This page contains information to assist our customers with utilizing the Categorization feature in RegScale. It describes what it is, why you would use it, the benefits, and provides instructions on getting started.
The categorization feature is used to dynamically build out controls for a given system security plan or component based on the answers to a structured set of questions.
There are many reasons to use this feature which include:
- Completing steps 1 and 2 of the NIST Risk Management Framework (RMF) - Categorize and Select Controls
- Streamlined, simple, and consistent user experience for categorizing systems
- Applying a risk-based approach to tailoring control selection
This feature has multiple benefits for an organization, including:
- Improved quality through consistent application of controls based on a structured process
- Less manual data entry through a structured wizard approach
- Consistent data tagging to support data protection and Information Security (InfoSec)
- Less compliance work by tailoring control selection based on risk
Instructions for using this feature are provided below (NOTE: This feature is only available for Enterprise Edition (EE) customers):
Step 1: Build out the Categorization Engine
- From the Module menu, go to Regulators, and select Categorization Engine
- Click the "Create New" button
- Give the Engine a descriptive name (e.g. RMF Categorization Engine) (NOTE: You can build multiple categorization engines for different purposes, for example, one for RMF for security plans, another for 3rd party risk for vendors, and another for applications)
- Click the "Save" button on the toolbar to unlock the next step
- This portion of the engine will allow you to build a set of True/False questions
- If the answer to the question is "True", then the engine will apply the profile you selected (NOTE: you should pre-build the profiles you want to use before adding questions. See Security Profile Documentation)
- Continue building the questions for categorization and mapping them to controls until completed
- Each "True" answer layers in that profile's controls like a layer cake. If a control already exists in another layer, it will not be added twice.
- Once done, you are ready to apply the Categorization Engine as described below in Step 2
Step 2: Apply the Categorization Engine to a Component or Security Plan Module
- Select any Security Plan or Component and navigate to the data entry form for that record
- In the Utilities section on the left side, select the "Categorization" option
- Select the Categorization Engine that you wish to use
- Next, select the information types from the Classification system that will be part of this system. See Classification System Documentation
- Next, complete the assessment by answering the questions from the categorization engine. As you answer questions, it will tell you the total number of controls being applied based on the answers.
- Finally, review the answers to ensure they are accurate and press the "Finish" button (NOTE: the confirmation page will show the total number of unique controls based on the answers to the questions)
- A modal will pop up giving you the results from applying the categorization engine (# of new controls created, # of duplicate controls between profiles that were ignored, and # of controls that already existed on the record and were ignored)
- You will then be redirected to the main form where you will see the new controls in the Explorer navigation system
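The layering and de-duplication behaviour described in Steps 1 and 2 can be modelled as a simple set-union with bookkeeping. The following is an added illustration of that logic, not RegScale's own code; the question text, profile names, control identifiers and the counting convention are constructed assumptions.

```python
"""Model of the control layering described above: an added illustration, not RegScale's
code. Profile names, question text and control identifiers are constructed sample data."""


def apply_engine(questions, profiles, answers, existing):
    """Layer one profile per 'True' answer onto a record; each control is added once.

    questions: list of (question_text, profile_name); profiles: name -> set of control IDs;
    answers: question_text -> bool; existing: controls already on the record.
    Counting convention is an assumption: each control occurrence is classified once,
    checking the record first, then earlier layers.
    """
    created, seen, selected = set(), set(existing), set()
    duplicate_between_profiles = already_on_record = 0
    for text, profile in questions:
        if not answers.get(text, False):  # unanswered or False: layer not applied
            continue
        selected |= profiles[profile]  # union shown on the confirmation page
        for control in sorted(profiles[profile]):
            if control in existing:
                already_on_record += 1
            elif control in seen:
                duplicate_between_profiles += 1
            else:
                seen.add(control)
                created.add(control)
    return {
        "unique_selected": len(selected),  # confirmation page total
        "created": created,  # modal: new controls created
        "duplicate_between_profiles": duplicate_between_profiles,
        "already_on_record": already_on_record,
    }


# Constructed sample engine: three questions, each mapped to a pre-built profile.
PROFILES = {
    "Baseline": frozenset({"AC-1", "AC-2", "IA-2"}),
    "PII": frozenset({"AC-2", "IA-2", "MP-3"}),
    "Internet-Facing": frozenset({"AC-1", "SC-7", "SI-4"}),
}
QUESTIONS = [
    ("Is this a production system?", "Baseline"),
    ("Does the system store PII?", "PII"),
    ("Is the system reachable from the public internet?", "Internet-Facing"),
]
ANSWERS = {QUESTIONS[0][0]: True, QUESTIONS[1][0]: True, QUESTIONS[2][0]: False}
EXISTING = {"AC-1"}  # control already present on the security plan record

if __name__ == "__main__":
    print(apply_engine(QUESTIONS, PROFILES, ANSWERS, EXISTING))
```

With the sample answers, two layers are applied: AC-1 is skipped as already on the record, AC-2 and IA-2 are created from the first layer and then counted as duplicates when the PII layer repeats them, and MP-3 is created.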