Policy Set Enforcement Scores

The Policy Set Enforcement Score is a metric introduced in Elisity Cloud Control Center (CCC) to quantify and visualize how well policies are enforced within each Policy Set. By incorporating Policy Group Security Levels (PG Security Levels), this score enables organizations to assess their network's policy coverage, prioritize improvements, and align segmentation practices with the IEC 62443 standard.

A Policy Set represents the security policies applied to assets within a specific environment. The Policy Set Enforcement Score evaluates the extent and criticality of these policies across Policy Groups. It uses a weighted scoring model based on the assigned PG Security Levels, differentiating between Active and Simulated policies, and calculates an overall enforcement percentage.

This score provides a concise indicator of policy coverage for each Policy Set, empowering administrators to optimize their network segmentation and strengthen their security posture.


Core Concepts

Policy Group Security Levels (PG Security Levels)

PG Security Levels classify Policy Groups by their criticality, following IEC 62443 guidelines:

  • Level 1 (Low Impact): Minimal security requirements.
  • Level 2 (Medium Impact): Moderate security requirements.
  • Level 3 (High Impact): High security requirements.
  • Level 4 (Critical Impact): Highest security requirements.

Policy Groups can optionally have No Security Level assigned, in which case they are excluded from the score calculation.

Security Levels can be changed directly in the Policy Groups page by clicking the Security Level label and selecting the appropriate Security Level from the list.

For further instructions on how to view and assign Security Levels to Policy Groups, see this section of the Policy Groups article.

Impact of Security Levels on Enforcement Scores

Policy Groups of higher criticality carry more weight in the calculation of the Enforcement Score for a given Policy Set. This assists in determining the overall level of risk: a lack of policy coverage on critical assets lowers the enforcement score far more than the same gap on low-criticality assets.

UnassignedPG and InternetPG Groups are excluded by default as they do not have security level assignments.

Impact of Simulated vs. Enforced Policies on Enforcement Scores

Simulated policies are considered in the calculation of the Enforcement Score, but they carry less weight than enforced policies. This differentiation reflects the reduced level of protection provided by simulated policies, as they do not actively block or restrict access.

  • Enforced Policies: Enforced policies are given full weight in the score calculation, as they actively govern traffic between Policy Groups, ensuring security and compliance.

  • Simulated Policies: Simulated policies contribute 10% of the weight compared to enforced policies. This inclusion acknowledges the role of simulated policies in testing and validation but emphasizes the importance of transitioning to active enforcement for robust security.

By factoring simulated policies into the score, the system encourages iterative policy development and testing while highlighting areas where enforcement needs to be strengthened to mitigate risks. The algorithm used to determine the Policy Set Enforcement Score is outlined in the following section.

Enforcement Score Calculation Methodology

1. Assign Weights:

  • Each Policy Group is assigned a weight corresponding to its Security Level (1-4).
  • Groups with No Security Level are excluded.

    Security Level   Description                    Weight
    Level 1          Low Impact                     1
    Level 2          Medium Impact                  2
    Level 3          High Impact                    3
    Level 4          Critical Impact                4
    None             No Security Level Assigned     0


2. Calculate Cell Points:

For Active Policies:

Active Cell Points = (Weight of X Policy Group + Weight of Y Policy Group) / 2

For Simulated Policies:

Simulated policies are worth 10% of enforced policies (if every cell in the Policy Matrix were simulated, the enforcement score would be 10 out of 100).

Simulated Cell Points = [(Weight of X Policy Group + Weight of Y Policy Group) × 0.1] / 2

3. Aggregate Points:

Sum the points for all eligible, filled cells.

4. Normalize the Score:

Calculate the score as a percentage of filled cell points over the total potential points:

Policy Set Enforcement Score = (Sum of Points for Filled Cells / Sum of Points for All Eligible Cells) × 100
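The four steps above carried through in Python, as an added example rather than Elisity's own implementation. The Policy Groups, Security Levels and policies are constructed, and the example assumes a directional Policy Matrix in which every ordered (source, destination) pair of eligible groups, a group to itself included, is one cell.

```python
from itertools import product

# Assumption (not stated in the article): the matrix is directional, so every
# ordered (source, destination) pair of eligible groups, self-pairs included, is a cell.

# Step 1: the weight equals the Security Level; 0 marks "No Security Level".
LEVEL_WEIGHT = {0: 0, 1: 1, 2: 2, 3: 3, 4: 4}
SIMULATED_FACTOR = 0.1  # a simulated policy counts 10% of an enforced one
# Colour ranges from the article (upper bound inclusive).
BANDS = [(10, "Red"), (50, "Orange"), (75, "Yellow"), (100, "Green")]

# Constructed Policy Groups and their PG Security Levels.
GROUPS = {"PLC": 4, "HMI": 3, "Workstations": 2, "Printers": 1, "UnassignedPG": 0}

# Constructed policies: (source, destination) -> "active" | "simulated".
POLICIES = {
    ("PLC", "HMI"): "active",
    ("HMI", "PLC"): "active",
    ("PLC", "PLC"): "active",
    ("Workstations", "Workstations"): "active",
    ("Workstations", "HMI"): "simulated",
    ("Printers", "Workstations"): "simulated",
    ("UnassignedPG", "PLC"): "active",  # ignored: UnassignedPG has no level
}


def cell_points(groups, src, dst, mode="active"):
    """Step 2: (Wx + Wy) / 2, scaled by 0.1 if simulated; 0 if a group has no level."""
    wx, wy = LEVEL_WEIGHT[groups[src]], LEVEL_WEIGHT[groups[dst]]
    if wx == 0 or wy == 0:
        return 0.0
    return (wx + wy) * (SIMULATED_FACTOR if mode == "simulated" else 1.0) / 2


def enforcement_score(groups, policies):
    """Steps 3-4: filled-cell points over all eligible-cell points, as a percentage."""
    eligible = [g for g, level in groups.items() if level > 0]
    potential = sum(cell_points(groups, s, d) for s, d in product(eligible, repeat=2))
    filled = sum(cell_points(groups, s, d, mode) for (s, d), mode in policies.items())
    return 100.0 * filled / potential if potential else 0.0


def score_band(score):
    """Map a score to its colour range."""
    return next(label for upper, label in BANDS if score <= upper)


if __name__ == "__main__":
    score = enforcement_score(GROUPS, POLICIES)
    print(f"Enforcement score: {score:.1f} ({score_band(score)})")  # 33.5 (Orange)
```

With these constructed inputs the 16 eligible cells are worth 40 points, the filled cells 13.4, giving 33.5 (Orange); marking every eligible cell as simulated yields exactly 10, as the text states.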

Enforcement Score Calculation Example

A Policy Set contains 80 eligible cells in the Policy Matrix, and policies have been applied to 50 of these cells. The total weighted score of the filled cells is 240, and the maximum possible score is 320.

Example Calculation

The Policy Set Enforcement Score is calculated as follows:

Policy Set Enforcement Score = (Sum of Points for Filled Cells / Sum of Points for All Eligible Cells) × 100

Substituting the values above:

Policy Set Enforcement Score = (240 / 320) × 100 = 75

Explanation:

  • Sum of Points for Filled Cells: The total weighted score of policies applied to eligible cells (240 in this example).
  • Sum of Points for All Eligible Cells: The maximum possible weighted score if all cells had policies (320 in this example).
  • Score Result: The calculated score is 75, indicating "Good" coverage within the Yellow range.

Interpretation:

The score of 75 indicates Good coverage (Yellow range), with room for further optimization.

Score Ranges and Color Coding

To enhance usability, the score is categorized into four ranges with corresponding color codes:

Range     Color    Interpretation
0-10      Red      Poor policy coverage; critical improvement needed.
11-50     Orange   Moderate policy coverage; requires attention.
51-75     Yellow   Adequate coverage; opportunities for improvement.
76-100    Green    High policy coverage; robust policy enforcement.

Viewing Policy Set Enforcement Scores

Policy Set Enforcement Scores can be accessed from two primary locations within the Elisity Cloud Control Center (CCC):

  1. Policy Set List View:
    In the Policy Set list, the Enforcement Score for each Policy Set is displayed in a dedicated column. This allows users to quickly compare scores across multiple Policy Sets and identify those requiring attention.

  2. Policy Matrix View:
    Within the Policy Matrix view of a specific Policy Set, the Enforcement Score is prominently displayed alongside the matrix. This contextual display provides immediate insights into the overall coverage and enforcement level while managing or reviewing policies.

Both views offer intuitive access to the scores, empowering administrators to assess and improve their network’s segmentation strategy effectively.

Use Cases

The Policy Set Enforcement Score is a versatile tool designed to assist organizations in several critical areas of security management and operational efficiency. Below are practical use cases:

1. Visibility and Assessment

The score provides an at-a-glance view of how effectively policies are applied across your network, especially to critical assets. By leveraging the Policy Set Enforcement Score:

  • Security teams can identify gaps in policy coverage, ensuring high-impact assets are not left unprotected.
  • Administrators can analyze policy effectiveness in real time, enabling proactive adjustments to improve enforcement levels.

2. Prioritization of Resources

The scoring system highlights under-covered or high-risk areas in the network, guiding teams to allocate resources where they are needed most:

  • Focus on enhancing enforcement for Policy Groups with higher Security Levels, as these carry greater weight in overall risk mitigation.
  • Use the score to prioritize the transition of policies from simulation to enforcement, particularly for assets critical to operations or regulatory compliance.

3. Compliance and Audit Readiness

Aligning with standards like IEC 62443 requires structured segmentation and consistent policy enforcement:

  • The Policy Set Enforcement Score simplifies compliance tracking by visually representing coverage across critical assets.
  • Auditors and stakeholders can quickly assess whether network segmentation meets benchmarks, reducing the time and effort needed for compliance reporting.

4. Continuous Improvement

By integrating both simulated and enforced policies into the scoring model, the system supports iterative security improvements:

  • Organizations can test policies in simulation mode before full enforcement, reducing the risk of service disruption.
  • The score encourages ongoing refinement of segmentation strategies, enhancing overall network security posture over time.

5. Risk Communication

The score provides a quantitative and color-coded representation of security posture that can be easily communicated to non-technical stakeholders:

  • Executives and decision-makers gain a clear understanding of the network’s security status.
  • Teams can use the score to justify budget allocations for additional tools, resources, or training to improve enforcement.