.

3. Compliance Scores

For the compliance part, three scores can be displayed for perimeters or policies (declarative, coverage, measured), corresponding to increasing levels of detail and confidence.

a) Declarative Score

Declarative scores come from evaluations performed directly on policies. For a perimeter to have a declarative score, it must be associated with a policy and at least one evaluation must be performed for this perimeter on this policy (the score of the last evaluation is used).

💡 The score depends on the response of your evaluation and the scale used.

In the example below, if I take my maturity scale, my score will be 0, 25, 50, 75, or 100. On the compliance scale, my score will be 0 (non-compliant response) or 100 (compliant response).

🔎 To learn more about evaluations, you can read this article.

b) Coverage Score

Coverage scores are based on the security bases of perimeters (set of consumed measures) and the associations between measures and security controls.

They indicate to what extent the measures in place cover the requirements of the policies associated with the perimeters. It is the theoretical coverage defined in your policy.

💡 The coverage of a policy control has 3 scenarios:

First scenario:

You need to have both measures to cover 100% of the control.

Second scenario:

In this example, you have the choice of measures to put in place to cover this rule.

Third scenario:

A single measure allows you to be 100% compliant.

You can see the coverage score of your measures in the Policies tab > click on the policy > View "Coverage".

🔎 Update of 10/09/2023: For the coverage score, you now have the option to take into account the efficiency of the measure.

If you want to use the efficiency of the measure in the coverage score, the setting is at the cogwheel ⚙️ > Preferences.

Search with the keyword "Coverage".

  • True = Efficiency of the measure is taken into account
  • False = Efficiency of the measure is not taken into account
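The three coverage scenarios above, together with the "Coverage" preference that folds measure efficiency into the score, can be modelled as follows. This is an added illustration, not Tenacy's own code: the aggregation rules (each required measure contributes an equal share of its control; for alternatives, the best-covered one counts; the policy score is the average of its controls) are assumptions chosen to reproduce the scenarios described on this page, and the measure and control names are constructed.

```python
"""Coverage-score model for the three control scenarios (added example).

Assumptions (not stated on the page):
  - rule "all": every listed measure is needed; each contributes an equal
    share, so one operated measure out of two gives 50%;
  - rule "any": one measure suffices; the best-covered alternative counts;
  - a single-measure control is rule "all" with one measure (100% when operated);
  - the policy coverage score is the mean of its control scores.
Efficiency is taken into account only when the "Coverage" preference is True.
"""
from dataclasses import dataclass, field


@dataclass
class Measure:
    name: str
    efficiency: float = 1.0  # 0.0 .. 1.0, used only when use_efficiency=True


@dataclass
class Control:
    ref: str
    rule: str                              # "all" (scenario 1/3) or "any" (scenario 2)
    measures: list = field(default_factory=list)


def measure_contribution(measure, security_base, use_efficiency):
    """Contribution of one measure: 0 if not in the security base,
    otherwise 1 or its efficiency depending on the preference."""
    if measure.name not in security_base:
        return 0.0
    return measure.efficiency if use_efficiency else 1.0


def control_coverage(control, security_base, use_efficiency=False):
    """Coverage of one control in percent."""
    contributions = [measure_contribution(m, security_base, use_efficiency)
                     for m in control.measures]
    if not contributions:
        return 0.0
    if control.rule == "all":
        return 100.0 * sum(contributions) / len(contributions)
    if control.rule == "any":
        return 100.0 * max(contributions)
    raise ValueError(f"unknown rule {control.rule!r}")


def policy_coverage(controls, security_base, use_efficiency=False):
    """Policy coverage score in percent (mean of its control scores)."""
    scores = [control_coverage(c, security_base, use_efficiency) for c in controls]
    return sum(scores) / len(scores)


# Constructed sample data (hypothetical measures and control references).
MFA = Measure("MFA", efficiency=0.8)
PASSWORD_POLICY = Measure("Password policy")
EDR = Measure("EDR")
ANTIVIRUS = Measure("Antivirus", efficiency=0.6)
BACKUPS = Measure("Backups")

SAMPLE_CONTROLS = [
    Control("CTRL-1", "all", [MFA, PASSWORD_POLICY]),   # scenario 1: both needed
    Control("CTRL-2", "any", [EDR, ANTIVIRUS]),         # scenario 2: a choice
    Control("CTRL-3", "all", [BACKUPS]),                # scenario 3: single measure
]

# Security base of the perimeter: the set of consumed measures.
SAMPLE_BASE = {"MFA", "Antivirus", "Backups"}


if __name__ == "__main__":
    for pref in (False, True):
        print(f"Coverage preference = {pref}")
        for c in SAMPLE_CONTROLS:
            print(f"  {c.ref}: {control_coverage(c, SAMPLE_BASE, pref):.1f}%")
        print(f"  policy: {policy_coverage(SAMPLE_CONTROLS, SAMPLE_BASE, pref):.1f}%")
```

With the preference set to False, CTRL-1 scores 50% (only one of the two required measures is in place), CTRL-2 scores 100% (antivirus is one acceptable alternative) and CTRL-3 scores 100%; switching the preference to True lowers CTRL-1 to 40% and CTRL-2 to 60% because the operated measures are only 80% and 60% efficient.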

🔔 Feel free to write to us in the chat if you would like us to make this change for you.

c) Measured Score

Measured scores will take into account the performance of your measure.

What does the performance score consist of?

The performance score is calculated only on your operated measures. This allows you to attest to the performance of your measures based on:

  • Performance indicators related to the measures
  • Completion (or not) of recurring tasks associated with the measure, over the last 12 months.

This is then called operational performance score.

🔎 Activity indicators like "PHI.I03 - Number of clicks (Phishing)" will be linked to measures but will not be considered in the performance score calculation.

⚠️ Warning, the operational score is only part of the performance score. Performance also takes into account the efficiency of the measure. A measure with an operational performance of 100% will have a reduced performance score if its efficiency is not 100%. The score is weighted by the efficiency of the measure.

Conceptual diagram of calculating measure performance

Example with a measure with 100% efficiency on measure 4.7 of CIS Control V8

Example with a measure with 80% efficiency on measure 4.8 of CIS Control V8

⚠️ Measures without any controls (i.e. without recurring tasks or indicators) will have an "operational performance" value of 75% applied for the calculation.

Example:

  • 4.8 CIS V8 = 75
  • 4.7 CIS V8 = 37.5 rounded to 38.

This default value can be modified in preferences: measure.default_performance
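The performance calculation described in this section can be modelled as follows. This is an added illustration, not Tenacy's own code. It follows what the page states: only performance indicators count (activity indicators are ignored), recurring tasks are considered over the last 12 months, a measure with no indicators and no tasks gets the default operational performance (75 unless measure.default_performance is changed), and the performance score is the operational score weighted by the measure's efficiency. The page does not say how indicators and task completion are combined, so averaging them is an assumption, as are the half-up rounding, the indicator and task values, and the measure names.

```python
"""Measured-score model: operational performance weighted by efficiency (added example).

Assumptions not stated on the page: indicator attainment and the task
completion ratio are averaged with equal weight; rounding is half-up
(37.5 -> 38, as in the page's example); the 12-month window is 365 days.
"""
import math
from dataclasses import dataclass, field
from datetime import date, timedelta

# Preference measure.default_performance; 75 is the default quoted on the page.
DEFAULT_PERFORMANCE = 75.0


@dataclass
class Indicator:
    ref: str
    kind: str        # "performance" counts; "activity" is ignored
    value: float     # attainment, 0.0 .. 1.0


@dataclass
class Task:
    due: date
    done: bool


@dataclass
class Measure:
    name: str
    efficiency: float = 1.0                         # 0.0 .. 1.0
    indicators: list = field(default_factory=list)
    tasks: list = field(default_factory=list)


def round_half_up(x):
    return int(math.floor(x + 0.5))


def operational_performance(measure, today, default=DEFAULT_PERFORMANCE):
    """Operational performance in percent from performance indicators and
    recurring-task completion over the last 12 months; `default` when the
    measure has no controls at all."""
    window_start = today - timedelta(days=365)
    perf_values = [i.value for i in measure.indicators if i.kind == "performance"]
    recent_tasks = [t for t in measure.tasks if window_start <= t.due <= today]

    components = []
    if perf_values:
        components.append(100.0 * sum(perf_values) / len(perf_values))
    if recent_tasks:
        components.append(100.0 * sum(t.done for t in recent_tasks) / len(recent_tasks))
    if not components:
        return default
    return sum(components) / len(components)  # assumption: equal-weight average


def performance_score(measure, today, default=DEFAULT_PERFORMANCE):
    """Performance score: operational performance weighted by efficiency, rounded."""
    return round_half_up(operational_performance(measure, today, default) * measure.efficiency)


def sample_measures():
    """Constructed sample measures (hypothetical names and values)."""
    with_controls = Measure(
        "Phishing awareness", efficiency=0.8,
        indicators=[
            Indicator("PERF-01", "performance", 0.9),
            Indicator("PERF-02", "performance", 1.0),
            Indicator("ACT-01", "activity", 0.3),      # activity: ignored
        ],
        tasks=[
            Task(date(2023, 1, 15), False),             # older than 12 months: ignored
            Task(date(2023, 9, 1), True),
            Task(date(2023, 12, 1), True),
            Task(date(2024, 3, 1), True),
            Task(date(2024, 5, 15), False),
        ],
    )
    no_controls_full = Measure("Network segmentation", efficiency=1.0)
    no_controls_partial = Measure("Asset inventory", efficiency=0.5)
    return {"with_controls": with_controls,
            "no_controls_full": no_controls_full,
            "no_controls_partial": no_controls_partial}


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for name, m in sample_measures().items():
        print(f"{name}: operational={operational_performance(m, today):.1f}, "
              f"score={performance_score(m, today)}")
```

For the measure with controls, the two performance indicators average 95% and three of the four tasks inside the window are done (75%), giving an operational performance of 85% and, after weighting by 80% efficiency, a score of 68. The two measures without controls receive the default 75%, which becomes 75 at 100% efficiency and 37.5, rounded to 38, at 50% efficiency.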