IA Excellence: A History of Risk Scoring



From Chief Information Officer Steven C. Taylor


Here are several updated documents that describe the risk scoring program of the State Department with new information since May 2010. These documents are unclassified and can be shared with whoever would benefit in your organization or among your business partners.

Core Briefing

The first briefing includes information on enterprise implementation of continuous monitoring at the State Department in the second 12 months. See also the last attachment in the list for the latest on implementation of Continuous C&A in the last 8 slides which corresponds to the concepts plus frequently asked questions referenced in section (#4) below.

Single Page Summary

The next Word document attachment is a one-page summary we share with the Office of Management and Budget and external audiences as an executive summary.

Formulas, Scoring Methods, and Compensating for Information Overload

In the first Word document, a 25-page scoring guide shows the formulas used in the dashboard. For example, each risk score for vulnerabilities is cubed and divided by 100 to accentuate the 8, 9, and 10 scores for earliest attention. This technique also avoids the methodological weakness of adding two vulnerability scores with the value of "4" together and comparing the combination to one vulnerability with the value of "8" according to the NIST CVSS/National Vulnerability Database schema. A by-product of this technique is a remedy to the phenomenon of information overload studied in pilots who experience diminished decision-making capacity when attempting to absorb poorly designed cockpit instrumentation data during combat. Risk scoring is designed to deliver up the worst problems first for correction, which contributes to increased efficiency and constructive results for cyber security technicians.
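The effect of the cube-and-divide transform on prioritization, as an added example (not the State Department's code or taken from its scoring guide). The host names and scores are constructed, and summing the weighted scores per host is an assumption made here for illustration.

```python
from collections import defaultdict

# Constructed sample findings: (host, CVSS base score). Not real data.
FINDINGS = [
    ("web-01", 4.0), ("web-01", 4.0), ("web-01", 4.0),
    ("db-01", 8.0),
    ("mail-01", 10.0),
    ("file-01", 2.0), ("file-01", 3.0), ("file-01", 5.0), ("file-01", 5.0),
]


def linear(cvss):
    """Baseline: use the CVSS score unchanged."""
    return cvss


def weighted(cvss):
    """Transform described in the text: cube the score, divide by 100."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    return cvss ** 3 / 100.0


def host_totals(findings, transform):
    """Sum transformed scores per host (aggregation is an assumption)."""
    totals = defaultdict(float)
    for host, cvss in findings:
        totals[host] += transform(cvss)
    return dict(totals)


def worst_first(findings, transform):
    """Hosts ordered by descending total, ties broken by name."""
    totals = host_totals(findings, transform)
    return sorted(totals, key=lambda h: (-totals[h], h))


if __name__ == "__main__":
    for name, fn in (("linear", linear), ("cubed/100", weighted)):
        totals = host_totals(FINDINGS, fn)
        print(name)
        for host in worst_first(FINDINGS, fn):
            print(f"  {host:8s} {totals[host]:6.2f}")
```

With plain addition the host carrying many low scores ranks first; with the transform the hosts holding the single 10 and the single 8 rise to the top, and it takes eight findings scored 4 to equal one scored 8.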

Risk Scoring Software: Logic and Source Code

If you would like a run-time version of the State Department software, notwithstanding its limitations, let us know and send a surface e-mail address to Judy Burke. You will receive an application you can load on a personal computer with i) rudimentary simulation of many risk scoring application screens; ii) information on table structure; and iii) lists of data elements which may provide some additional information on setting up continuous monitoring in your organization. This version was created for organizations with substantial investments outside of the Microsoft architecture. Source code is available on request and contains logic that could be directly applied if SMS/SCCM, Active Directory, or McAfee Foundstone were available. Despite design limitations, a functioning dashboard has been set up and operated in three weeks by a capable software team.

Limits of State Department GOTS Risk Scoring Software

Some organizations consider adapting original State Department risk scoring to their own organizations as originally written or adapting the software logic that grew over six years supported by one person under contract. If this is the case for your organization, please note the narrative in the final Word attachment. Narrative in this file describes the constraints in this software that would have been done differently had more time and development staff been available since the beginning in 2003.

Attacks Mapped to Progress in the Implementation of Tools

The second presentation highlights how the State Department is being attacked against the 20 Most Critical Controls or Consensus Audit Guidelines. The first 15 of the 20 controls shown in this graphic can be assessed by automated verification in security tools available on the market.

This chart uses color-coding to show the status of implementation at the State Department. Dark green indicates where the State Department is conducting continuous monitoring with daily recalculation of risk scores by site and in some cases for application systems. Light green indicates we collect data but that data is not yet automatically integrated and presented in the risk score manager, where low scores, like golf, indicate less risk from attack via known vulnerabilities and configuration weaknesses. Yellow bands indicate too many tools with data we do not trust, and red indicates the circumstance where no tool is currently available but plans are in the works.

More information on the 20 Most Critical Controls can be found at the SANS website.

Continuous Certification and Accreditation

For federal IT security purposes, the final two presentation packages explain the National Institute of Standards and Technology (NIST) 800-37-compliant pilot implementation for "continuous certification and accreditation" proposed for the State Department in the 3rd and 4th quarter of FY2010. In the last file, you will find Frequently Asked Questions that will be used to respond to questions about compliance of this new paradigm for continuous monitoring with federal policy. We believe these files will be beneficial for your government-related work directly and will parallel your Sarbanes-Oxley, SEC reporting and the kinds of activities common for your external auditing. This document explains how to finance continuous monitoring by redirecting security compliance efforts while likely increasing the ROI of continuous monitoring more generally. These documents are part of an effort to design security control testing into the earliest phases of the system development life cycle and continue these disciplines as long as the system is operating.

Online Training for Risk Scoring

We have training documents in the form of frequently asked questions in Microsoft SharePoint that we have found very helpful in low-cost, high-impact implementation of continuous monitoring. These are available on request. We are aiming toward a website where these can be viewed interactively, but we are a number of months away from that objective.

Daily Awareness Training

Last, we have the Tips of the Day cyber security awareness program. A number of Cabinet Departments and agencies are piloting this product, and a handful are making plans for wider implementation. The source code of Tips of the Day will be available at a later date.