produce a gap analysis report and remediation report. This is a reasonable method
and reasonably useful for smaller efforts. A major challenge is consolidating many
separate findings in a single, aggregate enterprise report. Any given gap analysis
may run to many tens of pages, and the accompanying remediation analysis may be
the same length. If there are many tens of sites, a purely subjective aggregate report
becomes confusing. The need to consolidate the findings from 20 different sites, each
with a 20-page gap report and a 20-page remediation report, can result in as many as
8,000 pages of raw reports, or more. Consolidating these findings in a single,
comprehensible, useful report is extremely difficult. A better approach is to add
objective quantification to assist in making sense of the consolidated findings.
8.4.1.2 Compliance Assessment: Objective (Quantification)
One solution for producing an aggregate enterprise report is assessment
quantification. Objectively quantifying subjective observations means that
compliance levels can be represented numerically. Although such numeric compliance
scores have no basis in legislation, consistent quantification provides useful,
internally relevant comparisons. The benefits of such quantification include:
- The initial score provides a baseline against which future assessments can be
  compared to objectively measure progress, stasis, or regression.
- Executive summaries may include an easily understood X% compliance level
  summary, including graphic depictions of:
  - top and bottom sites/divisions in compliance
  - compliance elements with the largest gaps across the enterprise
- Consistent results can be obtained from concurrent multiteam, multisite
  efforts.
- Assessors may make recommendations for intelligent resource allocation in
  remediation efforts, all based on measurable results rather than gut feel.
The compliance score reflects the level of compliance. Whatever scale is used, it
will be an artificial scale with no basis in inherent value and no meaning outside
the organization itself. A suggested compliance level scale is 0 for nothing, 4 for
full compliance, and partial compliance scores of 1 through 3, representing low,
medium, and high, respectively. This low-granularity quantification is more likely
to produce consistency across multiple assessors. A scale of higher granularity
(0 through 20), which attempts to quantify nuances of high compliance, often
produces inconsistent results. A simple guide as to what constitutes low, medium,
and high will help multiple assessors interpret findings in a consistent manner.
Consistency is important among the various sites or divisions for any given
assessment, as well as from one assessment to the next. Consistent results make it
possible to generate statistics and to track and trend over a series of assessments.
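As an added illustration of the 0 to 4 scale and the aggregate measures described above (example code, not from the book): a small Python script that rejects scores outside the agreed scale, computes the X% compliance level per site and across the enterprise, ranks the top and bottom sites, lists the compliance elements with the largest gaps, and compares a follow-up assessment against the baseline. The site names, element names and scores are constructed sample data.

```python
from collections import defaultdict

MAX_SCORE = 4  # scale from the text: 0 nothing, 1-3 low/medium/high partial, 4 full

# Constructed sample scores, {site: {compliance element: score}}, for a baseline
# assessment and a later follow-up assessment (assumed data, not from the book).
BASELINE = {
    "SiteA": {"access-control": 2, "logging": 1, "backup": 4, "awareness": 0},
    "SiteB": {"access-control": 4, "logging": 3, "backup": 2, "awareness": 1},
    "SiteC": {"access-control": 1, "logging": 0, "backup": 3, "awareness": 2},
}
FOLLOW_UP = {
    "SiteA": {"access-control": 3, "logging": 2, "backup": 4, "awareness": 1},
    "SiteB": {"access-control": 4, "logging": 3, "backup": 1, "awareness": 1},
    "SiteC": {"access-control": 2, "logging": 1, "backup": 3, "awareness": 2},
}

def validate(scores):
    """Reject any score outside the agreed 0..MAX_SCORE scale before aggregating."""
    for site, elements in scores.items():
        for element, s in elements.items():
            if not isinstance(s, int) or not 0 <= s <= MAX_SCORE:
                raise ValueError(f"{site}/{element}: score {s!r} is outside 0..{MAX_SCORE}")

def site_percent(elements):
    """X% compliance for one site: points achieved over points possible."""
    return 100.0 * sum(elements.values()) / (MAX_SCORE * len(elements))

def enterprise_percent(scores):
    """X% compliance across all sites, weighting every element equally."""
    achieved = sum(sum(e.values()) for e in scores.values())
    possible = MAX_SCORE * sum(len(e) for e in scores.values())
    return 100.0 * achieved / possible

def rank_sites(scores):
    """Sites ordered from most to least compliant (top and bottom of the list)."""
    return sorted(scores, key=lambda site: site_percent(scores[site]), reverse=True)

def element_gaps(scores):
    """Points short of full compliance per element, summed over all sites, largest first."""
    gap = defaultdict(int)
    for elements in scores.values():
        for element, s in elements.items():
            gap[element] += MAX_SCORE - s
    return sorted(gap.items(), key=lambda kv: (-kv[1], kv[0]))

def trend(baseline, follow_up):
    """Change in percent compliance per site: positive is progress, negative is regression."""
    return {site: site_percent(follow_up[site]) - site_percent(baseline[site])
            for site in follow_up if site in baseline}
```

Run validate() on every site's scores before aggregating, so that a stray value such as 5 from an assessor working on a different scale is caught rather than silently inflating the enterprise percentage.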