User:Gdestuynder/test/Scoring and other levels
NOT READY The goal of this document is to ensure consistency and coherence between security documents. All Mozilla security documentation should follow the recommendations below. The Enterprise Information Security (Infosec, formerly OpSec) team maintains this document as a reference guide for operational teams. Updates to this page should be submitted to the source repository on GitHub. Changes are detailed in the commit history.
Scoring and other levels
These levels should be used when possible.
RFC2119 handling recommendation levels
See also RFC 2119 for a formal definition.
Level | Expectations |
---|---|
OPTIONAL | |
SHOULD | |
MUST | |
Recommended configuration states
These are used to match recommended configuration states. They describe a set of documentation configuration states that we recommend using, depending on your use case.
Level | Expectations |
---|---|
Modern | |
Intermediate | |
Old | |
Document Status Codes
These are used in the header of every document to clearly signify its current status.
Level | Expectations |
---|---|
READY | |
DRAFT | |
NOT READY | |
Pass/fail tests
Tests are not levels per se. When possible, they either pass or fail. It's similar to a walk/don't walk traffic sign.
Level | Coding rationale | Expectations |
---|---|---|
PASS | | |
FAIL | | |
Scoring levels
Scores are used to gamify usage of security controls and features. Note that these levels do not directly signify risk, and are instead intended to provide a grade for a particular objective. The mapping to objectives can be used as a basis to create a mapping to Security/Standard_Levels.
The letter E is not used in the grades in order to keep scores concise and deliberately less granular (see expectations for each grade below). The use of + and - modifiers is allowed if necessary. These are added to represent going slightly above or below expectations.
Level | Expectations |
---|---|
A+, A, A- | Highest possible grade. |
B+, B, B- | |
C+, C, C- | |
D+, D, D- | Score may moderately contribute to risk. |
F | Lowest possible grade, score may greatly contribute to risk. |