Control Health and Effectiveness Rating (CHER) Procedure
This is a Controlled Document
In line with GitLab’s regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.Purpose
Control Health and Effectiveness Ratings (CHER) determine a GitLab Security Controls overall control health and effectiveness.
Scope
Observation risk ratings play a key role in determining how to establish a controls CHER. The procedures outlined in the sections below are used specifically by the Security Assurance Team once an observation’s risk rating is determined. Team members utilizing the CHER for rating information system risks outside of control testing activities will not need to engage in the procedures below.
Procedure
Determining the Individual Control Health & Effectiveness Rating (CHER)
Risk rating and determining effectiveness
The importance of risk rating each control observation comes into play when making a final determination on how to establish a control’s Control Health & Effectiveness Rating (CHER). CHER ratings on a sliding scale outside of the typical effective/ineffective rating used for compliance, allow for clearer communication and prioritization with broader audiences outside of compliance functions and allows non-compliance stakeholders the ability to view how observations impact the control environment.
CHER provides a qualitative value of a control’s effectiveness that is used as an input for various processes within the Risk Management Program. When needing to report to management, these quantitative values are translated to qualitative terms: Fully Effective, Substantially Effective, Partially Effective, Largely Ineffective, Ineffective. Refer to the CHER Quantitative vs. Qualitative Terms and Definitions Table below for a mapping of CHER to its definition and the related qualitative term and definition. Use the rating determined by completing the observation risk rating with likelihood and impact scores and applying that risk rating into the table below (i.e if a control has 1 low risk observation per the Observation Risk Rating table, the CHER for that control would be a 2 (Substantially Effective)).
CHER Quantitative vs. Qualitative Terms and Definitions (For individual controls)
| Quantitative Value | Quantitative Definition | CHER Qualitative Term | Qualitative Definition |
|---|---|---|---|
| 1 | The control has no outstanding HIGH, MODERATE, or LOW risk observations open. | Fully Effective | Nothing more to be done except review and monitor existing controls. Controls are well designed for the risk, and address the root causes. Management believes they are effective and reliable at all times. |
| 2 | There are no outstanding HIGH or MODERATE risk observations associated with the control, but there are some LOW risk observations that are open | Substantially Effective | Most controls are designed correctly and in place and effective. Some more work to be done to improve operating effectiveness or there are doubts about operational effectiveness and consistent reliability. |
| 3 | There are no outstanding HIGH risk observations associated with the control, but there is a single open MODERATE (below 9 rating) risk observation and any number of LOW risk observations. | Partially Effective | Design of controls is largely correct and they treat most of the root causes of the risk, however they are not currently operating very effectively. |
| 4 | There are no outstanding HIGH risk observations associated with the control, but there are multiple open MODERATE (below 9 rating) risk observations OR a single open MODERATE risk observation with a 9 rating. There can be any number of LOW risk observations. | Largely Ineffective | Significant control gaps. Either controls do not treat root causes or they do not operate at all effectively. |
| 5 | There are outstanding HIGH risk observations associated with the control. | Ineffective | Practically no credible control. Management has almost no confidence that any degree of control is being achieved due to poor control design or very limited operational effectiveness. |
| 0 | The control is not yet implemented. | Control Not Implemented | Control is not implemented and this is expected. This is different from a control gap because of the awareness around the control and the intentional exclusion of the control from being a key control in the environment. There are other sufficient controls to secure the environment in place. |
Quantitative vs. Qualitative Terms and Definitions
CHER is assigned on a control by control basis but in instances where we want to report on control family effectiveness, the CHER for each of the individual underlying controls in a control family can be averaged to provide a more holistic view. Refer to the Control Family Effectiveness Rating Table below for a mapping of averaged CHERs to the qualitative term and definition that can be used to report on control family health/effectiveness. Note that when using this table the final average of CHER values should be rounded up to the nearest quantitative value to determine the CHER for the control family (i.e if average of all CHER’s equals 2.3, the final CHER for the control family would be rounded up to a 3).
Control Family Effectiveness Rating Table
| Quantitative Value | Control Family Effectiveness Rating Qualitative Term | Qualitative Definition |
|---|---|---|
| 1 | Fully Effective | Nothing more to be done except review and monitor the existing controls. Controls are well designed for the risk, and address the root causes. Management believes they are effective and reliable at all times. |
| 2 | Substantially Effective | Most controls are designed correctly and are in place and effective. Some more work to be done to improve operating effectiveness or management has doubts about operational effectiveness and reliability. |
| 3 | Partially Effective | While the design of controls may be largely correct in that they treat most of the root causes of the risk, they are not currently operating very effectively. |
| 4 | Largely Ineffective | Significant control gaps. Either controls do not treat root causes or they do not operate at all effectively. |
| 5 | Ineffective | Virtually no credible control. Management has no confidence that any degree of control is being achieved due to poor control design or very limited operational effectiveness. |
Exceptions
The process of completing control assessments will always require an associated CHER rating. There are no exceptions to this process.
References
- System Risk Scoring
- GCF Control Lifecycle
- Sarbanes-Oxley (SOX) Compliance
- Observation Creation Procedure
- Observation remediation Procedure]
- Observation Management Project
Contact
If you have any questions or feedback about the observation management process please contact the GitLab Security Assurance Team
3fb9ff9f)
