Question 4: Did we do a good job?
As you continue with your system’s development or sustainment process, threat model in hand, your team can make use of a variety of approaches to evaluate the success of your Q3 mitigations.
System Improvements
The first approach reflects the degree to which your threat model has informed the development of your system.
For systems still in development, identify design decisions influenced by your threat modeling analysis.
For systems already deployed, identify actionable outcomes where changes to your infrastructure may take place due to your threat modeling analysis.
Alternatively, your team may call for a security assessment, in which an internal or external team evaluates or probes your system to determine its security and whether the controls you’ve deployed across your system are effective. While these sources of feedback, and others, can be drawn upon with varying degrees of complexity, the most effective means of evaluating your mitigations is a secondary review.
Secondary Review
When performing periodic reevaluations, your team should ask key questions and review associated metrics to ensure that implemented controls are reviewed and, if needed, updated to maintain their effectiveness and their currency with organizational objectives. The purpose of a secondary review is to reassess your threat model, determine the remaining risks, and identify what additional defensive actions need to be taken. Some valuable questions include:
Are your existing risk ratings correct? Should they be changed given new theoretical or evidence-based findings?
Does your team have the right composition? Are you looping in stakeholders with a diverse range of backgrounds and perspectives?
What additional changes have been made to your system since the last review? Does your existing model accurately reflect their state of deployment?
Are the same critical assets being used to accomplish the system’s purpose? Have certain security controls become obsolete or redundant?
There are existing processes or data sources you can leverage to answer these questions. Perhaps your organization has a process for system risk acceptance, or you actively track system patches and compliance metrics. These can all inform your secondary review and give you the answers you need. From this secondary review, you’ll be able to ensure that your mitigations are sufficiently tailored to your system as it evolves with time.
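One way to make the secondary-review questions above answerable from tracked data is to keep the threat model itself as structured records and check them against the current asset inventory. The following is an added example, not code from the guide; the Threat and Control fields, the review categories and the sample model are assumptions chosen to mirror the questions in this section.

```python
from dataclasses import dataclass

# Added example: a threat model kept as data so the secondary-review
# questions can be answered mechanically. Field names, categories and
# the sample model below are assumptions, not taken from the guide.

@dataclass(frozen=True)
class Threat:
    id: str
    asset: str        # critical asset the threat acts on
    rating: str       # risk rating given at the last review
    controls: tuple   # ids of Q3 mitigations applied to this threat

@dataclass(frozen=True)
class Control:
    id: str
    description: str

def secondary_review(threats, controls, current_assets, changed_assets):
    """Flag model entries a reviewer must revisit.

    current_assets: assets the system still uses to accomplish its purpose
    changed_assets: assets modified since the last review (subset of current)
    """
    live = [t for t in threats if t.asset in current_assets]
    in_use = {c for t in live for c in t.controls}
    return {
        # Is the risk rating still correct? Changed assets need re-rating.
        "rerate": sorted(t.id for t in live if t.asset in changed_assets),
        # Does the model reflect deployment? Threats on assets no longer used.
        "retired": sorted(t.id for t in threats if t.asset not in current_assets),
        # Live threats that reached this review with no mitigation at all.
        "unmitigated": sorted(t.id for t in live if not t.controls),
        # Have controls become obsolete? Controls no live threat relies on.
        "obsolete_controls": sorted(c.id for c in controls if c.id not in in_use),
    }

# Constructed sample model (not a real system).
THREATS = (
    Threat("T1", "auth-service", "high", ("C1", "C2")),
    Threat("T2", "auth-service", "medium", ("C2",)),
    Threat("T3", "legacy-ftp", "high", ("C3",)),
    Threat("T4", "billing-db", "high", ()),
)
CONTROLS = (
    Control("C1", "MFA on admin logins"),
    Control("C2", "rate limiting on /login"),
    Control("C3", "FTP restricted to internal VLAN"),
    Control("C4", "WAF rule set from 2019 review"),
)

if __name__ == "__main__":
    result = secondary_review(THREATS, CONTROLS,
                              current_assets={"auth-service", "billing-db"},
                              changed_assets={"auth-service"})
    for category, ids in result.items():
        print(f"{category}: {', '.join(ids) or '-'}")
```

Feeding the asset sets from your patch tracking or risk-acceptance process turns each review question into a list of model entries to revisit rather than a judgement made from memory.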