Cybersecurity controls are evaluated to determine whether they are designed appropriately and are operating as intended to mitigate identified cyber risks
Context and Guidance: Cybersecurity control effectiveness should be evaluated by comparing the intended outcome of cybersecurity controls to the actual outcome. The organisation may use performance metrics or other defined indicators to identify cybersecurity controls that are not designed appropriately. For example, if a biometric authentication device has a high false negative rate and exceptions are made for personnel access, the configuration of the control should be evaluated to determine if tuning is necessary to improve performance of the device.
Related Practices
• Input From: Implementing ARCHITECTURE-1g provides input that may be useful for implementing this practice.
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RISK-3b, RISK-3c, RISK-4c, RISK-4d.