Use this scoring model to assess your risk management activities in the DAI-IRSA surveys. The model is intended to assist you in identifying:

  • gaps in your information risk management practices
  • actions you can take to improve your information risk management program

  • This practice has not been implemented or we don’t know if it has been implemented for our division or unit.

    For quantifiable controls: requires 0-9% coverage.

  • This practice has been partially implemented in our division or unit, however major aspects of its implementation remain and there are significant outstanding issues identified in some combination of:

    • coverage across departments
    • coverage across information systems
    • defined processes and responsibilities
    • resources for staffing & budget
    • tools to automate or support effective management

    For quantifiable controls: requires 10-49% coverage.

  • This practice is mostly, but not fully implemented in our division or unit; minor, outstanding issues remain in some combination of:

    • coverage across departments
    • coverage across information systems
    • defined processes and responsibilities
    • resources for staffing & budget
    • tools to automate or support effective management

    For quantifiable controls: requires 50-74% coverage.

  • This practice is fully implemented across our division or unit, with no outstanding issues and evidence* to demonstrate:

    • coverage across departments
    • coverage across information systems
    • defined processes and responsibilities
    • resources for staffing & budget
    • tools to automate or support effective management

    For quantifiable controls: requires 75-100% coverage.

    *NOTE: It is not a requirement to provide evidence for a self-assessment; however, ensuring you have evidence and an understanding where you may have gaps will help you develop a resilient and comprehensive information risk management program. Evidence that may demonstrate effective management of a particular process will depend on the specific practice and the tools used.

    Examples:

    • Documented procedures
    • Reports and dashboards
    • Configuration files and system settings
    • Employee lists and job descriptions
    • Signed approvals or agreements
    • User or account lists and permission settings
    • Data and system asset inventories

  • The practice is fully implemented across our division or unit with no outstanding issues and the following additional process management practices:

    • Appropriately resourced for staffing and budgets
    • Tools are leveraged to provide metrics
    • Process(es) are regularly reviewed for effectiveness based on measurable objectives
    • Process(es) are updated and enhanced based on impact and effectiveness metrics

    NIST Special Publication 800-55: Performance Measurement Guide for Information Security

    This guide provides useful background, metrics and templates for key information security capabilities.

    For quantifiable controls: requires 75-100% coverage.

  • The question or the risk area is not applicable to our unit or division.

  • The risk area is managed by another unit in the University.

    See the related training video on the DAI-IRSA website here.