Adequacy of Existing Controls
The 'adequacy' score is intended to give an insight into the operational effectiveness of the existing systems for managing security risk. This assessment does not, however, audit the individual controls in detail beyond identifying any security weaknesses that present themselves.
Existing controls are considered in terms of three parameters (policy, assurance and compliance) to develop a qualitative assessment of their adequacy.
Taking an average of the three (policy, assurance, compliance) can provide an overall rating of effectiveness.
The following scoring system can provide a qualitative assessment of the adequacy of existing security controls against perceived risk. Note: A score of 5 might suggest the possibility of diverting costs or resources elsewhere while still achieving adequate risk management in this area.
If you assess each control against the three criteria (Policy, Assurance and Compliance) using the above 1 to 5 rating system, you can take an average of the three scores to produce a 'Control Effectiveness' rating.
Equally, you could choose to use the lowest of the three scores. So if a particular control (e.g. Security Policy, induction training, Threat Assessment Procedure, boomgate systems, or whatever) scores 4 for Policy and 4 for Assurance but only 2 for Compliance, you might choose to rate it as a '2' because that is the weakest link in the chain. Or you might average the three to produce a rating of 3.33.
It isn't all that important which method you use (average or lowest) so long as you are a) consistent and b) understand the limitations of such a process. Those limitations include the subjectivity of the assessors, and the way an average can mask a severe weakness in a single parameter. For example, a control which scores 5 for Assurance and 5 for Compliance but only 1 for Policy has an average score of 3.7. But no matter how well people comply with it, and however much assurance you have about how it is applied, if the policy itself is truly poor then the control could well be a massive vulnerability.
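The two rating methods above, with the weak-link check the last paragraph calls for, as an added worked example (this is not the page's own scoring tool; the control names, the two-decimal rounding and the threshold of 2 used to flag a weak parameter are assumptions):

```python
from dataclasses import dataclass
from statistics import mean

# Added example: rate controls against Policy, Assurance and Compliance on
# the page's 1..5 scale, using either the average or the lowest score, and
# separately flag any single parameter that is weak enough to be a concern
# regardless of the overall rating. Threshold and control names are assumed.
PARAMETERS = ("policy", "assurance", "compliance")
WEAK_LINK_THRESHOLD = 2  # assumption: a parameter at or below 2 is a weak link


@dataclass(frozen=True)
class ControlRating:
    name: str
    policy: int
    assurance: int
    compliance: int

    def scores(self):
        """Scores in the same order as PARAMETERS."""
        return (self.policy, self.assurance, self.compliance)


def validate(rating):
    """Reject scores outside the 1..5 rating system before they are combined."""
    for param, score in zip(PARAMETERS, rating.scores()):
        if not isinstance(score, int) or not 1 <= score <= 5:
            raise ValueError(f"{rating.name}: {param} score {score!r} is outside 1..5")


def effectiveness(rating, method="average"):
    """Control Effectiveness rating: mean of the three scores, or the lowest one."""
    validate(rating)
    if method == "average":
        return round(mean(rating.scores()), 2)
    if method == "lowest":
        return min(rating.scores())
    raise ValueError(f"unknown method {method!r}; use 'average' or 'lowest'")


def weak_links(rating, threshold=WEAK_LINK_THRESHOLD):
    """Parameters scoring at or below the threshold, i.e. what an average can hide."""
    validate(rating)
    return [p for p, s in zip(PARAMETERS, rating.scores()) if s <= threshold]


def assess(controls, method="average", threshold=WEAK_LINK_THRESHOLD):
    """Rate every control with the SAME method (consistency) and list weak links."""
    return [
        {
            "control": c.name,
            "effectiveness": effectiveness(c, method),
            "weak_links": weak_links(c, threshold),
        }
        for c in controls
    ]


if __name__ == "__main__":
    # Constructed sample ratings, including the two cases discussed in the text.
    sample = [
        ControlRating("Threat Assessment Procedure", policy=4, assurance=4, compliance=2),
        ControlRating("Security Policy", policy=1, assurance=5, compliance=5),
        ControlRating("Induction training", policy=3, assurance=3, compliance=3),
    ]
    for method in ("average", "lowest"):
        print(f"--- method: {method}")
        for row in assess(sample, method=method):
            flag = f"  WEAK: {', '.join(row['weak_links'])}" if row["weak_links"] else ""
            print(f"{row['control']:<30} {row['effectiveness']:>5}{flag}")
```

Run with a single method for the whole assessment so the ratings stay comparable; the weak-link column is what makes the 1-for-Policy case visible even when the average of 3.67 looks acceptable.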