Understanding control coverage and control checks

This article gives you an overview of Panaseer control coverage, what it means for a Device to be covered by a control and a step-by-step guide that helps you create your control coverage Dashboard.

Checking the coverage of your security controls

Control coverage is the term used to describe how well your security controls cover your Devices. For example, if we say that your vulnerability scanner covers 50% of your Devices, it means that it is scanning 50% of your Devices.

Control coverage can be defined in many ways, and the value of control coverage metrics will vary. For example, you could determine the control coverage of your AV tool as follows:

  • The Device is covered if it has the AV tool installed.
  • The Device is covered if it has ever had a record in the AV tool.
  • The Device is covered if it has had a record in the AV tool in the last 14 days.

The logic we use to define control coverage within the Panaseer platform is configured via Control Checks. For each data source or Control that you'd like to measure the coverage of, we create a specific Control Check to define what that means. Every coverage Control Check has three distinct pieces of logic:

| Piece of logic | Description |
| --- | --- |
| Expected | The first piece of logic defines the set of Devices that are expected to be covered by your control. |
| Seen | The second piece of logic defines what it means for a Device to be 'seen' by the control. |
| Recently | The third piece of logic defines how recently a Device needs to have been 'seen' by the control for us to consider it covered. |

A control covers a Device if it is expected to be covered and has been seen by the Control recently (i.e., the Device passes all three pieces of logic). 

Control checks - the codification of a policy

A control check serves as a measurable, automated test that translates or "codifies" a specific cybersecurity policy into actionable checks. Essentially, it takes a policy, such as ensuring that all devices have up-to-date antivirus software, and turns it into a series of programmed rules or conditions that the platform can verify across the organization's assets, checking each asset and flagging whether it passes or fails the check.

By codifying policies into control checks, Panaseer enables continuous, automated monitoring that quickly identifies areas where security requirements may fall short, helping organizations maintain consistent compliance and improve their cybersecurity posture.

Control Check logic example

For your AV tool, your Control Check logic might look like this:

[Figure: AV tool control check logic]

It is essential to understand this definition of control coverage, as it is the foundation of all coverage-based metrics you see on your Dashboards.

Several metrics are based on these coverage Control Checks, for example:

  • Devices expected in a source - The number of Devices that pass the 'Expected' logic.
  • Number of Devices missing from a source - The number of Devices that pass the 'Expected' logic but fail the 'Seen' or 'Recently' logic.
  • Percentage of Devices missing from a source - The percentage of Devices that are missing from a source, out of those that are expected in a source.

As you can see, to understand these metrics, you must first understand how your coverage Control Checks have been configured and the impact that the logic has on the definition of control coverage. The possible coverage categories are summarized in the following table:

| Coverage category | Expected | Seen | Recently | Description |
| --- | --- | --- | --- | --- |
| Covered | ✓ | ✓ | ✓ | Device is covered by the control, as expected. |
| Missing | ✓ | ✓ | ✗ | Device is missing from the control, as it is expected and has been seen, but not recently enough. |
| Missing | ✓ | ✗ | ✗ | Device is missing from the control, as it is expected but hasn't been seen. |
| Review | ✗ | ✓ | ✓ | Device has been seen by the control and is not expected. This should be reviewed as it indicates a configuration issue within the Control Check or your source system. |
| Review | ✗ | ✓ | ✗ | Device has been seen by the control and is not expected. This should be reviewed as it indicates a configuration issue within the Control Check or your source system. |
| Not covered | ✗ | ✗ | ✗ | Device is not covered by the control, as expected. |
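
The Expected / Seen / Recently logic, the coverage categories and the three metrics described above can be worked through in a short Python sketch. This is an added example, not Panaseer's code or Control Check syntax; the inventory, the evaluation date and the "Windows devices only" Expected rule are constructed assumptions, and the 14-day window is the AV definition mentioned earlier in the article.

```python
from datetime import date, timedelta

# Assumptions for this sketch (not Panaseer configuration):
RECENCY = timedelta(days=14)   # 'Recently': seen in the AV tool in the last 14 days
TODAY = date(2024, 6, 30)      # constructed evaluation date

# Constructed inventory: (device, os, last record in the AV tool or None)
INVENTORY = [
    ("lap-001", "windows", date(2024, 6, 28)),
    ("lap-002", "windows", date(2024, 5, 1)),
    ("lap-003", "windows", None),
    ("srv-001", "linux", date(2024, 6, 29)),
    ("srv-002", "linux", date(2024, 4, 2)),
    ("prn-001", "embedded", None),
]

def expected(os_name):
    # Hypothetical 'Expected' logic: the AV policy applies to Windows devices only.
    return os_name == "windows"

def classify(os_name, last_seen, today=TODAY):
    """Map one device to a coverage category from the table."""
    exp = expected(os_name)
    seen = last_seen is not None
    # 'Recently' can only pass when 'Seen' passes, which is why the table
    # has no row with Seen failed and Recently passed.
    recent = seen and (today - last_seen) <= RECENCY
    if exp:
        return "Covered" if recent else "Missing"
    return "Review" if seen else "Not covered"

def coverage_metrics(inventory, today=TODAY):
    """Compute the three coverage metrics over an inventory."""
    cats = {name: classify(os_name, seen, today) for name, os_name, seen in inventory}
    n_expected = sum(1 for c in cats.values() if c in ("Covered", "Missing"))
    n_missing = sum(1 for c in cats.values() if c == "Missing")
    # Guard against a Control Check whose 'Expected' set is empty.
    pct_missing = 100.0 * n_missing / n_expected if n_expected else 0.0
    return {"categories": cats, "expected": n_expected,
            "missing": n_missing, "pct_missing": pct_missing}

if __name__ == "__main__":
    result = coverage_metrics(INVENTORY)
    for device, category in result["categories"].items():
        print(f"{device}: {category}")
    print(f"expected={result['expected']} missing={result['missing']} "
          f"pct_missing={result['pct_missing']:.1f}%")
```

Changing only the `expected` rule or the `RECENCY` window changes every metric derived from it, which is why the configured logic has to be understood before reading the Dashboard figures.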
