
Possibility to have to several Measurements on a Control #34

Open
pep-un opened this issue Jul 30, 2023 · 7 comments
Assignees
Labels
enhancement New feature or request

Comments

@pep-un

pep-un commented Jul 30, 2023

Hello,

It could be useful to be able to have several Measurements on a Control, for example:

  • Some frameworks may have wide Controls for which you may have to do several Measurements to check whether it is OK or not.
  • Wide organizations may have to split the Measurement of a control between two teams (Windows/Linux for example).
  • You may want to implement a simple control monthly and a full control yearly.
  • Some organizations (like banks) MUST have two different and independent Measurements for the same Control.

I think in some cases we may manage it by breaking down the Control, but you may lose the coherence with your framework and add reporting complexity. In some cases breaking down the Control may not work, and will really require a 1 Control to N Measurements scheme.

@dbarzin dbarzin added the enhancement New feature or request label Jul 30, 2023
@dbarzin dbarzin self-assigned this Jul 30, 2023
@dbarzin
Owner

dbarzin commented Jul 31, 2023

I propose to add a field "scope" to measurements. A scope could be a physical site, a department, an application...
Reports could be generated for one specific scope or for all scopes.
When planning a control, the user has to specify the scope or leave it blank if all scopes are concerned.

@dbarzin
Owner

dbarzin commented Aug 23, 2023

The field "scope" has been added.

@pep-un
Author

pep-un commented Aug 23, 2023

Wonderful! I will test as soon as possible!

@charlesgoyard

charlesgoyard commented Nov 23, 2023

Hi there, I'm getting started with Deming, which feels useful for tracking compliance!

My plan is to work on the MPA/TPN framework.

This framework has a lot of controls that include more than one measurement, so I would find the possibility to do this 1 control to N measurements natively very useful.

Example:

Control: TS2-6, Firewall Management

Measurements:
Establish and regularly review a policy and process for Firewall Management, to include the following:

  1. Provisioning firewall users based off the Principle of Least Privilege (PoLP)
  2. Change control requirements (e.g., patching, upgrades, firewall rule management, etc.)
  3. Do not allow direct firewall management from the Internet or WAN
  4. Firewall to have a subscription to anti-virus and intrusion detection updates
  5. Configure to alert key security events

Maybe I did not understand how the scope field is helping.

@dbarzin
Owner

dbarzin commented Nov 23, 2023

Hello Charles,

Scopes are related to assets. For example, if you have to perform physical controls on more than one site, you may want to split your measurement into several scopes: site 1, site 2...

In your example you may split your control into several other controls:
TS2-6.1 Firewall management - provisioning
TS2-6.2 Firewall management - change control
TS2-6.2 Firewall management - direct management
...

@charlesgoyard

Thanks for answering.
Yes, splitting the controls is how I will do it for now.

I'm not much of a PHP developer, so I can't offer a patch 😢

@arnaud-lxbg

In that case, sub-controls make sense because they are a subdivision of the control.
But the way we measure it might require more than one test, e.g. "Change control requirements (e.g., patching, upgrades, firewall rule management, etc.)" means one measurement for patching/upgrade control (monthly?), another one for firewall rule management to monitor changes proposed in the CAB, another one for firewall rule management to review the implemented ruleset yearly...

And we see that the second measurement could also participate in the measurement of the control about change management.
