Control Status
Purpose
This page provides a structured view of the current implementation state of security controls within Scheol Security Lab.
The objective is to:
- track actual control deployment
- highlight coverage gaps
- support risk visibility
- enable prioritisation of improvements
This page reflects the real state of the lab, not an intended or ideal target.
Status Model
Each control is assigned one of the following statuses:
| Status | Description |
|---|---|
| Established | Control is implemented and operational. |
| In Progress | Control is partially implemented or being actively developed. |
| Planned | Control is identified but not yet implemented. |
| Not Implemented | Control is relevant but currently absent. |
Control Status Overview
Controls are grouped by category for readability.
1. Identity & Access Control
| Control ID | Control Name | Status | Notes |
|---|---|---|---|
| C-XXX | Example control | Planned | To be defined |
2. Network & Exposure Control
| Control ID | Control Name | Status | Notes |
|---|---|---|---|
| C-XXX | Example control | Established | Reverse proxy and firewall rules in place |
3. System Hardening
| Control ID | Control Name | Status | Notes |
|---|---|---|---|
| C-XXX | Example control | In Progress | Hardening applied on VPS, incomplete on internal systems |
4. Monitoring & Detection
| Control ID | Control Name | Status | Notes |
|---|---|---|---|
| C-XXX | Example control | In Progress | Centralisation not fully implemented |
5. Backup & Recovery
| Control ID | Control Name | Status | Notes |
|---|---|---|---|
| C-XXX | Example control | Planned | External backups not yet deployed |
6. Governance & Documentation
| Control ID | Control Name | Status | Notes |
|---|---|---|---|
| C-XXX | Example control | In Progress | Documentation structure defined, not fully populated |
Status Interpretation
Control status should be interpreted as an indicator of:
- risk exposure level
- implementation maturity
- priority for improvement
A control marked as Established does not imply:
- full effectiveness
- complete coverage
- validated performance
Validation is addressed separately in the Validation & Monitoring section.
Relationship with Risk Management
Control status is directly linked to risk exposure:
- risks without associated controls → unmitigated
- risks with partial controls → partially mitigated
- risks with established controls → subject to validation
This allows prioritisation based on:
- risk criticality
- control maturity
- operational constraints
Known Limitations
At the current stage:
- control coverage is partial
- status assignment may remain high-level
- some controls are not yet formally documented
- dependencies between controls are not fully represented
This reflects the current maturity of the lab and is expected to improve over time.
Current Maturity
Control status tracking is currently at an early, in-progress stage.
Established
- definition of status model
- initial categorisation of control areas
- early visibility into implementation gaps
In Progress
- population of control status across all categories
- alignment between control definitions and actual implementation
- improvement of status accuracy and granularity
- linkage between control status and risk exposure
Planned / Next Phase
- full coverage of all defined controls
- better integration with validation and monitoring data
- improved visibility of dependencies and control interactions
- support for audit and reporting use cases
This page is intended to provide a transparent and evolving view of control maturity within the lab.