Subcontrol 17.6 #34

Open
adammontville opened this issue Apr 9, 2019 · 1 comment
Labels
IG-1 Issue represents subcontrol that is part of Implementation Group 1

Comments

@adammontville
Owner

adammontville commented Apr 9, 2019

Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.

Measures

c_i_j = # of properly identified tasks by employee j in round i
TQ_i_j = # of total tasks for employee j in round i
n = # of total employees randomly picked
m = # of rounds
alpha = damping factor (more recent rounds will have higher weight) < 1

Metrics/KEI

TP Quality = ( SUM over j: 1 to n ( (SUM over i:0 to m-1 ( (c_i_j / TQ_i_j) * alpha^i ) ) / (SUM over i:0 to m-1 (alpha^i ) ) ) ) / n

Related to each of these "training" pieces. Seems that this should inform v8.0.0 of the controls. What are the characteristics of a security awareness program? How well are employees doing year over year against those tests?

@adammontville adammontville created this issue from a note in UNCC Collaboration (CIS Under Review) Apr 9, 2019
This was referenced Apr 9, 2019
@adammontville adammontville added the IG-1 Issue represents subcontrol that is part of Implementation Group 1 label Apr 16, 2019
@apiperCIS apiperCIS moved this from CIS In Progress to UNCC In progress in UNCC Collaboration Apr 25, 2019
@wmunyan wmunyan moved this from In progress to Not Started in UNCC Collaboration Jun 14, 2019
@adammontville
Owner Author

Inputs

  • List of workforce members
  • List of most recent completion date for this module of the security awareness training for each workforce member
  • Required frequency of training (at least annually)

Operations

  • For each workforce member in Input 1, check Input 2 to see if that workforce member's most recent completion date of this training module was within the time frame specified by Input 3 (if the workforce member is not listed in Input 2, assume the workforce member is not compliant). Generate a list of compliant workforce members (M1) and a list of non-compliant workforce members (M2).

Measures

  • M1: List of workforce members who have completed this security awareness training module within the specified time frame (compliant list)
  • M2: List of workforce members who have not completed this security awareness training module within the specified time frame (non-compliant list)
  • M3: Number of workforce members in the compliant list (M1)
  • M4: Number of workforce members in the non-compliant list (M2)
  • M5: Total number of workforce members in Input 1

Metrics

  • Coverage: M3 / M5

@adammontville adammontville moved this from Not Started to Accepted in UNCC Collaboration Jun 25, 2019
@wmunyan wmunyan moved this from Accepted to Spec In Progress in UNCC Collaboration Jun 25, 2019
@wmunyan wmunyan moved this from Spec In Progress to Spec Ready for Review in UNCC Collaboration Jun 25, 2019
@adammontville adammontville self-assigned this Sep 20, 2019
@adammontville adammontville moved this from Draft Spec Published to SHIP IT! in UNCC Collaboration Sep 20, 2019
@adammontville adammontville removed their assignment Sep 23, 2019
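
The following is an added example, not code from the issue or from the CIS project: it computes measures M1 to M5 and the Coverage metric from the Inputs/Operations comment, and the TP Quality metric from the opening comment. The function names, the sample data, the handling of future-dated completions, the lower bound on alpha, and the reading of round i = 0 as the most recent round are assumptions.

```python
from datetime import date, timedelta

def coverage(workforce, completions, max_age_days, today):
    """Split Input 1 into M1/M2 using Input 2 (completions) and Input 3 (max age)."""
    cutoff = today - timedelta(days=max_age_days)
    m1, m2 = [], []
    for member in workforce:
        done = completions.get(member)  # not listed in Input 2 -> non-compliant
        # Assumption: a completion date in the future is a data error, not compliance.
        if done is not None and cutoff <= done <= today:
            m1.append(member)
        else:
            m2.append(member)
    m5 = len(workforce)
    return {"M1": m1, "M2": m2, "M3": len(m1), "M4": len(m2), "M5": m5,
            "coverage": len(m1) / m5 if m5 else 0.0}

def tp_quality(results, alpha):
    """results[j] is a list of (c_i_j, TQ_i_j); assumption: i = 0 is the newest round."""
    if not 0 < alpha < 1:
        raise ValueError("alpha must satisfy 0 < alpha < 1")
    if not results:
        raise ValueError("need at least one sampled employee")
    total = 0.0
    for employee, rounds in results.items():
        if not rounds or any(tq <= 0 or not 0 <= c <= tq for c, tq in rounds):
            raise ValueError(f"bad round data for {employee}")
        weights = [alpha ** i for i in range(len(rounds))]
        weighted = sum((c / tq) * w for (c, tq), w in zip(rounds, weights))
        total += weighted / sum(weights)   # damped average for employee j
    return total / len(results)            # mean over the n sampled employees

# Constructed sample data (not from the issue).
WORKFORCE = ["alice", "bob", "carol", "dave"]
COMPLETIONS = {"alice": date(2019, 3, 1), "bob": date(2018, 6, 1),
               "dave": date(2019, 9, 20)}
ROUNDS = {"alice": [(4, 4), (2, 4)], "bob": [(1, 2), (1, 2)]}

if __name__ == "__main__":
    report = coverage(WORKFORCE, COMPLETIONS, 365, today=date(2019, 9, 20))
    print("non-compliant:", report["M2"], "coverage:", report["coverage"])
    print("TP Quality:", round(tp_quality(ROUNDS, alpha=0.5), 4))
```
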