For this part of the exercise we take a closer look at assessment reports and how to review them.
Reviewing Reports for an NIST CSF Assessment
1. Navigate to the HOL – Demo NIST CSF – Demo Corp Evaluation Assessment (select the card, rather than the hyperlink, to open the Assessment details).
Selecting the assessment card
Category Summary: This report shows the overall % score of this assessment for each category (e.g., ID.AM) within each function (e.g., ID) of the NIST CSF assessment, with each function's category bars color coded.
Assessment Score: These show an assessment from a past date, the current assessment, and a Target assessment. This is a useful visual for showing progress in each function (e.g., PR) and overall, both since the last assessment and against your target. Axio uses a scale of 1,000 so that even relatively small progress can be seen and reported more easily. Each function is color coded (e.g., DE is yellow).
Upcoming Targets: This lists action items and specific items from the NIST CSF assessment that are due, based on their target dates. Select the pop-out button to show Upcoming Targets on a separate page with more viewing space. The pop-out page view lets you see the target dates specified for achieving different aspects of the NIST CSF assessment, and the target maturity level for each.
Upcoming Targets page view
Benchmark Comparison: If you hover over each component of the box-and-whisker charts shown under Benchmark Comparison for each function of the NIST CSF assessment, you will see that they represent:
a. The 25th to 75th percentile of the benchmarked scores (others in your industry) on the top line.
b. The current score for this function (the blue dot) in the middle row.
c. The current target score for this function (the green dot) in the middle row.
d. The current target range for this function in the bottom row.
Maturity Over Time: If you hover over the chart, you will notice a "?" icon; clicking it shows this explanation:
Maturity Over Time explanation
- Action Items:
The Action Items list can also be viewed in pop-out page view mode to look at details and due dates.
Action Items page view with due date details
Reviewing Reports for a C2M2 Assessment
Because each assessment type measures security from a different angle, the charts shown for the C2M2 assessment are not all the same as those shown for the NIST CSF assessment. For this review we are using the HOL C2M2v2.1 – FS Client assessment report.
1. Navigate to the HOL C2M2v2.1 – FS Client assessment (select the card, rather than the hyperlink, to open the Assessment details).
The CSF and the C2M2 assessments have the following charts in common:
Maturity Over Time
The following charts differ:
MIL Completion by Domain: This chart shows, by Domain, the % of all practices at each MIL that are either Fully Implemented or Largely Implemented. The span of each bar represents 0 to 100% complete for that specific MIL.
Note: The NIST CSF assessment refers to Functions, Categories, and Subcategories. The C2M2 v2.1 uses Domains, Objectives, and Practices for the equivalent levels.
The acronym MIL stands for Maturity Indicator Level and ranges from MIL0 to MIL3.
Using the Aggregates Dashboard
Axio360 allows users to view a rollup of multiple assessments of the same type; it does not roll up assessments of different types together. This part of the exercise details how to use the Aggregates Dashboard.
1. To narrow down the list of assessments to just C2M2 Version 2.1, click the Filter icon in the top right corner of your current screen.
List of Assessment filter
2. From the filter module, select C2M2 Version 2.1.
3. Click Apply filters.
4. From the left tools menu, select Aggregates Dashboard.
Target Values are green.
Actual Values are blue.
Assessment Summary: The Assessment Summary stacks the assessments against each other so users can compare the score of each to the others, with the blue values again representing the actual values.
Domain Rollup: The Domain Rollup shows a series of box plots with the breakdown of scores across each domain among the selected assessments. At a high level, the scores represent the points achieved per domain out of the total possible. The boxes and whiskers indicate the minimum, maximum, median, and interquartile range of the scores. This is helpful when trying to quickly find cross-organizational areas of weakness across multiple assessments in a single organization. For example, the WM domain is particularly low across all 3 assessments compared to the industry median (the whiskers show the min and max values, so comparing a value to the whiskers is the best way to judge how well a company is doing in a given domain) and may be a good area to focus on in this case.
Aggregate Wheels: The Highest Aggregate, Lowest Aggregate, and Mode Aggregate wheels show, across all domains of the C2M2 v2.1, the highest, lowest, and mode (most frequently occurring) aggregate actual values (blue) and target values (green) among the assessments in the list.
Responses Chart: The Responses chart goes one level deeper than the Domain Rollup, showing the different score levels not just by domain but also by objective and practice, so a user can look for specific practices that need work across the organization. NI means Not Implemented, so looking for that value is a good way to find areas of weakness. In this case, for example, click NI to sort the results by Not Implemented from highest to lowest. This shows the practices with the highest % Not Implemented across the organization.
Not Implemented list
In this case, WM-2e, which corresponds to "Workforce Management – Cybersecurity awareness activities are tailored to job role", is partially implemented across the organization in both of the assessments of this type that we have, hence the value "100" in the "PI(%)" column. To see trends across an organization, Axio recommends looking at PI (Partially Implemented) after looking at Not Implemented.
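The two rollups described above, MIL Completion by Domain and the Responses chart's per-practice NI/PI percentages sorted highest to lowest, are simple aggregations you can reproduce from exported response data to cross-check the dashboard. The following Python is an added example, not code from the HOL page or from Axio360; the practice identifiers, their domain and MIL assignments, and the two assessments' responses are all constructed for illustration and do not reflect the real C2M2 v2.1 model or the HOL assessments.

```python
from collections import defaultdict

# Constructed practice catalogue (hypothetical): practice id -> (domain, MIL).
# The MIL assignments here are assumptions for the example, not the C2M2 model.
PRACTICES = {
    "ASSET-1a": ("ASSET", 1),
    "ASSET-1b": ("ASSET", 1),
    "ASSET-1c": ("ASSET", 2),
    "ASSET-1d": ("ASSET", 3),
    "WM-1a": ("WM", 1),
    "WM-2a": ("WM", 1),
    "WM-2d": ("WM", 2),
    "WM-2e": ("WM", 2),
    "WM-3a": ("WM", 3),
}

# C2M2-style response levels: Not / Partially / Largely / Fully Implemented.
RESPONSES = ("NI", "PI", "LI", "FI")
COMPLETE = {"FI", "LI"}  # levels that count toward MIL completion

# Two constructed assessments of the same type (practice id -> response).
ASSESSMENT_A = {
    "ASSET-1a": "FI", "ASSET-1b": "LI", "ASSET-1c": "PI", "ASSET-1d": "NI",
    "WM-1a": "FI", "WM-2a": "NI", "WM-2d": "NI", "WM-2e": "PI", "WM-3a": "NI",
}
ASSESSMENT_B = {
    "ASSET-1a": "FI", "ASSET-1b": "FI", "ASSET-1c": "LI", "ASSET-1d": "PI",
    "WM-1a": "LI", "WM-2a": "PI", "WM-2d": "NI", "WM-2e": "PI", "WM-3a": "NI",
}


def _response(assessment, pid):
    """Fetch one response, failing loudly on a missing or unknown value
    rather than silently counting it as NI or skipping it."""
    if pid not in assessment:
        raise KeyError(f"assessment has no response for practice {pid}")
    resp = assessment[pid]
    if resp not in RESPONSES:
        raise ValueError(f"practice {pid}: unknown response {resp!r}")
    return resp


def mil_completion_by_domain(assessment):
    """MIL Completion by Domain: for each (domain, MIL), the percentage of
    practices rated FI or LI. Returns {domain: {mil: percent}}."""
    totals = defaultdict(int)
    complete = defaultdict(int)
    for pid, (domain, mil) in PRACTICES.items():
        totals[(domain, mil)] += 1
        if _response(assessment, pid) in COMPLETE:
            complete[(domain, mil)] += 1
    out = defaultdict(dict)
    for (domain, mil), total in totals.items():
        out[domain][mil] = round(100.0 * complete[(domain, mil)] / total, 1)
    return dict(out)


def response_distribution(assessments):
    """Responses chart: for each practice, the percentage of the selected
    assessments answering at each level. Returns {practice: {level: pct}}."""
    if not assessments:
        raise ValueError("at least one assessment is required")
    out = {}
    for pid in PRACTICES:
        counts = {level: 0 for level in RESPONSES}
        for assessment in assessments:
            counts[_response(assessment, pid)] += 1
        out[pid] = {level: round(100.0 * n / len(assessments), 1)
                    for level, n in counts.items()}
    return out


def rank_by(distribution, level):
    """Practice ids sorted by the given level's percentage, highest first
    (ties broken by id), mirroring a click on the NI or PI column."""
    return sorted(distribution, key=lambda pid: (-distribution[pid][level], pid))


if __name__ == "__main__":
    for name, a in (("A", ASSESSMENT_A), ("B", ASSESSMENT_B)):
        print(f"Assessment {name} MIL completion:", mil_completion_by_domain(a))
    dist = response_distribution([ASSESSMENT_A, ASSESSMENT_B])
    for pid in rank_by(dist, "NI"):
        print(f"{pid:9s} NI {dist[pid]['NI']:5.1f}%  PI {dist[pid]['PI']:5.1f}%")
```

Run with the two constructed assessments, WM-2e comes out at 100% PI (both assessments answered Partially Implemented), and the NI ranking puts WM-2d and WM-3a first at 100%, which is the same "sort by NI, then look at PI" reading the HOL recommends. The `_response` helper refuses to proceed on a missing or unrecognised answer, since quietly treating a gap as Not Implemented would skew the very percentages you are using to choose where to focus.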