What is the Diri Control Matrix?
The Diri control matrix (DCM) is a feature unique to our software. In short, the DCM is a security control visualisation tool that supports in-depth analysis of how well the security of a system is managed. The DCM is populated with data from the risk assessment and the treatment plan. The matrix is clickable and supports drill-down. The control matrix adds significant transparency to your security evaluation and lets you audit systems and organisations in a new way. You find it in the risk assessment dashboard, below the registration and assessment process.
A DCM summary illustrating the number of controls per class and their implementation status.
The control matrix shows how security controls are categorised and their implementation status. The categorisation follows established best practice and divides controls into three types and four classes. The DCM shows four kinds of information:
- X-axis: Control class, following the established best-practice classification of the Cybersecurity Framework (NIST CSF) functions:
- Identify is the class for treatments that develop the organisational understanding needed to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect and maintain is the class for treatments that safeguard and support the delivery of critical infrastructure services and protect assets (primarily probability-reducing measures).
- Detect is the class for treatments that identify the occurrence of a cybersecurity event.
- Respond and recover is the class for treatments that take action on a detected cybersecurity incident, and for developing and maintaining resilience plans and restoring any capabilities or services that were impaired by a cybersecurity incident.
- Y-axis (expanded view): Treatment type, which Diri divides into three categories:
- Physical controls are barriers in the physical domain, such as door locks, card readers, and fences.
- Technical controls are the technological barriers often associated with cybersecurity, such as firewalls, network monitoring, and encryption.
- Administrative controls are security policies, guidelines, routines, and organisational security measures.
- Uncategorised: Both DCM axes have an Uncategorised option that groups treatments that have not been assigned a class or type.
- The numbers inside each square are a fraction: the number of implemented treatments (numerator) over the total number of defined treatments (denominator).
- The pie chart ringing the numbers in each square breaks the treatments down by implementation status.
Analysis in the DCM
The summary is the first DCM view in the Risk Assessment Dashboard and is illustrated above. Studying the figure, we already obtain useful information about the assessed object. Firstly, Ø means that the square contains no data. One control is defined for Identify, but nothing in this class is implemented or planned. Only 6/31 protection measures are in place (green in the pie chart), although several are planned (orange) and ongoing (yellow). Only one detection measure is in place, while one is planned and another proposed. The Respond and recover results are read the same way. In summary, 8/41 measures are in place for this system.
We can expand the DCM to view more information about the treatments. At first glance, the fully expanded DCM contains a lot of information, but it is a handy tool for identifying gaps in the control chain:
A fully expanded DCM.
An interpretation and analysis of the DCM illustrated above:
All the treatments in the example have been categorised, so the Uncategorised squares are empty. Starting with the Identify class, we see one administrative security control. However, we know that the organisation is already using Diri for risk assessments, and Diri is categorised as an Identify control, so we can add it as a technical control together with an administrative routine for its use in the risk assessment.
The Protect and maintain class has 31 defined controls, but only 6 are implemented. The need for physical controls depends on location and hosting. Self-hosted systems must be physically secured at the appropriate level. For a cloud-based application, the service provider will often fulfil the physical security requirements, but these should still be written down as part of the contract.
Technical security controls are what is typically associated with cybersecurity. However, many technical controls require a matching administrative control, such as a routine for appropriate use. A typical example of this association is having plenty of technical detection controls in place, such as logging and monitoring, but no administrative control to routinely analyse the logs. In the expanded DCM such a gap shows up as a populated Technical square next to an empty Administrative square in the same class.
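To make the aggregation concrete, the script below reproduces the summary figures from the example above (1 Identify, 6/31 Protect and maintain, 1/3 Detect, 8/41 overall) from a flat treatment list and flags the gap just described: a class with technical controls but no administrative control. This is an added illustration, not Diri's own code or data format; the treatment record layout, the status names ("implemented", "ongoing", "planned", "proposed") and the split of the example's treatments across types are assumptions, and the sample data is constructed to match the page's totals.

```python
from collections import Counter, defaultdict

# Axis labels as the page lists them; the last entry on each axis is the
# bucket for treatments with no class or type assigned.
CLASSES = ("Identify", "Protect and maintain", "Detect",
           "Respond and recover", "Uncategorised")
TYPES = ("Physical", "Technical", "Administrative", "Uncategorised")
IMPLEMENTED = "implemented"  # assumed status name for "in place" (green)


def normalise(value, allowed):
    """Map a treatment's class or type onto an axis label, else 'Uncategorised'."""
    return value if value in allowed else "Uncategorised"


def build_matrix(treatments):
    """Aggregate treatments into {(class, type): Counter(status -> count)}."""
    matrix = defaultdict(Counter)
    for t in treatments:  # each t is a dict with 'class', 'type', 'status'
        cell = (normalise(t.get("class"), CLASSES[:-1]),
                normalise(t.get("type"), TYPES[:-1]))
        matrix[cell][t["status"]] += 1
    return matrix


def cell_ratio(counter):
    """(implemented, defined): the numerator/denominator shown in a square."""
    return counter[IMPLEMENTED], sum(counter.values())


def class_summary(matrix):
    """Collapse the type axis: the summary view shows one ratio per class."""
    summary = {}
    for cls in CLASSES:
        merged = Counter()
        for typ in TYPES:
            merged.update(matrix.get((cls, typ), Counter()))
        summary[cls] = cell_ratio(merged)
    return summary


def overall(matrix):
    """(implemented, defined) across the whole matrix, e.g. 8/41 on the page."""
    merged = Counter()
    for counter in matrix.values():
        merged.update(counter)
    return cell_ratio(merged)


def technical_without_administrative(matrix):
    """Classes with technical controls but no administrative one (e.g. logging
    and monitoring in place, but no routine for log analysis)."""
    gaps = []
    for cls in CLASSES[:-1]:
        tech = sum(matrix.get((cls, "Technical"), Counter()).values())
        admin = sum(matrix.get((cls, "Administrative"), Counter()).values())
        if tech and not admin:
            gaps.append(cls)
    return gaps


def render(matrix):
    """Text rendering of the expanded matrix; Ø marks a square with no data."""
    rows = ["%-15s" % "" + "".join("%22s" % c for c in CLASSES)]
    for typ in TYPES:
        cells = []
        for cls in CLASSES:
            counter = matrix.get((cls, typ))
            cells.append("Ø" if not counter else "%d/%d" % cell_ratio(counter))
        rows.append("%-15s" % typ + "".join("%22s" % c for c in cells))
    return "\n".join(rows)


# Constructed sample: (class, type, status, count). Totals match the page's
# example; the per-type split and the Respond and recover numbers are assumed.
SAMPLE_COUNTS = [
    ("Identify", "Administrative", "proposed", 1),
    ("Protect and maintain", "Physical", "planned", 3),
    ("Protect and maintain", "Technical", "implemented", 4),
    ("Protect and maintain", "Technical", "ongoing", 5),
    ("Protect and maintain", "Technical", "planned", 7),
    ("Protect and maintain", "Technical", "proposed", 2),
    ("Protect and maintain", "Administrative", "implemented", 2),
    ("Protect and maintain", "Administrative", "ongoing", 3),
    ("Protect and maintain", "Administrative", "planned", 5),
    ("Detect", "Technical", "implemented", 1),
    ("Detect", "Technical", "planned", 1),
    ("Detect", "Technical", "proposed", 1),
    ("Respond and recover", "Administrative", "implemented", 1),
    ("Respond and recover", "Administrative", "planned", 3),
    ("Respond and recover", "Technical", "proposed", 2),
]
SAMPLE_TREATMENTS = [
    {"name": f"{cls}/{typ}/{status}#{i}", "class": cls, "type": typ, "status": status}
    for cls, typ, status, n in SAMPLE_COUNTS for i in range(n)
]

if __name__ == "__main__":
    m = build_matrix(SAMPLE_TREATMENTS)
    print(render(m))
    print("summary:", class_summary(m), "overall:", overall(m))
    print("technical without administrative:", technical_without_administrative(m))
```

Running it prints the expanded matrix with Ø in the empty squares, the per-class ratios of the summary view, 8/41 overall, and `['Detect']` as the class where technical detection exists without an administrative routine. Feeding it a treatment with no class or type lands that treatment in the Uncategorised row or column instead of being silently dropped, which is the behaviour a reviewer wants so that unassigned treatments stay visible.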
We can click on a square in the DCM to drill down: