During the past few years, we've been strategizing, controlling, and managing threats and vulnerabilities. In many cases, management has spent money based on our assertions about regulatory requirements and potential harm to our employees and customers. Assertions supported by media reports of data breaches and their aftermath. Now, however, executive managers (translate as signers of the checks) are beginning to ask questions, like what am I getting for my money? Why should I buy an additional control or replace an existing one? What did I get for my money, and how do all the controls serve to protect information assets? Why are there still gaps?
These are reasonable questions, questions asked of other departments when asking for dollars in the budget. So how does a security manager provide a picture of how all the pieces fit together? How does he or she assess, manage, and report on what’s been done, gaps, and steps to eliminate unnecessary control redundancy? I use a controls matrix.
The Controls Matrix
I haven't completely deserted the venerable network diagram when discussing controls with management. However, network diagrams don’t provide enough detailed information about how the various layers work together. It's hard to see and demonstrate coverage, gaps, and unnecessary redundancy. This is where the controls matrix adds value.
A controls matrix, as shown in Figure 1, allows a security manager to describe intended security strategy outcomes and how they’re met, or not met, by existing or proposed controls. In this example, the controls are listed down the left column with administrative, physical, and technical controls represented by columns. The aggregate column is your team's assessment of how well the controls meet control feature requirements overall.
Figure 1: Controls Matrix
A controls matrix template, in Excel 2007 format, is available for download. It contains suggestions for controls and control feature requirements you'll want to modify to represent your environment.
Using the matrix
The first step is extraction of required control features from the enterprise security strategy. (If you don’t have a strategy, it's time to create one.) These are listed in the first column. Next, identify the controls you already have in place, giving each its own column. Now you're ready to start filling in the blanks.
Start with the first control. Step down the column assessing whether the control meets the strategy-defined control features of each of the items listed in the first column. There are four possible results when assessing fit. Because color-coded presentations seem to work best, I assigned colors to each, as follows:
- Completely meets control feature requirements -- Green
- Partially meets control feature requirements -- Yellow
- Partially or completely meets control feature requirements, but not configured to do so -- Pink
- Does not meet any of the control feature requirements -- no shading
A complete row shaded red indicates no controls meet any requirements for the expected strategic outcome.
Once you complete all the columns, move to assessing the rows. The colors you inserted during each control assessment now show the extent to which you’re previous efforts have succeeded it reaching all strategy outcomes.
In some cases, two or more controls might provide partial protection, but together they meet all control feature requirements. In other situations, multiple controls might provide complete protection. One or more of these redundant controls might be eligible for retirement if other controls provide sufficient coverage. This process only works if members of the assessment team have a thorough knowledge of each of the controls. This is a good time to make sure subject matter experts exist, and they are ensuring optimal use of each control. In other words, they're ensuring maximum business value is realized.
When each row is assessed, the aggregate column contains flags for next steps. Any cell shaded with anything other than green indicates a gap. And as we saw earlier, rows with multiple greens might indicate unnecessary redundancy.
Before taking your matrix to management to ask for budget dollars to fill gaps, make sure you have taken steps to optimize previous spends. Eliminate unnecessary controls and be prepared to discuss these steps with management. Understand how remaining controls are optimized and what gaps are actually control weaknesses, not configuration misses.
Use the matrix as the details component of a security network diagram presentation. Once management understands that you've made every effort to maximize previous dollars spent, and that the gaps you’ve identified are not due to sloppy configuration management, you have a much better chance of convincing them that the right controls are identified and obtaining dollars in next year's budget. But budget isn't the only reason a controls matrix project is a good idea.
Our teams can easily fall into the trap of implementing "spot" solutions when a weakness is identified. This often results in a collection of partially configured controls with each addressing a specific threat or vulnerability. The controls matrix exercise is a good way to step back and make sense of what you’ve done over the past three or four years, strengthening the security controls foundation before moving forward.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.