Development and Operations: A Practical Guide


Three-tiered categorization



Date: 11.02.2023
1 Joe Vest, James Tubberville Red Team Development and Operations
Chris Crowley has proposed a simple yet highly effective concept for categorization using only three tiers. While this tiered structure was intended to be applied to security operations, it can be applied to virtually any concept.
A benefit of this model is that the categories focus on the ability to mitigate rather than on risk. By nature, this provides an actionable plan to implement improvements. Let's review and understand this concept by starting with the tier categories. Each tier is defined based on the relative ease of applying a mitigation to the observation or finding.
Tiered Matrix

| Category | Rating |
|---|---|
| 1 | The correction is readily available in the environment but has not been implemented or applied. |
| 2 | The correction or mitigation is readily available in the environment or public, but something such as policy, procedure, politics, contracts, training, etc. prevents implementation or application. |
| 3 | The correction or mitigation is not readily available in any industry or sector. Research or additional effort is required to investigate to determine a correction or mitigation plan. |
[Figure: Example diagram summarizing categories]
[Figure: Example snippet from a report showing how to use category rating]
Author’s Thoughts
Very few things should be labeled 3. There’s almost always an acceptable mitigation/workaround.
Many will likely be labeled 2. This should be cause for policy or process change and could be used to justify additional training.
Anything labeled 1 should be of great concern to the organization, division, or management. It often indicates a lack of effort.
It is important to note that this method of categorization requires open and effective communication between the Red Team and the organization. Internal Red Teams may have the organizational knowledge and experience required to categorize their observations. However, as most Red Teams (internal or external) are not typically part of the business function being assessed, categorization requires a collaborative review and discussion of each observation.
During Red Team reporting, this method can be used in conjunction with the Pyramid of Pain to illustrate how a specific correction impacts a threat's ability to perform nefarious actions. This knowledge can, in turn, be leveraged to create a prioritization of corrections or organizational modifications.
