What are IT and Cyber Controls and How to Achieve Control Harmonization?
- IT Risk & Cyber Risk
- 25 January 23
Introduction
In our previous post on this series, What are Cyber Frameworks and How Should You Choose the Right One?, we walked through understanding IT/cyber frameworks and how they are used to manage IT & cyber risks. In this second part, we will review IT/cyber controls, choosing them effectively and harmonizing them across frameworks.
What are Controls?
Controls can be defined as safeguards, mechanisms, or countermeasures, implemented by organizations, to avoid, detect, counteract, or minimize security risks (threats/attacks) to protect the confidentiality, integrity, and availability of data and information assets.
Implementing the right set of controls can better protect the organization from attacks, breaches, and threats, and if done intelligently, may result in resource and cost savings.
Types of Controls
Controls can be segregated by their type/nature and by the specific function they play.
| Types | Functions |
|---|---|
| Administrative/Managerial Controls are policies and procedures that provide structure and guidance to individuals | Preventative Controls prevent/restrict certain activities, such as unauthorized system access, data altering |
| Physical Controls limit the physical access to systems and act as offline barriers | Detective Controls alert deviations from the status quo, such as video surveillance, intrusion detection systems, honeypots |
| Technical/Logical Controls limit access to systems or data on a hardware or software basis, such as encryption, fingerprint readers, authentication, AuthCodes | Deterrents are controls that discourage threats from attempting to exploit a vulnerability, such as policy punishments, law/order |
| Operational Controls involve people conducting processes on a day-to-day level, such as awareness training, asset classification, reviewing log files | Corrective Controls help take an action from one state to another, such as patching a system, quarantining a virus, terminating a process |
| Recovery Controls help get something back from a loss, such as the recovery of a hard drive | |
Controls types and functions can overlap as well as we can see from the examples below:
- To implement appropriate risk controls, an organization might implement administrative and preventive controls together. This can be done by defining and rolling out an asset usage policy (preventive) along with regular security awareness training (administrative).
- To implement appropriate security controls, an organization might implement technical and detective controls together. This can be done by installing an antivirus tool (detective) along with an intrusion detection system (technical).
- To implement appropriate access controls, an organization might implement physical and technical controls together. This can be done by restricting access to premises through guards and access control systems (physical) along with two-factor authentication to use any IT systems (technical).
There can be numerous combinations of control types and functions. Many are provided for across the various frameworks, and yet more can be conceptualized and implemented by organizations themselves.
How Can Controls be Harmonized?
As we can infer from the above, organizations and specifically security and risk teams need to deal with hundreds of controls across multiple frameworks. With certain frameworks prescribing near identical controls, this can lead to duplication and possibly errors, in implementing and monitoring compliance. Certain frameworks may have conflicting controls. This can cause confusion and makes the collective management of security, risk, and compliance a Herculean task. The best practice is to harmonize controls across various frameworks.
In essence, harmonizing controls follows the principle of “ask once, answer many”. Instead of asking multiple teams, multiple times, simplify the process. The goal is to group same or similar controls/requirements across frameworks together, run tests, and complete compliance through a single instance, and then update the status for all such controls/requirements, collectively with a single action.
A common example of this would be the requirement to change user passwords every 90 days. This is a control prescribed by NIST 800-63b and ISO 27001, among others. In this case, the test or compliance would be carried out once, but the updating and reporting would need to be done twice, if not more.
Another common example is the need to perform risk assessments prescribed by any intermediate maturity framework. If there is no variation in the assessment scope, the assessment can be carried out only once and then updated once as well, instead of multiple, disparate updates.
Controls can be harmonized in the following ways:
- Creating a custom framework that collates and eliminates duplicate controls. According to UCF, the best way to do this would be to
- Extract Mandates: Define rules to extract mandates from various applicable frameworks.
- Map Mandates to Common Controls: Map mandates from such frameworks to common controls and when necessary create new common controls.
- Report Mapping Accuracy: Calculate the percent of match accuracy when tagging mandates and mapping them to common controls.
- Standardize Audits: Leverage a standardized structure for auditing the implementation of the common controls.
- Implementing a ready-made common controls framework
- Using a GRC solution that includes control harmonization
[To learn more about using a common controls framework, download our eBook, Simplify and Accelerate Your IT Compliance by Leveraging a Common Controls Framework.]
Ideally using a GRC solution will be complementary to creating a custom framework or implementing a common controls framework (CCF), as it breaks down silos and simplifies and consolidates the compliance and reporting activities.
MetricStream’s CyberGRC, IT Risk, and IT Compliance products come with built-in features for populating and harmonizing controls across over 100+ different cyber frameworks. To learn more, please click here to schedule a personalized demo.
On a different but connected note, at MetricStream, we anticipate Regulatory Reporting to increase significantly as a top cyber risk trend in 2023. To ensure compliance, organizations must assume the responsibility of being updated on the proposed regulations and viewing them in conjunction with frameworks and standards. Harmonizing controls as explained here, can be an essential and beneficial activity for organizations to tackle this challenge.
Check out 2023’s other Top Cyber Risk Trends. Download our eBook now.
