# Assurance Reporting

Assurance Reporting is a [[Control Verification]] capability. Assurance reporting enhances transparency, accountability, and trustworthiness in security capabilities by offering an objective evaluation of the organization's security posture, control performance, and remaining risks. Reports are generated on an ongoing basis so that the organization understands its risk at any given point in time, and they build a feed of potentially exploitable weaknesses that monitoring can watch for signs of adversary activity.

## Map

<!-- element style="width:90%; height:auto" -->
```mermaid
graph TD
    Top[[Cybersecurity]] --- D[[Control Verification]]
    D --- D.1[[Attack Surface Enumeration]]
    D --- D.2[[Resilience Testing]]
    D --- D.3[[Risk Prioritization]]
    D --- D.4[[Remediation Management]]
    D --- D.5[[Assurance Reporting]]

    %% Class Definitions
    %% =====================
    class Top,A,A.1,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6 internal-link,font-color:white;

    class Top cssClassL0;
    classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white;

    class A,B,C,D,E cssClassL1;
    classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white;

    class A.1,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6 cssClassL2;
    classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white;

    class D.5 cssClassCurrent;
    classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```

## Definition

>[!success] Definition
>Assurance reporting is the process of providing stakeholders with an assessment of the reliability and effectiveness of an organization's processes and controls in maintaining adversary resilience.
## Goals

>[!cm-goal] Goal 1
>**Transparency:** Provide stakeholders with insight into the organization's security posture and control performance to support response activities.

>[!cm-goal] Goal 2
>**Accountability:** Hold teams and individuals accountable for resolving risks quickly and for maintaining security standards that support the cyber resilience of the organization's assets.

>[!cm-goal] Goal 3
>**Trustworthiness:** Establish confidence in the securability and cyber resilience of the organization by demonstrating its commitment to cybersecurity.

>[!cm-goal] Goal 4
>**Decision-Making:** Equip decision-makers with reliable information to make informed choices regarding risk management, resource allocation, and strategic planning.

>[!cm-goal] Goal 5
>**Continuous Improvement:** Identify areas for enhancement and optimization through regular assessments and feedback loops, leading to the refinement of security measures and processes over time.

## Scope

## Process

1. Scoping
2. Evidence Collection
3. Analysis
4. Reporting
5. Action Planning

## Metrics

>[!cm-metric] Metric: [[% Securability by Asset Category]]

>[!cm-metric] Metric: [[% of Controls not Operating within Established Thresholds]]

>[!cm-metric] Metric: [[Total Number of Policy Violations]]

>[!cm-metric] Metric: [[% of Compliance with Standards]]

>[!cm-metric] Metric: [[% of Evaluated Controls with Findings]]

>[!cm-metric] Metric: [[% of Incidents related to a known vulnerability]]

## Inspiration & Resources

+ [Stop Using "SLA" When Discussing Vulnerabilities (linkedin.com)](https://www.linkedin.com/pulse/stop-using-sla-when-discussing-vulnerabilities-jacob-williams-i0uae/)

## [Cyber City Map](https://cybercitymap.com/)

© 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.