Gaining organizational effectiveness

The four key organizational governance steps to maximizing the value that is delivered by Risk are as follows:

Change management

Develop a tailored, dedicated change management process for risk management, taking into account the new capabilities provided by Tanium.

  • Update SLAs and align activities to key resources for risk management activities across IT Security, IT Operations, and IT Risk and Compliance.
  • Identify internal and external dependencies to your risk management process. For example, achieve effective integrations with Comply and Patch.
  • Designate change or maintenance windows for various risk management scenarios. For example, emergency patching versus general maintenance patching.
  • Create a Tanium steering group (TSG) for risk management activities, to expedite reviews and approvals of processes that align with SLAs.

RACI chart

A RACI chart identifies the team or resource that is Responsible, Accountable, Consulted, and Informed, and serves as a guideline to describe the key activities across the security, risk/compliance, and operations teams. Every organization has specific business processes and IT organization demands. The following table represents Tanium’s point of view for how organizations should align functional resources against risk management. Use the following table as a baseline example.

| Task | IT Security | IT Operations | IT Risk/Compliance | Executive | Rationale |
|---|---|---|---|---|---|
| Risk coverage of endpoints | C | A/R | C | - | The IT Operations team owns the Tanium platform and is accountable and responsible for the deployment of the Tanium agent, including the Risk module. Tanium agent coverage is essential to understand risk in the environment. IT Operations consults with the IT Security and IT Compliance teams on the coverage to identify gaps. |
| Identify and monitor business critical endpoints | A | R | C | I | The IT Security team monitors business critical endpoints to ensure actions can be taken to reduce risk. The IT Operations team identifies business critical assets and consults with the IT Compliance team to ensure accurate identification of those business critical endpoints. The Executive team is informed to monitor risk. |
| Monitor the risk score for the enterprise | A/R | R | R | C | The IT Security team monitors the risk score for the enterprise so that action can be taken if the risk score is too high. The IT Operations and IT Compliance teams define endpoint criticality, ensure Risk coverage, and take necessary actions to reduce the risk score over time. The Executive team is consulted on acceptable risk levels and the actions taken to reduce risk. |

[Figure: Risk work flow]

Organizational alignment

Successful organizations use Tanium across functional silos as a common platform for high-fidelity endpoint data and unified endpoint management. Tanium provides a common data schema that enables security, operations, and risk/compliance teams to assure that they are acting on a common set of facts that are delivered by a unified platform.

In the absence of cross-functional alignment, functional silos often spend time and effort litigating data quality instead of making decisions to improve risk management.

Operational metrics

Risk maturity

Managing a risk management program successfully includes operationalizing the technology and measuring success through key benchmarking metrics. The four key processes to measure and guide operational maturity of your Tanium Risk program are as follows:

| Process | Description |
|---|---|
| Usage | How and where Tanium Risk is used in your organization |
| Automation | How automated Tanium Risk and the underlying data collection is, across endpoints |
| Functional Integration | How integrated Tanium Risk is, across IT security, IT operations, and IT risk/compliance teams |
| Reporting | How automated Tanium Risk is and who the audience of risk score reporting is |

Benchmark metrics

In addition to the key processes, the four key benchmark metrics that align to the operational maturity of the Tanium Risk program to achieve maximum value and success are as follows:

| Executive Metrics | Risk Coverage | Risk Score | % of Optimal Endpoints |
|---|---|---|---|
| Description | Percentage of endpoints on which all risk vector scores were calculated in the last 30 days. | A numerical score that represents the overall risk of the enterprise based on data from every managed endpoint. | Percentage of endpoints where the Risk Coverage metric reports Risk as optimal. |
| Instrumentation | Uses the Risk client extensions status to confirm that endpoints are reporting risk scores as well as the Impact - Coverage Status, Reveal - Coverage Status, Comply - Coverage Status, and SSL Server Audit Tools Required sensors to determine the endpoints where Risk is optimal, needs attention, and unsupported. For more information about the states reported by this metric, see Monitor and troubleshoot Risk health. For supported endpoint operating systems, see Endpoints. | The following formula is used to calculate the risk score for each managed endpoint: (Risk Vectors x Endpoint Criticality) x (100% - Compensating Control %) = Endpoint Score | Uses the Risk Coverage metric to determine the number of endpoints that report Risk as optimal divided by the total endpoints on which risk vector scores were calculated in the last 30 days multiplied by 100. The Optimal status indicates that all necessary tools, configurations, and scans are installed and complete for an endpoint. For more information, see Risk Coverage. |
| Why this metric matters | If you are not including all endpoints in your risk assessment, you do not have a complete picture of the risk in your environment. | As you lower the risk score for your enterprise, you improve your compliance and risk posture. | If all endpoints are not in an optimal state, they might not be reporting complete data to Risk, and you do not have an accurate picture of the risk in your environment. |

Use the following table to determine the maturity level for Tanium Risk in your organization.

| Category | Item | Level 1 (Needs improvement) | Level 2 (Below average) | Level 3 (Average) | Level 4 (Above average) | Level 5 (Optimized) |
|---|---|---|---|---|---|---|
| Process | Usage | No dependent modules are configured, and endpoint criticality is left at the default values for all endpoints. | Core content and Comply are configured and feeding into Risk. | Core content, Comply and one additional dependent module are configured and feeding into Risk. | Core content, Comply, Impact and Reveal are configured and feeding into Risk, but not on all applicable endpoints. | Core content, Comply, Impact and Reveal are configured and feeding into Risk, and endpoint criticality is set for all applicable endpoints. |
| Process | Automation | Only manual, ad hoc compliance and vulnerability assessments in use for Comply. See Comply User Guide: Operational metrics. | Only manual, ad hoc compliance and vulnerability assessments in use for Comply. See Comply User Guide: Operational metrics. | Automated, recurring configuration compliance and vulnerability assessments for Comply. See Comply User Guide: Operational metrics. | Automated, recurring configuration compliance and vulnerability assessments for Comply. See Comply User Guide: Operational metrics. | Partially automated patching using Patch (>50% of patch deployment process automated). See Patch User Guide: Operational metrics. |
| Process | Functional integration | Risk installed, but dependent modules are not installed or configured | Core content and Comply are configured and feeding into Risk. | Core content, Comply and one additional dependent module are configured and feeding into Risk. | Core content, Comply, Impact and Reveal are configured and feeding into Risk. | Core content, Comply, Impact and Reveal are configured and feeding into Risk. |
| Process | Reporting | Manual; Reporting for Operators only | Manual; Reporting for Operators only | Automated; Reporting for Operators only | Automated; Reporting tailored to stakeholders ranging from Operator to Executive | Automated; Reporting tailored to stakeholders ranging from Operator to Executive; Drive business decisions using reports |
| Metrics | Risk Coverage | 0-49% | 50-69% | 70-94% | 95-98% | ≥99% |
| Metrics | Risk Score | 751-1000 | 501-750 | 501-750 | 251-500 | 0-250 |
| Metrics | % of Optimal Endpoints¹ | 0-69% | 70-79% | 80-89% | 90-98% | 99-100% |

¹ Endpoints have all applicable vectors collecting data