11. Designing Measurement
ND545 C4 L2 07 Designing Measurement Video
Besides acting as a conduit between the organization and security, governance professionals play an important role in measuring the effectiveness of operational security controls. They measure whether controls are functioning as expected. Governance is not initially concerned with how the control came to be, that is, with the risk management decision or compliance requirement the control is intended to address. Governance is concerned with the intended function of the control and whether the control meets that intent.
This is done by examining the control in function and in time. All controls have an intended function and an intended time at which they operate. Some controls are intended to operate constantly, while others are intended to operate at specific intervals. Take, for instance, a firewall. The firewall may perform a number of intended functions, but let’s look at one of them. Perhaps the firewall is meant to block all inbound traffic other than traffic on port 443. The time element isn’t specified, so we’ll assume it is intended to operate in the prescribed manner at all times. The function is that it blocks every inbound port except 443. What if the firewall allowed inbound traffic on ports 443 and 8080? It might meet our time element, but it fails the test of function.
This is how governance professionals should measure control effectiveness: discover the control’s intended function and time, then test to ensure that the control operates in that way.
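The function-and-time test described above, written out as an added example. This is not code from the course; it assumes a hypothetical edge-firewall intent (inbound 443 only, evidence expected every hour) and uses constructed probe records standing in for the results of an external port check. The first scenario is the one in the text (8080 reachable, so time is met but function fails); the second shows the other failure mode, where every observation is correct but there is no evidence for part of the assessment window, so the time element is not demonstrated.

```python
"""Control-effectiveness test: does a control do what it is intended to do
(function), when it is intended to do it (time)?

Added example, not course material. The firewall intent, cadence values and
probe records below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ControlIntent:
    name: str
    # Function: the only inbound ports that may be reachable from outside.
    allowed_inbound_ports: frozenset
    # Time: how often we expect evidence that the control was operating.
    # A control meant to run constantly gets the probe cadence; a control
    # meant to run at intervals (e.g. a weekly scan) gets that interval.
    cadence: timedelta


@dataclass(frozen=True)
class Probe:
    """One piece of evidence: at time `at`, was `port` reachable from outside?"""
    at: datetime
    port: int
    reachable: bool


@dataclass
class Result:
    function_ok: bool
    time_ok: bool
    findings: list


def evaluate_control(intent, probes, window_start, window_end):
    """Test the control against its intent over [window_start, window_end)."""
    findings = []

    # Function: every observation must match the intended behaviour.
    for p in sorted(probes, key=lambda x: x.at):
        permitted = p.port in intent.allowed_inbound_ports
        if p.reachable and not permitted:
            findings.append(f"function: {p.at:%Y-%m-%d %H:%M} port {p.port} "
                            f"reachable but not permitted")
        elif not p.reachable and permitted:
            findings.append(f"function: {p.at:%Y-%m-%d %H:%M} permitted port "
                            f"{p.port} was blocked")
    function_ok = not any(f.startswith("function") for f in findings)

    # Time: each cadence slot inside the assessment window needs evidence.
    # No evidence does not mean the control failed, but it does mean its
    # operation at that time has not been demonstrated.
    times = sorted(p.at for p in probes)
    slot = window_start
    while slot < window_end:
        slot_end = min(slot + intent.cadence, window_end)
        if not any(slot <= t < slot_end for t in times):
            findings.append(f"time: no evidence between {slot:%Y-%m-%d %H:%M} "
                            f"and {slot_end:%Y-%m-%d %H:%M}")
        slot = slot_end
    time_ok = not any(f.startswith("time") for f in findings)

    return Result(function_ok, time_ok, findings)


# Hypothetical intent: block all inbound except 443, evidence expected hourly.
EDGE_FIREWALL = ControlIntent("edge firewall: inbound 443 only",
                              frozenset({443}), timedelta(hours=1))
WINDOW_START = datetime(2024, 1, 1, 0, 0)
WINDOW_END = WINDOW_START + timedelta(hours=4)


def firewall_function_failure():
    """Constructed evidence: 8080 becomes reachable at 02:00.
    Time element met, function not met."""
    probes = []
    for h in range(4):
        t = WINDOW_START + timedelta(hours=h)
        probes.append(Probe(t, 443, True))
        probes.append(Probe(t, 8080, t.hour == 2))
    return evaluate_control(EDGE_FIREWALL, probes, WINDOW_START, WINDOW_END)


def firewall_time_gap():
    """Constructed evidence: correct behaviour whenever observed, but nothing
    was checked between 01:00 and 03:00. Function met, time not demonstrated."""
    probes = []
    for t in (WINDOW_START, WINDOW_START + timedelta(hours=3)):
        probes.append(Probe(t, 443, True))
        probes.append(Probe(t, 8080, False))
    return evaluate_control(EDGE_FIREWALL, probes, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for r in (firewall_function_failure(), firewall_time_gap()):
        print(f"function_ok={r.function_ok} time_ok={r.time_ok}")
        for f in r.findings:
            print("  ", f)
```

The two dimensions are deliberately scored separately: a finding on function means the control does the wrong thing, while a finding on time means the assessor has no evidence for that interval, which is a gap in measurement rather than proof of failure and usually calls for more frequent checks rather than a control change.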