In Phase D, you identify the controls that are applicable to the scope of the assessment, determine the extent of the implementation of the control, and understand the strength of the controls that are in place to protect against the in-scope threat events.
Stage D1/3 – Control Implementation
Stage D1/3 is an assessment to determine the effectiveness and extent to which controls are implemented.
To begin, select from the Control Library the controls relevant to the scope of this assessment, using the Import from Form functionality to populate this form. If desired, import all controls using the check box in the top-left corner of the selection window. With the populated control list, assess the Implementation Rating for how well each control is implemented throughout the organisation (or at least the scope your assessment covers). Provide a rationale for why this rating was chosen and upload any evidence that supports the rationale.
| # | Field | Description |
|---|---|---|
| 1 | Control ID | This is a reference field to the controls as defined in the Control Library. |
| 2 | Control | This is a description of the control, which is auto-populated when the Control ID is chosen. |
| 3 | Implementation Rating | This is a drop-down field where you select how extensively this control is implemented. The possible selections are the following: |
| 4 | Implementation Rationale | This is a free text field where you input the reasoning behind the level of implementation the control has. |
| 5 | Reference to Evidence Documents | This is an evidence field where you can add links to documents that evidence the implementation of the control. |
Stage D4 – Control Mapping and Strength
Stage D4 involves determining the control strength associated with each combination of threat event and impacted component(s). Control strength is an assessment of the aggregate relevance of the applicable controls and the extent of their implementation. When assessing against the control library, a fully relevant control that is well implemented has a bigger impact on a threat event than a less relevant control that is fully implemented, so the relevant controls are the ones whose implementation matters most.
To complete this stage, pull all items through into this stage using the Import from Form functionality. Be sure to import all items using the check box in the top-left corner of the selection window. With the populated list of Threat Events, review the applicable controls (via the TEC) and the resultant Calculated Control Strength. Add additional controls if required, and apply a Moderated Control Strength if the result is still not as desired. A rationale for this override may also be provided.
| # | Field | Description |
|---|---|---|
| 1 | Threat Event ID | This is a reference field where you select a threat event from C Summary: Asset Threat Event Map. |
| 2 | Threat Details | These are the threat and threat event details, as defined in C Summary: Asset Threat Event Map. |
| 3 | Control Reference | This is a pop-up field where the details of all controls chosen for the threat event within the Threat Event Catalogue (TEC) are available for viewing. |
| 4 | Additional Controls | This is a multi-reference field where additional controls can be selected from the Stage D1/3 – Control Implementation form. |
| 5 | Calculated Control Strength | This is the calculated strength of the controls against the threat event, which is derived automatically from the controls chosen. |
| 6 | Moderated Control Strength | This is a drop-down field where you can change the strength of the controls on the threat event. The possible options are as follows: |
| 7 | Control Strength Rationale | This is a free text field where you input the rationale for the moderated strength of the control chosen. |
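The following is an added illustration of how a Calculated Control Strength can aggregate relevance and implementation, and how a Moderated Control Strength overrides it. It is example code written for this page, not the tool's own calculation: the scoring scales, the relevance-weighted formula, the control IDs and threat event IDs, and the review check for overrides without a rationale are all constructed assumptions. It shows the point made above, that a fully relevant control left partially implemented costs more strength than a marginal control left partially implemented.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed scoring scales for this illustration. The tool's actual drop-down
# values and weighting formula are not given on this page; these are assumptions.
IMPLEMENTATION_SCORE = {
    "not implemented": 0.0,
    "partially implemented": 0.5,
    "fully implemented": 1.0,
}
RELEVANCE_SCORE = {"low": 0.25, "medium": 0.5, "high": 1.0}


@dataclass
class AppliedControl:
    """A control mapped to one threat event (as in Stage D4)."""
    control_id: str        # reference into the Control Library (constructed IDs below)
    relevance: str         # relevance of this control to the threat event
    implementation: str    # Implementation Rating recorded in Stage D1/3


def calculated_control_strength(controls: List[AppliedControl]) -> float:
    """Relevance-weighted implementation, scaled 0-100 (assumed formula).

    Each control contributes implementation * relevance, and the sum is divided
    by the total relevance, so a highly relevant control that is poorly
    implemented drags the aggregate down far more than a marginal one does.
    """
    if not controls:
        return 0.0
    weighted = sum(
        IMPLEMENTATION_SCORE[c.implementation] * RELEVANCE_SCORE[c.relevance]
        for c in controls
    )
    total_relevance = sum(RELEVANCE_SCORE[c.relevance] for c in controls)
    return round(100.0 * weighted / total_relevance, 1)


@dataclass
class ControlStrengthRecord:
    """One row of the Stage D4 form for a threat event."""
    threat_event_id: str
    controls: List[AppliedControl]
    moderated_strength: Optional[float] = None   # analyst override, if any
    rationale: str = ""                          # Control Strength Rationale

    @property
    def calculated_strength(self) -> float:
        return calculated_control_strength(self.controls)

    @property
    def effective_strength(self) -> float:
        """The moderated value wins whenever the analyst has set one."""
        if self.moderated_strength is None:
            return self.calculated_strength
        return self.moderated_strength


def overrides_needing_review(records: List[ControlStrengthRecord]) -> List[str]:
    """Flag threat events whose moderated strength differs from the calculated
    value but carries no rationale. This is a QA check assumed for the example;
    the form itself makes the rationale optional."""
    return [
        r.threat_event_id
        for r in records
        if r.moderated_strength is not None
        and r.moderated_strength != r.calculated_strength
        and not r.rationale.strip()
    ]


if __name__ == "__main__":
    # Constructed scenarios: the highly relevant control is fully implemented in
    # A but only partially in B, while the low-relevance control is the reverse.
    scenario_a = [AppliedControl("CL-001", "high", "fully implemented"),
                  AppliedControl("CL-002", "low", "partially implemented")]
    scenario_b = [AppliedControl("CL-001", "high", "partially implemented"),
                  AppliedControl("CL-002", "low", "fully implemented")]
    print("Scenario A strength:", calculated_control_strength(scenario_a))  # 90.0
    print("Scenario B strength:", calculated_control_strength(scenario_b))  # 60.0
    record = ControlStrengthRecord("TE-01", scenario_b, moderated_strength=75.0)
    print("Effective strength:", record.effective_strength)                 # 75.0
    print("Overrides lacking rationale:", overrides_needing_review([record]))  # ['TE-01']
```

Dividing by total relevance means that adding many low-relevance, fully implemented controls cannot inflate the aggregate, which is the behaviour the guidance above asks for; a real tool may weight differently, so treat the numbers as illustrative only.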