Control Self Assessment
The way control self assessment is being done at our client's organization is as follows.
1. In every assessment year, HIGH-criticality business applications are selected for control self assessment. The same is the case with devices and facilities as well.
2. Each asset has three types of controls: common controls, application-specific controls, and hybrid controls.
3. Each asset would have multiple controls.
4. Control owners are supposed to answer the questions pertaining to their controls for that asset.
5. On the basis of the responses, a risk rating is calculated.
My issue:
1. Let's say the client has two data centers, DC1 and DC2. 5 physical security controls are in place for both the DCs. This scenario would be translated in Archer like this: 5 Control Procedure records, 2 Facility records (DC1 and DC2). The 5 Control Procedure records will be tagged to both of the Facility records (DC1 and DC2).
Now CSA happens on DC1. Let's say CP1 (the first control) failed and the rest (CP2, 3, 4 and 5) passed. So one finding will be generated and, as per the calculation, CP1 will be NON-Compliant. As of now, CSA for DC2 hasn't been started. But as CP1 is common to both facilities, when the DC2 manager opens the facility record, he would see Control Procedure 1 as non-compliant. But this is true for DC1.
Bottom line is, when controls (control procedures) are common to multiple assets and control self assessment is done, how can we show a control failing or passing on a per-asset basis?
2. The client wants control owners to answer the questions on the assessment. In real life one asset would be tagged to multiple Control Procedure records, and multiple owners would come into the picture. How can an assessment be triggered to that many control owners?
The way we do it is that non-compliance / risk of assets is calculated from findings (and other parameters: threats, vulnerabilities, etc.). So when the question of the compliance of procedure CP1 is asked for DC1 through a questionnaire targeting DC1, a finding would be attached to DC1 (and CP1).
When the question of compliance is asked for DC2, no findings would be raised for (tagged to) DC2.
So, in effect:
CP1 -> 1 Finding -> Not fully compliant (because of DC1)
DC1 -> 1 Finding -> Not fully compliant (finding due to CP1)
DC2 -> 0 Findings -> No compliance issue due to CP1
Findings can be used to drive the calculation of risk.
I think the work involved is linking the questions and the associated procedures. If the inbuilt questions from Archer (which are already linked) are sufficient, nothing like it.
Basically, for this scenario, you would have one questionnaire for CP1, and two targets DC1 and DC2. Both can be answered by the same owner.
I hope this at least partially answers what you were asking.
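One way to model the approach in this reply, as an added example that is not from the thread or from Archer itself: each finding carries both the facility and the control procedure, so a shared CP can be non-compliant for DC1 while DC2 still shows "Not Assessed". The class name CsaLedger and the status labels are assumptions.

```python
from dataclasses import dataclass

# Constructed sample data mirroring the thread: five shared control procedures,
# two facilities, and findings that carry BOTH the facility and the control.
CONTROLS = ["CP1", "CP2", "CP3", "CP4", "CP5"]
FACILITIES = ["DC1", "DC2"]


@dataclass(frozen=True)
class Finding:
    facility: str  # the asset the questionnaire targeted
    control: str   # the control procedure that failed there


class CsaLedger:
    """Hypothetical ledger of per-facility assessments and their findings."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []
        self.assessed: set[str] = set()

    def run_assessment(self, facility: str, responses: dict[str, bool]) -> list[Finding]:
        """Record one facility's CSA; each failed control becomes a finding
        tagged to that facility and that control, never to the control alone."""
        self.assessed.add(facility)
        new = [Finding(facility, c) for c, ok in responses.items() if not ok]
        self.findings.extend(new)
        return new

    def facility_view(self, facility: str) -> dict[str, str]:
        """What the facility manager sees: status of each control for this asset only."""
        if facility not in self.assessed:
            return {c: "Not Assessed" for c in CONTROLS}
        failed = {f.control for f in self.findings if f.facility == facility}
        return {c: "Non-Compliant" if c in failed else "Compliant" for c in CONTROLS}

    def control_view(self, control: str) -> dict[str, str]:
        """Cross-asset roll-up of one shared control: its status at every facility."""
        return {fac: self.facility_view(fac)[control] for fac in FACILITIES}


if __name__ == "__main__":
    ledger = CsaLedger()
    # DC1 assessed: CP1 fails, CP2-CP5 pass. DC2 has not been assessed yet.
    ledger.run_assessment("DC1", {"CP1": False, "CP2": True, "CP3": True,
                                  "CP4": True, "CP5": True})
    print("DC1:", ledger.facility_view("DC1"))
    print("DC2:", ledger.facility_view("DC2"))  # CP1 is Not Assessed here, not Non-Compliant
    print("CP1:", ledger.control_view("CP1"))
```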
How about adding Control Procedures per asset?
CP1.1 -> DC1
CP1.2 -> DC2
CP2.1 -> DC1
CP2.2 -> DC2
I think that's how we're going to handle this situation. Does anyone see any major problems with this approach and if so, any other suggestions?