As a company or department works through a security assessment, the team members performing it must decide on the current state of each domain, category, and practice. The different security models use different answer scales to indicate the level of implementation achieved.
The assessment team members must reach consensus, not complete agreement, when providing the answers. Remember to drill down when finding consensus, and record notes documenting why a particular answer was given, especially if there was initial disagreement. Discussion is encouraged to reach a consensus:
- How is the practice (subcategory) performed?
- Who performs it?
- Is it performed consistently throughout the organization, only in pockets, or overall very inconsistently?
| 4-point answer scale | The organization's performance of the practice described in the subcategory is … |
|---|---|
| Fully implemented | Complete. The practice is performed as described in the subcategory. |
| Largely implemented | Complete. The practice is performed as described in the subcategory, but with recognized improvement opportunities that are not material for achieving framework, organizational, or critical infrastructure objectives. |
| Partially implemented | Incomplete. The implementation of the practice, as described in the subcategory, is incomplete, and there are recognized improvement opportunities for achieving framework, organizational, or critical infrastructure objectives. |
| Not implemented | Absent. The organization does not perform the practice. |
There are 108 CSF subcategories, and each has the same weight in the overall score. Answers are weighted: full credit is given to FI (Fully Implemented), 0.8 credit to LI (Largely Implemented), and 0.2 credit to PI (Partially Implemented). The maximum score is 1000, and the final score shown on the dashboard is rounded. For the NIST CSF bar chart on the dashboard, 100% implementation credit is given for LI and FI, and 0% is given for NI and PI.
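The following is an added example, not code from the article or from Axio, that applies the NIST CSF scoring rules above to a constructed set of 108 answers. It assumes NI earns no credit (the text only lists credits for FI, LI and PI) and that the dashboard rounds the score to a whole point; it also shows how the bar-chart percentage can diverge from the point score because PI earns 0.2 credit in one and 0% in the other.

```python
# Credit per answer on the 4-point scale, as stated in the article.
# NI earning zero credit is an assumption implied by the text.
CREDIT = {"FI": 1.0, "LI": 0.8, "PI": 0.2, "NI": 0.0}
SUBCATEGORY_COUNT = 108   # number of NIST CSF subcategories, from the article
MAX_SCORE = 1000          # maximum overall score, from the article


def csf_score(answers):
    """Overall dashboard score: every subcategory weighs the same, each
    answer contributes its credit, and the total is scaled to 1000 points.
    Rounding to a whole point is an assumption; the article only says the
    displayed score is rounded."""
    if len(answers) != SUBCATEGORY_COUNT:
        raise ValueError(f"expected {SUBCATEGORY_COUNT} answers, got {len(answers)}")
    unknown = set(answers) - set(CREDIT)
    if unknown:
        raise ValueError(f"unknown answer values: {sorted(unknown)}")
    raw = sum(CREDIT[a] for a in answers) / SUBCATEGORY_COUNT * MAX_SCORE
    return round(raw)


def csf_bar_chart_percent(answers):
    """Bar-chart implementation percentage: FI and LI count as 100%
    implemented, PI and NI as 0%, rounded to one decimal place."""
    implemented = sum(1 for a in answers if a in ("FI", "LI"))
    return round(100 * implemented / len(answers), 1)


# Constructed sample assessment: 50 FI, 30 LI, 20 PI, 8 NI (108 answers).
SAMPLE_ANSWERS = ["FI"] * 50 + ["LI"] * 30 + ["PI"] * 20 + ["NI"] * 8

if __name__ == "__main__":
    # 50*1.0 + 30*0.8 + 20*0.2 = 78 credit -> 78/108*1000 = 722
    print("overall score:", csf_score(SAMPLE_ANSWERS))
    # 80 of 108 answers are FI or LI -> 74.1%
    print("bar chart:", csf_bar_chart_percent(SAMPLE_ANSWERS), "%")
```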
A group of original authors (who happened to be Axio employees) determined the relative weight of each C2M2 domain toward an overall score of 1000 points. In the overall score, incomplete MIL1 practices (NI or PI) block implementation credit for related MIL2 practices at the objective level. Similarly, incomplete MIL2 practices (NI or PI) block implementation credit for related MIL3 practices at the objective level. Additionally, answers are weighted: full credit is given to FI (Fully Implemented), 0.8 credit to LI (Largely Implemented), and 0.2 credit to PI (Partially Implemented).
The maximum score is 1000 points. The point values for each control were determined by analyzing big game hunting ransomware events in conjunction with Axio partners to prioritize controls.