Use this scoring model to assess your risk management activities in the DAI-IRSA surveys. The model is intended to assist you in identifying:

  • gaps in your information risk management practices
  • actions you can take to improve your information risk management program

This practice has not been implemented or we don’t know if it has been implemented for our division or unit.

For quantifiable controls: requires 0-9% coverage.

This practice has been partially implemented in our division or unit, however major aspects of its implementation remain and there are significant outstanding issues identified in some combination of:

  • coverage across departments
  • coverage across information systems
  • defined processes and responsibilities
  • resources for staffing & budget
  • tools to automate or support effective management

For quantifiable controls: requires 10-49% coverage.

This practice is mostly, but not fully implemented in our division or unit; minor, outstanding issues remain in some combination of:

  • coverage across departments
  • coverage across information systems
  • defined processes and responsibilities
  • resources for staffing & budget
  • tools to automate or support effective management

For quantifiable controls: requires 50-74% coverage.

This practice is fully implemented across our division or unit, with no outstanding issues and evidence* to demonstrate:

  • coverage across departments
  • coverage across information systems
  • defined processes and responsibilities
  • resources for staffing & budget
  • tools to automate or support effective management

For quantifiable controls: requires 75-100% coverage.

*NOTE: It is not a requirement to provide evidence for a self-assessment; however, ensuring you have evidence and an understanding where you may have gaps will help you develop a resilient and comprehensive information risk management program. Evidence that may demonstrate effective management of a particular process will depend on the specific practice and the tools used.

Examples:

  • Documented procedures
  • Reports and dashboards
  • Configuration files and system settings
  • Employee lists and job descriptions
  • Signed approvals or agreements
  • User or account lists and permission settings
  • Data and system asset inventories

The practice is fully implemented across our division or unit with no outstanding issues and the following additional process management practices:

  • Appropriately resourced for staffing and budgets
  • Tools are leveraged to provide metrics
  • Process(es) are regularly reviewed for effectiveness based on measurable objectives
  • Process(es) are updated and enhanced based on impact and effectiveness metrics

NIST Special Publication 800-55: Performance Measurement Guide for Information Security

This guide provides useful background, metrics and templates for key information security capabilities.

For quantifiable controls: requires 75-100% coverage.

The question or the risk area is not applicable to our unit or division.

The risk area is managed by another unit in the University.

See the related training video on the DAI-IRSA website here.