Does your organization allow individuals to create their own estimates of impact and scope for security assessments or risk evaluations?
Explanation
Consistency in how impact and scope are sized is the concern here, specifically whether individuals are allowed to produce their own estimates for assessments without standardized guidance or oversight. Allowing individuals to create their own estimates can lead to inconsistent risk assessments, subjective prioritization, and potentially overlooked security concerns due to varying expertise levels and perspectives.
Evidence of compliance could include documented risk assessment methodologies, templates with standardized impact and scope criteria, peer review processes for estimates, or governance procedures that require validation of individual estimates by security teams or committees.
Implementation Example
A person creates their own estimates of impact and scope
ID: DE.AE-04.298
Context
- Function
- DE: DETECT
- Category
- DE.AE: Adverse Event Analysis
- Sub-Category
- The estimated impact and scope of adverse events are understood
Related questions
- Has your organization established and maintained a baseline of network operations and expected data flows for users and systems?
- Does your organization use SIEM or similar tools to continuously monitor log events for malicious and suspicious activity?
- Does your organization integrate current cyber threat intelligence feeds into your log analysis and monitoring tools?
- Does your organization conduct regular manual reviews of log events for systems that cannot be adequately monitored through automated means?
- Does your organization utilize log analysis tools to generate actionable reports from log data?
- Does your organization centralize log data by continuously transferring logs from multiple sources to a consolidated set of log servers?

