Use this scoring model to assess your risk management activities in the DAI-IRSA surveys. The model is intended to assist you in identifying:
- gaps in your information risk management practices
- actions you can take to improve your information risk management program
- This practice has not been implemented, or we don't know if it has been implemented, for our division or unit.
  For quantifiable controls: requires 0-9% coverage.
- This practice has been partially implemented in our division or unit; however, major aspects of its implementation remain, and there are significant outstanding issues identified in some combination of:
  - coverage across departments
  - coverage across information systems
  - defined processes and responsibilities
  - resources for staffing & budget
  - tools to automate or support effective management
  For quantifiable controls: requires 10-49% coverage.
- This practice is mostly, but not fully, implemented in our division or unit; minor outstanding issues remain in some combination of:
  - coverage across departments
  - coverage across information systems
  - defined processes and responsibilities
  - resources for staffing & budget
  - tools to automate or support effective management
  For quantifiable controls: requires 50-74% coverage.
- This practice is fully implemented across our division or unit, with no outstanding issues and evidence* to demonstrate:
  - coverage across departments
  - coverage across information systems
  - defined processes and responsibilities
  - resources for staffing & budget
  - tools to automate or support effective management
  For quantifiable controls: requires 75-100% coverage.
*NOTE: It is not a requirement to provide evidence for a self-assessment; however, ensuring you have evidence and an understanding of where you may have gaps will help you develop a resilient and comprehensive information risk management program. The evidence that demonstrates effective management of a particular process will depend on the specific practice and the tools used.
Examples:
- Documented procedures
- Reports and dashboards
- Configuration files and system settings
- Employee lists and job descriptions
- Signed approvals or agreements
- User or account lists and permission settings
- Data and system asset inventories
- The practice is fully implemented across our division or unit with no outstanding issues and the following additional process management practices:
  - Appropriately resourced for staffing and budgets
  - Tools are leveraged to provide metrics
  - Process(es) are regularly reviewed for effectiveness based on measurable objectives
  - Process(es) are updated and enhanced based on impact and effectiveness metrics
  See NIST Special Publication 800-55, Performance Measurement Guide for Information Security; this guide provides useful background, metrics and templates for key information security capabilities.
  For quantifiable controls: requires 75-100% coverage.
- The question or the risk area is not applicable to our unit or division.
- The risk area is managed by another unit in the University.
See the related training video on the DAI-IRSA website.