Entity Implementation at granular levels
10-23-2023 01:54 AM
I would like to understand how people are using controls down to the server and application level.
Our controls are set at the Enterprise level. So, for example, our Vulnerability Remediation control is set to the actual process.
How are people dropping the controls down to the server level or application level without being overwhelmed by the number of entities? I would estimate 30k+.
I am thinking common controls or indicators at this point, but would welcome feedback on how others have done it.
Thanks in advance.
11-16-2023 09:33 AM
Hi David,
If you are an enterprise-class customer, you are very likely not going to be able to have controls at the server level; you will simply be overwhelmed, unless that server is extremely important and should have its own controls.
Server: Better to look at controls for that server class (e.g. Unix Server), or at the parent Application or Service/Offering to which this server is linked.
Applications: You probably should have fewer apps than servers, and I would also suggest that you use the dot-walked prioritisation to choose those apps that are most significant to the business via the service criticality.
Testing artefacts:
- Use common, vanilla, Control Attestations to minimise design work for more populous targets
- Use Key Control Indicator/templates (with as vanilla a design as possible, while still delivering desired outcomes, so can be reused)
Key takeaways are:
- Be realistic about the number of work items you're generating
- Prioritise well
- Only use KCIs where you have to
hth
r
------------
Please mark my post as helpful/correct if it is so, in order to help others.
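The sizing argument in the answer above (attach controls to server classes or applications rather than to individual servers, and pick applications by dot-walked service criticality) can be checked on a small CMDB-style extract. The following is an added example and not code from either poster or from the GRC product; the server names, classes, applications and criticality values are constructed sample data, and the scoping levels and the "one work item per control per entity" assumption are the example's own simplification of how attestation work items would multiply.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

@dataclass(frozen=True)
class Server:
    name: str
    server_class: str   # CI class, e.g. "Unix Server"
    application: str    # parent application service the server is linked to
    criticality: int    # dot-walked service criticality: 1 = most critical

# Constructed sample CMDB extract (hypothetical names and values, not real data)
SERVERS: List[Server] = [
    Server("unix-db-01",    "Unix Server",    "Payments",  1),
    Server("unix-db-02",    "Unix Server",    "Payments",  1),
    Server("win-app-01",    "Windows Server", "Payments",  1),
    Server("unix-web-01",   "Unix Server",    "Intranet",  3),
    Server("win-file-01",   "Windows Server", "Intranet",  3),
    Server("win-file-02",   "Windows Server", "Intranet",  3),
    Server("unix-batch-01", "Unix Server",    "Reporting", 2),
]

# Controls that would be applied at whatever level is chosen (constructed list)
CONTROLS: List[str] = ["Vulnerability Remediation", "Privileged Access Review"]

def scope_entities(servers: Iterable[Server], level: str) -> Set[str]:
    """Entities a control would be attached to at the chosen scoping level."""
    if level == "server":
        return {s.name for s in servers}
    if level == "class":
        return {s.server_class for s in servers}
    if level == "application":
        return {s.application for s in servers}
    raise ValueError(f"unknown scoping level: {level}")

def work_items(servers: Iterable[Server], controls: List[str], level: str) -> int:
    """Attestation work items generated, assuming one item per (control, entity)."""
    return len(controls) * len(scope_entities(servers, level))

def application_criticality(servers: Iterable[Server]) -> Dict[str, int]:
    """Roll each application's criticality up from its servers (most critical wins)."""
    crit: Dict[str, int] = {}
    for s in servers:
        crit[s.application] = min(crit.get(s.application, s.criticality), s.criticality)
    return crit

def prioritised_applications(servers: Iterable[Server], max_criticality: int) -> List[str]:
    """Applications at or above the criticality threshold, most critical first."""
    crit = application_criticality(servers)
    chosen = [app for app, c in crit.items() if c <= max_criticality]
    return sorted(chosen, key=lambda app: (crit[app], app))

def servers_covered(servers: Iterable[Server], applications: List[str]) -> Set[str]:
    """Servers that inherit control coverage from the selected applications."""
    wanted = set(applications)
    return {s.name for s in servers if s.application in wanted}

if __name__ == "__main__":
    for level in ("server", "class", "application"):
        print(f"{level:>12}: {work_items(SERVERS, CONTROLS, level)} work items")
    apps = prioritised_applications(SERVERS, max_criticality=2)
    print("priority apps:", apps)
    print("servers covered via those apps:", sorted(servers_covered(SERVERS, apps)))
```

Run stand-alone it prints the work-item count for each scoping level, so the same comparison can be made against a real export (7 servers here versus the 30k+ in the question) before any control is designed; the criticality threshold is the lever for the "prioritise well" point, and anything not covered by the selected applications is a candidate for a class-level control rather than its own entity.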