Security Assessment Scoring
As a company or department works through a security assessment, the assessment team must decide on the current state of each domain, category, and practice. Each assessment model uses its own answer scale to record the degree of implementation achieved.
The assessment team must reach consensus on each answer, not unanimous agreement. Drill down while reaching consensus and record notes documenting why a particular answer was given, especially where there was initial disagreement. Discussing the following questions helps the team converge on an answer:
- How is the practice (subcategory) performed?
- Who performs it?
- Is it performed consistently throughout the organization, only in pockets, or overall very inconsistently?
Answer Scale Interpretation
| 4-point answer scale | The organization's performance of the practice described in the subcategory is … |
|---|---|
| Fully implemented | Complete. The practice is performed as described in the subcategory. |
| Largely implemented | Complete, but with recognized improvement opportunities that are not material to achieving framework, organizational, or critical infrastructure objectives. |
| Partially implemented | Incomplete. The practice is not fully performed as described in the subcategory, and there are recognized improvement opportunities that matter for achieving framework, organizational, or critical infrastructure objectives. |
| Not implemented | Absent. The organization does not perform the practice. |
CRI Profile
CRI Scale
- v1.2: Each Diagnostic Statement has the same weight in the overall score. Answers are not weighted: full credit is given to every version of "Yes" (including Yes-Compensating Controls Used and Yes-Risk-based), and no credit is given for "Partial" or any version of "No" (N/A, I Don't Know, Not Tested). The maximum score is 1000; with 277 Diagnostic Statements, each Statement is worth about 3.61 points. The final score shown on the dashboard is rounded once, after aggregation, which avoids the rounding error that accumulates when each level is rounded separately.
- v2.0: Same as v1.2, except that with 318 Diagnostic Statements each Statement is worth about 3.145 points.
CMMI Scale
Each Diagnostic Statement has the same weight in the overall score: at most 1 point per Statement, for a maximum total score of 277. For each Statement, credit is given according to its CMMI maturity level:
- Optimizing 1
- Quantitatively Managed 0.8
- Defined 0.6
- Managed 0.4
- Initial 0.2
- Incomplete 0
CRI with CMMI scale is only supported for v1.2. The update to v2.0 is expected later this year.
NIST CSF
Each CSF subcategory has the same weight in the overall score. Answers are weighted: full credit is given to FI (Fully Implemented), 0.8 credit to LI (Largely Implemented), 0.2 credit to PI (Partially Implemented), and no credit to NI (Not Implemented). The maximum score is 1000 across 108 subcategories, so each subcategory is worth about 9.26 points. The final score shown on the dashboard is rounded after aggregation. For the NIST CSF bar chart on the dashboard, 100% implementation credit is given for LI and FI, and 0% is given for PI and NI.
C2M2
A group of original authors (who happened to be Axio employees) determined the relative weight of each C2M2 domain toward an overall score of 1000 points. In the overall score, incomplete MIL1 practices (NI or PI) block implementation credit for the related MIL2 practices at the objective level; likewise, incomplete MIL2 practices (NI or PI) block implementation credit for the related MIL3 practices at the objective level. Additionally, answers are weighted: full credit is given to FI (Fully Implemented), 0.8 credit to LI (Largely Implemented), and 0.2 credit to PI (Partially Implemented).
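The three roll-ups described above (the CRI scale, the NIST CSF weighting, and the C2M2 weighting with MIL gating), as an added Python example that is not Axio's code. The credit values and statement counts are the ones stated on this page; the domain names, the domain weights, the equal weighting of practices inside a C2M2 domain, and all sample answers are assumptions of this example.

```python
"""Scoring calculator for the CRI, NIST CSF and C2M2 roll-ups described
on this page. Added example, not Axio's code. Domain weights, the equal
weighting of practices inside a C2M2 domain, and all sample answers are
constructed assumptions; credit values and statement counts are from the page."""
from collections import defaultdict

MAX_SCORE = 1000

# CRI Profile, CRI scale: every variant of Yes earns full credit; Partial and
# every variant of No (N/A, I Don't Know, Not Tested) earn nothing.
CRI_FULL_CREDIT = {"Yes", "Yes-Compensating Controls Used", "Yes-Risk-based"}
CRI_STATEMENTS = {"v1.2": 277, "v2.0": 318}

# Four-point answer scale shared by NIST CSF and C2M2.
CREDIT = {"FI": 1.0, "LI": 0.8, "PI": 0.2, "NI": 0.0}
NIST_CSF_SUBCATEGORIES = 108


def cri_score(answers, version="v1.2"):
    """answers: one answer string per Diagnostic Statement.
    Equal weights; rounded once after aggregation, never per statement."""
    total = CRI_STATEMENTS[version]
    if len(answers) != total:
        raise ValueError(f"{version} has {total} statements, got {len(answers)}")
    credited = sum(1 for a in answers if a in CRI_FULL_CREDIT)
    return round(credited * MAX_SCORE / total)


def nist_csf_score(answers):
    """answers: dict subcategory id -> FI/LI/PI/NI, one entry per subcategory."""
    if len(answers) != NIST_CSF_SUBCATEGORIES:
        raise ValueError(f"expected {NIST_CSF_SUBCATEGORIES} answers, got {len(answers)}")
    raw = sum(CREDIT[a] for a in answers.values()) * MAX_SCORE / NIST_CSF_SUBCATEGORIES
    return round(raw)


def nist_csf_bar_percent(answers):
    """Dashboard bar chart: FI and LI count as implemented, PI and NI do not."""
    implemented = sum(1 for a in answers.values() if a in ("FI", "LI"))
    return 100.0 * implemented / len(answers)


def c2m2_practice_credits(practices):
    """practices: list of (domain, objective, mil, answer).
    Returns the credit per practice, in input order, after MIL gating: a MIL-n
    practice (n > 1) earns nothing if any MIL-(n-1) practice of the same
    objective is NI or PI. The page states the rule for adjacent levels only,
    so that is what is implemented here."""
    incomplete = {(d, o, m) for d, o, m, a in practices if a in ("NI", "PI")}
    credits = []
    for domain, objective, mil, answer in practices:
        blocked = mil > 1 and (domain, objective, mil - 1) in incomplete
        credits.append(0.0 if blocked else CREDIT[answer])
    return credits


def c2m2_score(practices, domain_weights):
    """domain_weights: dict domain -> points, summing to MAX_SCORE (hypothetical).
    Each domain's points are scaled by its average practice credit; equal
    weighting of practices inside a domain is an assumption of this example."""
    if round(sum(domain_weights.values())) != MAX_SCORE:
        raise ValueError("domain weights must sum to the maximum score")
    credit_sum, count = defaultdict(float), defaultdict(int)
    for (domain, _, _, _), credit in zip(practices, c2m2_practice_credits(practices)):
        credit_sum[domain] += credit
        count[domain] += 1
    raw = sum(w * credit_sum[d] / count[d] for d, w in domain_weights.items() if count[d])
    return round(raw)


# Constructed sample data: hypothetical domains, objectives and weights.
SAMPLE_C2M2 = [
    ("A", "A-1", 1, "FI"), ("A", "A-1", 1, "LI"),
    ("A", "A-1", 2, "FI"),   # MIL1 has no NI/PI -> credited
    ("A", "A-1", 3, "LI"),   # MIL2 has no NI/PI -> credited
    ("B", "B-1", 1, "PI"),   # incomplete MIL1 ...
    ("B", "B-1", 2, "FI"),   # ... blocks this MIL2 practice
    ("B", "B-2", 1, "FI"),
    ("B", "B-2", 2, "PI"),   # incomplete MIL2 ...
    ("B", "B-2", 3, "FI"),   # ... blocks this MIL3 practice
]
SAMPLE_C2M2_WEIGHTS = {"A": 600, "B": 400}


def sample_nist_answers():
    """108 constructed answers: 60 FI, 30 LI, 10 PI, 8 NI."""
    labels = ["FI"] * 60 + ["LI"] * 30 + ["PI"] * 10 + ["NI"] * 8
    return {f"SUB-{i:03d}": a for i, a in enumerate(labels, 1)}


if __name__ == "__main__":
    print("CRI v1.2:", cri_score(["Yes"] * 200 + ["No"] * 77))
    print("NIST CSF:", nist_csf_score(sample_nist_answers()),
          f"({nist_csf_bar_percent(sample_nist_answers()):.1f}% implemented on the bar chart)")
    print("C2M2:", c2m2_score(SAMPLE_C2M2, SAMPLE_C2M2_WEIGHTS))
```

Note the gating order in the C2M2 sample: the MIL2 practice in objective B-1 is answered FI yet earns nothing because a MIL1 practice in the same objective is PI, and the FI-answered MIL3 practice in B-2 is blocked by its PI-answered MIL2 sibling. Every score is rounded only after the weighted sum, as the page describes for the dashboard.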
Ransomware Assessment
The maximum score is 1000 points. The point values for each control were determined by analyzing big game hunting ransomware events in conjunction with Axio partners to prioritize controls.
Partial Credit
Partial credit is available in all assessment models. Use the partial credit button when, for example, action items have been completed but the next implementation level has not yet been reached. Partial credit records progress toward compliance or toward the next maturity level. Refer to Applying Partial Credit.