13. Measurement and Reporting
Measurement
ND545 C4 L2 08 Measurement And Reporting Part 1
Reporting
ND545 C4 L2 09 Measurement And Reporting Part 2
Earlier in the course, we discussed the importance of GRC in mitigating potential security breaches. Measuring the effectiveness of controls is a critical part of that equation. Many organizations have hundreds of security controls, and the failure or misconfiguration of a single one can have a devastating impact.
This also means, however, that you must decide how best to test controls with limited resources and limited time. A control should be measured both in function (does it do what it is supposed to do?) and in time (is it still doing so at the required frequency?), but you must also weigh the factors that limit how comprehensively you can test. Your testing budget, the time available, organizational strategy, and the purpose of the test should all inform the design of an appropriate test.
A control test can take any form you choose, limited only by the considerations above and by the need to measure the specific function and time interval the control requires. Keep in mind that assessing security controls should produce concrete benefits for the organization. Control measurement should be performed in an effort to:
- Assess existing security tools
- Improve the organization’s security posture
- Meet certain compliance obligations
It is important to record each control measurement activity: the test performed, when it was performed, and the outcome. This documentation is also the basis for meeting with internal stakeholders to develop plans of action and milestones (POA&Ms) for remediation when controls are found not to be functioning as anticipated.
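As an added illustration (not part of the course material), the following Python sketch shows one way to keep the record described above: every test is logged with what was done, when, and the outcome; each control is then assessed in function (did the latest test pass?) and in time (is the latest test older than the control's required interval?), and anything not passing becomes a POA&M line with a remediation milestone. The control identifiers, descriptions, dates, and the 30-day remediation window are constructed sample data, not values from the course.

```python
"""Control measurement register.

Hypothetical example: records control tests and flags controls that
fail in function (last test failed) or in time (last test older than
the required re-test interval), then produces POA&M items.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class ControlTest:
    test_name: str    # what was done, e.g. "attempt VPN login without MFA"
    tested_on: date   # when it was done
    passed: bool      # outcome
    notes: str = ""   # evidence reference: ticket, screenshot path, etc.


@dataclass
class Control:
    control_id: str
    description: str
    interval_days: int                 # how often the control must be re-tested
    tests: list = field(default_factory=list)

    def latest(self):
        """Most recent recorded test, or None if never tested."""
        return max(self.tests, key=lambda t: t.tested_on) if self.tests else None


def record_test(control, test_name, tested_on, passed, notes=""):
    """Append one measurement activity to the control's history."""
    control.tests.append(ControlTest(test_name, tested_on, passed, notes))


def assess(controls, today):
    """Classify each control by function (pass/fail) and time (overdue).

    A control can be both failing and overdue; it is 'passing' only when
    its latest test passed and is within the required interval.
    """
    result = {"passing": [], "failing": [], "overdue": [], "untested": []}
    for c in controls:
        last = c.latest()
        if last is None:
            result["untested"].append(c.control_id)
            continue
        age = (today - last.tested_on).days
        if not last.passed:
            result["failing"].append(c.control_id)
        if age > c.interval_days:
            result["overdue"].append(c.control_id)
        if last.passed and age <= c.interval_days:
            result["passing"].append(c.control_id)
    return result


def build_poam(controls, today, remediation_days=30):
    """Turn every non-passing control into a POA&M item with a milestone."""
    status = assess(controls, today)
    items = []
    for c in controls:
        reasons = []
        if c.control_id in status["untested"]:
            reasons.append("never tested")
        if c.control_id in status["failing"]:
            reasons.append("last test failed: " + c.latest().test_name)
        if c.control_id in status["overdue"]:
            age = (today - c.latest().tested_on).days
            reasons.append(f"last tested {age} days ago, interval is {c.interval_days}")
        if reasons:
            items.append({
                "control_id": c.control_id,
                "description": c.description,
                "weakness": "; ".join(reasons),
                "milestone": today + timedelta(days=remediation_days),
            })
    return items


# Constructed sample data; identifiers and dates are illustrative only.
TODAY = date(2024, 6, 1)


def sample_controls():
    mfa = Control("CTL-01", "MFA enforced on VPN", 90)
    record_test(mfa, "login with password only is rejected",
                date(2024, 5, 20), True, "ticket SEC-101")
    backup = Control("CTL-02", "Backups restorable", 30)
    record_test(backup, "restore file server from latest backup",
                date(2024, 5, 25), False, "restore failed, checksum mismatch")
    firewall = Control("CTL-03", "Firewall rule set reviewed", 90)
    record_test(firewall, "review rule set against change log",
                date(2024, 1, 15), True)
    logs = Control("CTL-04", "Weekly log review performed", 7)  # never tested
    return [mfa, backup, firewall, logs]


if __name__ == "__main__":
    print(assess(sample_controls(), TODAY))
    for item in build_poam(sample_controls(), TODAY):
        print(item["control_id"], "|", item["weakness"], "| due", item["milestone"])
```

The register keeps the full test history per control rather than only the latest result, so the report can show both the current state and how long a control has been in that state, which is what stakeholders need when agreeing on milestones.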