- Selecting a list of controls scaled for a business of their type and size
- Developing an architectural model and road map for implementing the controls across the business or prioritized environments
- Prioritizing deployment phasing across various IT environments using risk management
- Sharing responsibility for control operation with third parties, such as cloud service providers (CSPs)
- Aligning control operation with appropriate IT, development, corporate administration, and line of business (LOB) groups
6.1 Understand Control Baselines and Control Frameworks
6-1 | Work with the legal team(s) and lines of business to list compliance regulations that apply to the business. Use this list to determine which standard control frameworks the control baseline should reference and which objectives or activities it should comply with. |
6 | Compliance to a regulation or a checklist of controls equals (or guarantees) security. |
6.2 Address Common Challenges
- Too many controls? Seeing the forest through the trees
- Difficulty risk informing controls
- Controls without a unifying architecture
- Lack of structure for sharing responsibility with third parties
- Controls out of line with business culture
6.2.1 Too Many Controls?
- The Center for Internet Security (CIS) maintains a list of the “top 20” security controls[7] curated through a community of IT experts. Its stated goal is to help practitioners see through the “fog of more” and identify a set of prioritized actions based on best practices for defense in depth.
- NIST publishes a Cybersecurity Framework[8] as a higher-level, more business-accessible list of controls that also provides pointers to the granular NIST 800-53, ISO 27001, COBIT, and the CIS top 20 controls.
7 | There exists one control baseline that is suitable for every business. |
6.2.2 Difficulty Risk Informing Controls
- Selecting controls based on risk scenarios is currently more of an art than a science.
- Operationalizing risk management throughout the enterprise also requires mature, risk-informed asset and vulnerability management, third-party management, and other processes.
- It is sometimes difficult to determine which controls are reducing risk less than others and should be decommissioned during a budget cut or reallocation process.
6.2.3 Controls Without a Unifying Architecture
6.2.4 Lack of Structure for Sharing Responsibility with Third Parties
6.2.5 Controls Out of Line with Business Culture
- Security policy writers create control standards and requirements without engaging the business to learn whether the requirements are practical or provide guidance on how the business can best meet the requirements.
- IT or LOB executives turn a blind eye to some security policies and don’t tell security teams in advance about all their digital innovation or procurement plans.
- Developers use “port agility” to get traffic through the firewall even as the network security team tries to block it.
- IT administrators kill the security team’s privileged access management (PAM) initiative with passive-aggressive or uncooperative behavior.
6.3 Select a Control Baseline from the Essential Control Domains
Control Domain | Summary Description |
---|---|
Security governance | Govern security roles, responsibilities, decisions, and strategy. |
Risk management | Create a taxonomy framework and processes to identify, assess, treat, monitor, and communicate risks. |
Security policies and awareness | Document security requirements for people and systems. Publicize them and motivate or empower users to follow them through user awareness training. |
Asset inventory | Discover IT assets, profile their risk, and identify all critical assets as well as asset owners. |
Third-party management | Discover third parties, profile their risks, and manage shared responsibilities for security. |
Network security and zoning | Protect network security, arrange IT assets in physical network segments or logical compartments (i.e., “zones”), and provide perimeter protections to the zones. |
Authentication, user account management | Manage employee, contractor, and other users’ accounts; authenticate access to those accounts. |
Access management and authorization | Enable asset owners to ensure that authenticated users can only access resources as prescribed by business policies. |
Security configuration and change management | Configure IT systems and applications in a secure manner and control changes to policies, configurations, documents, and code. |
Data protection | Classify and discover sensitive information. Apply encryption, tokenization, or data leakage protection (DLP) on data in motion, at rest, and in use. |
Secure software development and application security | Follow secure software development lifecycle (SDLC) and/or DevSecOps standards and practices in development projects. |
Vulnerability management | Scan IT systems and applications for software, hardware, or configuration vulnerabilities; prioritize and remediate vulnerabilities. |
Physical security | Monitor and protect the business’s physical facilities to safeguard the users and assets within the facilities as well as the facilities themselves. |
Secure HR practices | Perform background checks and ensure that people-related security practices (e.g., awareness training, policy enforcement) comply with laws and good practices. |
Real-time threat detection | Detect hacking, malware, and abuse against IT systems and devices; generate alerts to security monitoring systems; and triage alerts for effective response. |
Logging and log review | Generate and collect event logs of security-relevant information in keeping with security standards; review logs to detect threats or compromises of IT systems. |
User account monitoring | Monitor both standard user accounts and privileged user accounts for unauthorized, unusual, or suspicious activity. |
Incident response | Identify and investigate all types of incidents, contain threats, eradicate malware or damaged configuration, recover, and learn from incidents. |
Backup and data recovery | Back up data, configuration, and code of IT assets in a secure manner and test the ability to perform data recovery. |
Business continuity | Identify critical assets, create procedures and facilities to recover their functionality within a specified time in the event of outage, and test recovery. |
- Definition: Brief definition of the control domain.
- Description: Describes requirements for the control domain broadly aimed at attaining the Level 3, or “Defined” maturity level. Recall from Chapter 1’s section “Maturity,” Figure 1-6, that attaining the Defined maturity level requires that security roles, responsibilities, and policies be defined and established in at least some areas, but only requires manual means of verification.
- Business dependencies: Identify the business functions that tend to be involved with the control domain deployment, for example, IT and development managers for security configuration and change management and HR for secure HR practices. Table 6-3 in section “Align Control Deployment and Business Functions” summarizes a master table of control domains and business interdependencies.
6.3.1 Serve Up a Balanced Diet of Controls
- Identify (ID): Know what you have and what you need to protect.
- Protect (PR): Endeavor to prevent harm to your IT assets or security objectives.
- Detect (DE): When protection fails – and it will eventually – at least detect the problem.
- Respond (RS): Upon detecting an attack, incident, or serious vulnerability, act to stop or contain it.
- Recover (RC): Once the breach has been closed, fix the damage.
6.3.2 Identify All Aspects of Situational Awareness
Security Governance Control Domain |
---|
Definition: Governs security roles, responsibilities, decisions, and strategies through a set of processes and capabilities operated jointly by business and security leaders |
Description: Puts a CISO or other top security leaders in place. Defines the lines of authority, accountability, and responsibility for cybersecurity. Aligns cybersecurity risk, security policy, and resource allocation with business strategies. Reports security and risk status and progress to executives and stakeholders in business terms. |
Business dependencies: Executive stakeholders, LOB, and IT management. |
NIST CSF references: ID.GV: All four controls |
Risk Management Control Domain |
---|
Definition: Creates a taxonomy and process to identify, assess, treat, monitor, and communicate risk. |
Description: Discovers and communicates business leaders’ risk appetite and desired risk treatment strategies, that is, accept, avoid, mitigate, or transfer different kinds of risks. Puts a standard control framework in place and determines control selection and prioritization. Maintains and communicates risk register to management. Aligns with regulatory requirements, compliance, and audit functions. |
Business dependencies: Enterprise risk management, executive stakeholders, LOB executives, and compliance teams for basic program. Potentially any other business stakeholders depending upon the content of specific risk assessments. |
References: Chapter 5. NIST CSF references: ID.BE: Business environment; ID.RA: Risk assessment; ID.RM: Risk management; ID.SC: Supply chain risk |
Security Policies and Awareness Control Domain |
---|
Definition: Documents security requirements for people and systems in the business and publicizes them through user awareness training. |
Description: Establishes a lifecycle management process for high-level policy and subordinate standard, guideline, and procedure document hierarchies. Seeks to promote secure behavior and a healthy security culture. Covers security governance, risk management, acceptable use of IT and information assets, data classification, access management, incident response, and other policies. Puts an awareness and training program in place. Refer to Chapter 3 for guidance on policy management and Chapter 4 for advancing awareness and the supporting security culture. |
Business dependencies: Executive stakeholders, LOB, IT, development leadership, and project management office (PMO) as well as awareness team and/or internal marketing team. |
NIST CSF references: ID.GV-1: Organizational policy; PR.AT: All five controls |
Asset Inventory Control Domain |
---|
Definition: Discovers IT assets, profiles their risks, and identifies all critical assets as well as asset owners. |
Description: Maintains asset inventory databases, directory services, and other registries with information on the assets. Using asset risk profiles, identifies the organization’s most valuable, critical, or high-risk assets (aka “crown jewels”). Refer to Chapter 7 for consideration of “knowing what you have” as part of rationalizing IT and to Chapter 5 for more information on asset risk profiling. |
Business dependencies: Asset inventory functions are generally led by IT, development, and LOB managers. |
NIST CSF references: ID.AM: All six controls; ID.RA-1: Identify asset vulnerabilities; PR.DS-3: Assets managed |
Third-Party Management Control Domain |
---|
Definition: Manages vendors, suppliers, and other third parties, profiles their risks, and manages shared responsibilities for security. |
Description: Provides security input on business decisions to use new third parties or make major changes to existing use cases. Sets standards for security controls or conduct by third parties. Conducts audits of third parties in the highest risk tiers. |
Business dependencies: Third-party management generally led by procurement or vendor management. IT management, LOB leadership, and other stakeholders initiate third-party relationships. |
References: Chapter 5. NIST CSF references: ID.SC: Supply chain risk |
6.3.3 Protect Information Systems and Assets
Network Security and Zoning Control Domain |
---|
Definition: Arranges IT assets in logical compartments or physical network segments (i.e., “zones”) and provides perimeter protections to the zones. Uses network firewalls, microsegmentation in data centers, virtual LANs (VLANs), and other solutions to enforce communications policies. Controls remote access to protected or restricted zones via virtual private networks (VPNs), jump hosts, or reverse proxies. |
Description: Protects network routing and control devices. Separates assets of different levels of criticality, or with different compliance or communications needs, using zones. Provides zone perimeter enforcement using network firewalls, host-based firewalls, virtual machine firewalls, or identity-based access controls to form physical or logical boundaries. |
Business dependencies: EA, IT, and development leaders and architects as well as compliance and audit, networking, network management, and endpoint security teams. |
References: NIST CSF references: PR.AC-3: Remote access; PR.AC-5: Network segregation; PR.AC-7: Device authentication; PR.PT-4: Protect control networks |
Authentication and User Account Management Control Domain |
---|
Definition: Manages employee, contractor, and other users’ accounts; authenticates access to those accounts. |
Description: Manages user accounts in directory services and other authentication systems for all employees and third-party contractors or partners and authenticates access to resources by people, machines, or services on the network. Depending on the criticality of the accounts, supports passwords, biometric sign-on, or stronger authentication capabilities such as one-time password (OTP) token generators and contextual authentication services. Protects secret authentication credentials such as passwords from disclosure. For consumer accounts in some jurisdictions, includes core privacy features such as consent management. Uses special techniques, such as password vaulting, for privileged user accounts. |
Business dependencies: IT and development managers. Compliance and audit. |
References: Chapter 8. NIST CSF references: PR.AC-1: Manage IDs, credentials; PR.AC-6: Identity proofing; PR.AC-7: User authentication |
Access Management and Authorization Control Domain |
---|
Definition: Enables asset owners to ensure that authenticated users can only access resources as prescribed by business policies. |
Description: Enforces access control at multiple layers, such as network perimeters, access proxies, systems, databases or repositories, and applications. Controls fine-grained access permissions at the application level using security groups, roles, or attributes. Provides access management processes and workflows to request or review access. Provides access provisioning (and deprovisioning). |
Business dependencies: EA, IT managers, development managers, and any other stakeholder relying on shared IAM services or controlling a system affected by shared access control policies. Compliance and audit. |
References: Chapter 8. NIST CSF references: PR.AC-2: Physical access control; PR.AC-3: Remote access; PR.AC-4: Authorization; PR.AC-5: Network access; PR.PT-3: Least functionality |
Security Configuration and Change Management Control Domain |
---|
Definition: Configures IT systems, network devices, and applications in a secure manner and controls changes to policies, configurations, documents, and code. |
Description: Securely configures systems to reduce attack surface by applying least privilege and least functionality principles. Applies vendor or service provider secure configuration baselines. Supports change management to minimize “drift” from the baselines and uses automated tools to check operating system instances, workloads, and deployed application configuration settings against baselines for managed assets. |
Business dependencies: IT managers, development managers, and any other stakeholder controlling a system affected by shared security configuration and change control policies. Compliance and audit. |
References: NIST CSF references: PR.IP-1: Secure baseline configuration; PR.IP-3: Change control |
Data Protection Control Domain |
---|
Definition: Classifies and discovers sensitive information and applies core data security and privacy controls such as encryption or data leakage protection (DLP) on data in motion, at rest, and in use. |
Description: Encrypts data on the wire using Transport Layer Security (TLS) and similar protocols and encrypts data at rest on mobile devices. Databases and other critical repositories where large amounts of structured or unstructured sensitive data are stored may leverage secure configuration, access control, restrictive security zoning, and database audit and protection tools rather than encryption to avoid degrading functionality. Defines data classification policies and data owners and discovers or keeps an inventory of sensitive data in the IT environment. Chapter 8 discusses data governance, which affects data protection as well as access control. |
Business dependencies: EA, IT managers, development managers, and any other stakeholder holding confidential or restricted data (especially when using shared data protection services). Compliance and audit. |
References: Chapter 8. NIST CSF references: ID.AM-5: Resource classification; PR.DS-1: Data-at-rest protected; PR.DS-2: Data in transit protected; PR.DS-4: Adequate capacity; PR.DS-5: Data leak protection |
Secure Software Development and Application Security Control Domain |
---|
Definition: Follows secure software development lifecycle (SDLC) and/or DevSecOps standards and practices in development projects. |
Description: Sets standards, training, practices, and tools enabling developers to create more secure systems and applications. Performs threat modeling and security reviews during the design phase or at intervals during agile development processes. Provides tools for static and dynamic software testing as well as vulnerability assessment to add assurance during the quality control process, at least for critical applications. Provides basic web application firewall (WAF) functionality. |
Business dependencies: Chief Technology Officer (CTO) and development leaders |
References: Chapter 7 (DevSecOps). NIST CSF references: PR.AC-4: Access control (for applications); PR.AT-1, 2: User awareness, training; PR.DS-7: Separate development from production; PR.IP-2: Implement secure SDLC; PR.IP-12: Vulnerability management plan |
Vulnerability Management Control Domain |
---|
Definition: Scans IT systems and applications for software, hardware, or configuration vulnerabilities; prioritizes and remediates vulnerabilities. |
Description: Provides processes and tools for periodic automated vulnerability scanning and vulnerability remediation through patching or applying compensating controls. Patching processes take software updates from multiple vendors and/or a third-party vulnerability management tool. Prioritizes vulnerability remediation. For critical assets, tests patches before applying them to reduce chance of impact on users or disruption to production systems. |
Business dependencies: IT and development leaders, compliance and audit |
References: Chapter 5 (triage, prioritization). NIST CSF references: PR.IP-12: Vulnerability management plan; PR.IP-1: Secure baseline configuration; DE.CM-8: Vulnerability scans; RS.MI-3: Vulnerability mitigation; PR.MA-2: Remote maintenance; PR.PT-3: Least functionality; PR.DS-6: Integrity checking |
Physical Security Control Domain |
---|
Definition: Monitors and protects the business’s physical facilities to safeguard the users and assets within the facilities as well as the facilities themselves. |
Description: Protects business facilities, such as office buildings, data centers, and servers. Provides physical access control systems, such as locks, alarms, and physical identity badge readers. Uses cameras and motion sensors to monitor facilities. Protects against natural threats such as earthquakes, fires, and floods. |
Business dependencies: Facilities management (physical security, executive protection, badging), IAM teams. |
References: NIST CSF references: PR.AC-2: Physical access control; PR.IP-5: Physical security policy compliance; DE.CM-2: Monitoring systems (a detect control) |
Secure HR Practice Control Domain |
---|
Definition: Performs background checks and ensures that people-related security practices (e.g., awareness training, policy enforcement) comply with laws and good practices. |
Description: Maintains and follows HR and/or security policies and procedures for background checks, hiring, contracting, awareness programs, terminations, incident investigations, and disciplinary actions as they relate to security. Provides input on any policy or procedure, such as monitoring staff emails and communications for leakage, or controls on personally owned mobile devices. |
Business dependencies: HR, security operations and monitoring, IAM, and international legal teams. |
References: NIST CSF references: PR.IP-11: Cybersecurity included in HR practices |
6.3.4 Win the Race to Detect
Real-Time Threat Detection Control Domain |
---|
Definition: Detects hacking, malware, and abuse against IT systems, generates alerts to security monitoring systems, and triages alerts to enable effective response. |
Description: Provides multiple layers of defense to detect and prevent hacking and malware threats to the IT environment. Deploys intrusion detection systems as well as endpoint and server-level malware scanning and removal. Combines technical, procedural, and educational controls against phishing, which is the most common malware delivery method for targeted cyberattacks. Interfaces to incident response capabilities to quarantine, contain, or block any malware found on endpoints. Provides enough skilled staff to configure and tune the products, perform investigations, and orchestrate responses, such as cleaning infected systems or temporarily quarantining compromised network segments. Operates security information and event management (SIEM) capabilities, or makes use of cloud-enabled ones, to correlate security events and apply machine learning (ML) to detect anomalies. |
Business dependencies: IT teams, legal. |
References: Chapter 9. NIST CSF references: DE.CM-1, 4, 5, 7: Detect malware, unauthorized mobile code, suspicious network activity; DE.AE-4, 5: Understand, process alerts; DE.DP: Detection processes (all controls); DE.CM-6: Monitor external services |
Logging and Log Review Control Domain |
---|
Definition: Generates and collects event logs of security-relevant information in keeping with security standards; reviews logs to detect threats or compromises of IT systems. |
Description: Operates on endpoints, servers, applications, infrastructure systems, network devices, and security services themselves. Creates processes and acquires tools to monitor and review the log information. Provides skilled technical security staff to analyze logs using basic log management and collection tools to identify indicators of compromise from the mass of normal activity. May begin to operate a SIEM or other advanced tools to supplement real-time threat detection with log-based detection as well as to produce security reports for audit or trend analysis. |
Business dependencies: IT and development teams, HR, legal, compliance. |
References: Chapter 9. NIST CSF references: PR.PT-1: Logging and log review; DE.AE-1, 2: Analyze logs to baseline normal activity and attacks; DE.AE-3: Collect and correlate log data from multiple sources |
User Account Monitoring Control Domain |
---|
Definition: Monitors both standard user accounts and privileged user accounts for unauthorized, unusual, or suspicious activity. |
Description: Monitors for common types of unusual user activity, such as multiple failed authentication attempts followed by access from an unexpected location. Complies with legal protections or work rules while performing the necessary monitoring, especially for privileged accounts, by combining technical, procedural, and educational controls. |
Business dependencies: IAM, HR, legal, audit, compliance teams. |
NIST CSF references: PR.AC-1, 4, 6, 7: Capture user and access management events; PR.PT-1: Audit logs collected per policy; DE.AE-1: Baseline normal account activity; DE.AE-3: Collect and correlate log data; DE.CM-1, 3, 7: Monitor networks, devices, personnel activity |
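The pattern the description above names (several failed authentication attempts followed by a success from an unexpected location), worked as an added detection example that is not from the book. The log line format, the constructed sample log, the 10-minute window, the failure thresholds, and the privileged-account list are all assumptions made for this example; a real deployment would learn each account's baseline of normal sources from a much longer history than the same log stream.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2024-03-01T07:00:00Z auth user=dave-admin result=SUCCESS src=office-lan
2024-03-01T08:00:12Z auth user=alice result=SUCCESS src=office-lan
2024-03-01T08:05:40Z auth user=bob result=SUCCESS src=home-isp-1
2024-03-01T09:10:01Z auth user=alice result=FAIL src=unknown-vpn
2024-03-01T09:10:09Z auth user=alice result=FAIL src=unknown-vpn
2024-03-01T09:10:15Z auth user=alice result=FAIL src=unknown-vpn
2024-03-01T09:10:22Z auth user=alice result=FAIL src=unknown-vpn
2024-03-01T09:10:30Z auth user=alice result=SUCCESS src=unknown-vpn
2024-03-01T09:30:00Z auth user=bob result=FAIL src=home-isp-1
2024-03-01T09:30:05Z auth user=bob result=SUCCESS src=home-isp-1
2024-03-01T12:00:00Z auth user=carol result=FAIL src=home-isp-2
2024-03-01T12:00:03Z auth user=carol result=FAIL src=home-isp-2
2024-03-01T12:00:06Z auth user=carol result=FAIL src=home-isp-2
2024-03-01T12:00:09Z auth user=carol result=FAIL src=home-isp-2
2024-03-01T14:00:00Z auth user=carol result=SUCCESS src=home-isp-2
2024-03-01T15:00:00Z auth user=dave-admin result=FAIL src=unknown-vpn
2024-03-01T15:00:04Z auth user=dave-admin result=FAIL src=unknown-vpn
2024-03-01T15:00:09Z auth user=dave-admin result=SUCCESS src=unknown-vpn
"""

# Assumed line format: "<ISO timestamp> auth user=<id> result=SUCCESS|FAIL src=<label>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL) src=(?P<src>\S+)$"
)

# Hypothetical policy values: privileged accounts get a lower failure threshold,
# matching the text's emphasis on watching privileged accounts more closely.
PRIVILEGED_ACCOUNTS = {"dave-admin"}
FAIL_THRESHOLD = {"standard": 3, "privileged": 2}
WINDOW = timedelta(minutes=10)


@dataclass
class Alert:
    user: str
    when: datetime
    src: str
    failures: int
    privileged: bool


def parse_line(line):
    """Parse one log line; return (timestamp, user, result, src) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["result"], m["src"]


def detect(lines):
    """Alert when an account has >= threshold failures inside WINDOW and then a
    success from a source that account has never successfully used before."""
    recent_fails = defaultdict(deque)   # user -> timestamps of failures still in the window
    known_sources = defaultdict(set)    # user -> sources of earlier successes (the baseline)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                    # skip lines that do not match the expected format
        ts, user, result, src = parsed
        fails = recent_fails[user]
        while fails and ts - fails[0] > WINDOW:
            fails.popleft()             # failures older than the window no longer count
        if result == "FAIL":
            fails.append(ts)
            continue
        privileged = user in PRIVILEGED_ACCOUNTS
        threshold = FAIL_THRESHOLD["privileged" if privileged else "standard"]
        if len(fails) >= threshold and src not in known_sources[user]:
            alerts.append(Alert(user, ts, src, len(fails), privileged))
        known_sources[user].add(src)    # a success makes this source part of the baseline
        fails.clear()                   # the burst is resolved either way
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        flag = "PRIVILEGED " if a.privileged else ""
        print(f"{a.when.isoformat()} {flag}{a.user}: {a.failures} failures, then "
              f"success from new source {a.src}")
```

In the constructed log, bob's single failure from a known source and carol's failures two hours before her success produce no alert; alice and the privileged dave-admin account do.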
6.3.5 Respond Effectively and Appropriately
Incident Response Control Domain |
---|
Definition: Identifies and investigates all types of incidents, contains threats, eradicates malware or damaged configuration, recovers, and learns from the incidents. |
Description: Provides a program to respond to incidents before breaches or other emergencies materialize. Enacts a set of response policies, plans, and processes that define what constitutes an incident, how each type of incident will be handled, and who is responsible for which activities. Provides technical capabilities and procedures to contain, investigate, and escalate incidents to executives and report them to external stakeholders such as customers, partners, regulators, law enforcement, and the general public. |
Business dependencies: Executive stakeholders, IT, development and LOB leaders, HR, legal, compliance, vendor management, public relations teams, and any other stakeholders affected by incidents. |
References: Chapter 9. NIST CSF references: RS.RP-1: Response planning; RS.CO (communication): All controls; RS.AN (analysis): All controls; RS.MI (mitigation): All controls; RS.IM (improvement): All controls |
6.3.6 Recover from Outages or Breaches
Backup and Data Recovery Control Domain |
---|
Definition: Backs up data, configuration, and code of IT assets in a secure manner and tests the ability to perform data recovery. |
Description: Prepares for the loss of IT systems or data by taking data backups, designating warm or cold standby systems for use in the event of an outage. Tests recovery of user data, configuration, and entire systems. May arrange relationships with outsourced providers of redundant compute, storage, and network resources. |
Business dependencies: Business continuity team, IT, development and LOB leaders, vendor management, and any other stakeholders affected by outages or data loss. |
References: Chapter 9. NIST CSF references: PR.IP-4: Backups; RC.RP-1: Recovery plan executed |
Business Continuity Control Domain |
---|
Definition: Identifies critical assets, creates procedures and facilities to recover their functionality within a specified time in the event of outage, and tests recovery. |
Description: Provides basic business continuity processes to recover critical assets identified during a Business Impact Assessment (BIA). Prepares for the loss of IT systems or data by taking data backups, designating warm or cold standby systems for use in the event of an outage. Creates contingency plans and performs failover tests or other tests. Manages recovery from regulatory, legal, and reputational damage in the event of a breach of sensitive data. May arrange cyber-insurance and relationships with outsourced providers of redundant compute, storage, and network resources. |
Business dependencies: Business continuity team, IT, development and LOB leaders, legal, vendor management, compliance teams, and any other stakeholders affected by outages or breaches. |
References: Chapter 9. NIST CSF references: RC.RP-1: Recovery plan executed; RC.MI-1, 2: Recovery plan improvement |
6.4 Develop Architectural Models and Plans for Control Implementation
6.4.1 Maintain Assessments, Target Architectures, and Implementation Road Maps
6.4.2 Use a Two or Three Lines of Defense Model for Control Assurance
- First line (implementation and operations): IT and development business process or system owners perform most day-to-day implementation and operations work. For example, business staff use on-premises SAP systems or cloud-based Salesforce services with support from IT operations and development.
- Second line (security administration, monitoring, and assurance): Security staff can back up IT operations staff to provide assurance by defining, validating, or checking IT’s security procedures. Security staff also often operate security tools such as cloud access security brokers (CASBs) and key management services that exist solely for assurance. Security staff perform security monitoring, security design reviews, and penetration testing from the second line as well.
- Third line (audit): Audit can provide an independent check on the implementation, operations, and assurance processes in the first and second lines. Often a combination of internal auditors and external auditors operates according to an annual or semiannual schedule. Internal audit should report outside of IT, often directly to a Board of Directors’ Audit Committee. External audit reports (such as an American Institute of Certified Public Accountants (AICPA) Service Organization Control 2 (SOC 2)[11] report or a Payment Card Industry Data Security Standard (PCI DSS)[12] report) are also reported to compliance stakeholders.
6-2 | Internal audit or compliance functions should sample security assurance (second line) as well as IT operations (first line) functions for deficiencies in meeting the business security policies. The security organization should assist internal audit in maximizing insight and efficiency in its process and partner with internal audit on executive reporting to help make audit findings actionable for stakeholders. |
6.4.3 Apply a Shared Responsibility Model to the Control Baseline
Type of Third Party | Inter-dependencies and Evaluation Criteria |
---|---|
Generic vendor, partner, or third party | The following third-party evaluation criteria flow down the table, applying to all vendors or third parties. All vendors or third parties should be viable businesses, offer or agree to acceptable contractual terms, and provide a security program with their own controls that are commensurate with the risks of the use case. In general, every third party should provide secure HR services, security policy and awareness, incident response, and other controls for itself. |
Commercial off-the-shelf (COTS) product vendor | Businesses deploy software or hardware products and rely on the vendor for secure software (or system) development, vulnerability management support, and training for the product. |
Full-time contractor staffing providers | Some onshore or offshore professional services companies provide contractors for staff augmentation, and some engagements last months or years. These staff may be treated similarly to the customers’ own employees. As the staffing provider’s customer, the organization will be depending on the provider’s secure HR practices and user account management to validate staff are employees in good standing at the contractor organization. However, the customer organization must also provide user account management and authentication for the individual contractors’ use within the customer’s IT environments. |
Software-as-a-service (SaaS) provider | SaaS CSPs provide turnkey applications on demand, such as Salesforce or Workday. Customers need the vendor to provide security for the full IT stack, but enable customer control of user account management for the customer’s staff, log review, and other application security features. |
Platform-as-a-service (PaaS) provider | PaaS CSPs provide an application development and application platform environment on which customers can build, host, and run COTS or custom applications. Customer PaaS requirements are similar to the SaaS ones; however, the customer needs more control over application and data security features in the service. |
Infrastructure-as-a-service (IaaS) provider | IaaS CSPs provide a compute virtualization and cloud storage environment on which customers can build, host, and run compute infrastructure and applications. Customers are responsible for all host-level security features in the guest OS. |
6.4.4 Tune Controls to Security and Business Needs
- Risk and compliance
- Cost and maintenance
- Productivity and user experience
- Market objectives
- Customer needs
6-3 | Engage business and IT stakeholders who have a security-related role maintaining controls, are the business owners for assets protected by the controls, or whose operations or business objectives could be impacted by the controls. Tune control deployment style to their business needs and risks. |
6.5 Scale and Align the Control Baseline
6.5.1 Scale to Business Size, Type, and Industry
- Governance: Combine the security steering committee function with an IT steering committee or even a single executive staff meeting for all administrative decisions.
- Security policies and awareness: A single security policy document might suffice. However, detailed technical procedures should still be in separate documents.
- Access management: Smaller organizations may not require formal access request, access review, and access revocation processes.
- Only use two lines of defense (omit internal audit).
- Prefer simplified cloud-based solutions for:
  - Real-time threat detection
  - Logging and log review
  - User account monitoring
  - Backup and data recovery
  - Other controls
6.5.2 Align Control Deployment and Business Functions
Business Function | Control Domain Inter-Dependencies |
---|---|
Executive stakeholders | Security governance, risk management, security policy and awareness, incident response |
LOB executives, leaders | Security governance, risk management, security policy and awareness, asset inventory, third-party management, incident response, backup and data recovery, and business continuity. Many other control domains also tend to have inter-dependencies on LOBs in organizations with decentralized security governance. |
IT leaders or teams | Security governance, security policy and awareness, asset inventory, security zoning, authentication and user account management, access management and authorization, SCCM, data protection, vulnerability management, logging and log review, incident response, backup and data recovery, business continuity |
CTO and/or development leaders or teams | Security governance, security policy and awareness, asset inventory, security zoning, authentication and user account management, access management and authorization, SCCM, data protection, SDLC, vulnerability management, logging and log review, incident response, backup and data recovery, business continuity |
Business continuity team | Backup and data recovery, business continuity |
Compliance and audit | Risk management, security zoning, authentication and user account management, access management, SCCM, data protection, vulnerability management, logging and log review, incident response, business continuity |
Endpoint or mobile device management team | Security zoning, real-time threat detection |
Enterprise risk management | Risk management |
Facilities management | Physical security, business continuity |
Human resources | Secure HR practices, user account monitoring, incident response |
Internal marketing team | Security policy and awareness |
IT asset management | Asset inventory |
Legal team | Secure HR practices, logging and log review, user account monitoring, incident response, business continuity |
Network management team | Security zoning |
Procurement and/or vendor management | Third-party management, security zoning, access management and authorization, data protection, incident response, backup and data recovery |
Public relations | Incident response |
UAT team | Security policy and awareness |
6-4 | Identify the leaders for the various business functions as well as business or IT owners of critical assets. Assign informal relationship managers to them. For business functions with multiple control domain alignments, establish formal coordination forums or projects as the work content merits. |
6.6 Call to Action
- Select which control frameworks to reference based on your business’s industry and compliance requirements.
- Put a minimum viable control baseline in place.
- Select granular controls from the 20 major control domains and the NIST CSF model control categories.
- Prioritize the granular controls based on risk.
- Build two or three lines of defense into the control architecture.
- Work with the business’s third-party management organization to apply shared responsibility models or concepts to third-party relationships.
- Tune control deployment style to the business’s risk, risk appetite, culture, and functional requirements for the protected assets.
- Seek to achieve a “Defined” maturity level or better in each control domain.
- Align control deployment with the leaders of the business functions involved with the controls as well as with owners of critical assets.
- Scale control deployment to the business’s type, size, and compliance requirements.
- Evaluate the current control baseline document(s) to see if they can be used as is or as a draft starting point.
- Create an initial detailed outline for a new control baseline using a spreadsheet or a governance, risk, and compliance (GRC) tool. Populate the draft using information from the 20 security control domains.
- Perform a control gap assessment against the control baseline and the list of top information risks. Depending on the size of the business, rapid or deep security assessments17 can be performed within a 30-, 60-, or 90-day period.
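As an added example (not the book's own code or a GRC tool's output), the following Python sketch performs the last step above: it scores each control domain's maturity shortfall against the “Defined” target, weights it by the top information risks the domain mitigates, and flags domains whose operation is shared with a third party. The domain names, risk ratings, the five-level maturity ladder and the sample data are assumptions constructed for illustration.

```python
"""Control gap assessment against a baseline (added example, not from the book)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed CMM-style ladder; "Defined" is the floor the chapter recommends per domain.
MATURITY = ["Initial", "Repeatable", "Defined", "Managed", "Optimizing"]
TARGET = "Defined"


@dataclass
class ControlDomain:
    name: str
    current: str                                   # observed maturity level
    risks: List[Tuple[str, int]] = field(default_factory=list)  # (risk, rating 1-5) mitigated
    shared_with: Optional[str] = None              # third party operating the control, if any


def maturity_gap(domain: ControlDomain, target: str = TARGET) -> int:
    """Levels the domain must climb to reach the target (0 if already there or above)."""
    return max(0, MATURITY.index(target) - MATURITY.index(domain.current))


def risk_exposure(domain: ControlDomain) -> int:
    """Sum of ratings of the top risks this domain mitigates (higher = more exposure)."""
    return sum(rating for _, rating in domain.risks)


def assess(domains: List[ControlDomain], target: str = TARGET) -> List[dict]:
    """Rank domains below target by gap * exposure; domains at or above target are omitted.
    Shared-responsibility domains are tagged so the gap is closed with vendor evidence
    (attestations, reports, contract terms) rather than an internal project alone."""
    gaps = []
    for d in domains:
        g = maturity_gap(d, target)
        if g == 0:
            continue
        gaps.append({
            "domain": d.name,
            "gap_levels": g,
            "priority": g * risk_exposure(d),
            "remediation": f"obtain evidence from {d.shared_with}" if d.shared_with else "internal project",
        })
    return sorted(gaps, key=lambda x: (-x["priority"], x["domain"]))


# Constructed sample baseline state; values are illustrative only.
SAMPLE_DOMAINS = [
    ControlDomain("Security governance", "Defined", [("ransomware", 5)]),
    ControlDomain("Backup and data recovery", "Initial", [("ransomware", 5), ("data loss", 4)]),
    ControlDomain("Third-party management", "Repeatable", [("vendor breach", 3)]),
    ControlDomain("Logging and log review", "Repeatable", [("ransomware", 5)], shared_with="SaaS provider"),
    ControlDomain("Physical security", "Managed", [("theft", 2)]),
]
```

Running `assess(SAMPLE_DOMAINS)` ranks backup and data recovery first (two levels short, exposure 9), then the SaaS-shared logging domain, whose gap is closed by requesting the provider's evidence rather than by building the control in-house.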