Photo by Markus Spiske on Unsplash

Tips to Build Robust Cyber Controls and Achieve Control Harmonization
by Raghuram Srinivas, Senior Vice President Product Management, MetricStream

Cyber risk and resilience are top challenges for businesses today. Decision makers agree that adopting the proper cyber framework and establishing solid controls to manage cyber risks and build cyber resilience is imperative. However, this is just the first step. The constantly changing cyber risk environment ensures that CISOs and security teams are always on edge. Without paying close attention to picking the right cyber controls and ensuring they harmonize across frameworks, achieving cyber resilience will remain elusive. 

Following are a few tips on how to implement and harmonize cyber controls. 

Pick the Right Cyber Framework

The first step is to pick the right cyber framework. How? Start by understanding how they are classified.

A cyber framework is a system of guidelines, standards, and best practices to manage risks emerging in the digital world. The aim is to enable IT/cyber risk and security managers with a reliable and organized way to identify, prioritize, and alleviate cyber risk, regardless of how complex the landscape is. 

These frameworks are classified into three categories – Control Frameworks (NIST 800-53, CIS Controls), Program Frameworks (ISO 27001, NIST CSF), and Risk Frameworks (NIST 800-39, ISO 27005, FAIR). Of these, cyber risk management forms one dedicated category. 

Frameworks can also be classified by their applicability. Mandatory Frameworks must be implemented and complied with, depending on the region or sector of operations. For example, GDPR is mandated for all companies operating in the EU region, and PIPEDA is required for private-sector companies operating in Canada. Optional Frameworks are provided as guidelines but are not necessarily mandatory (ISO 27001, CIS, FAIR).

Some frameworks may completely fit into one of the above categories, while others may have overlaps between the three categories. 

Even for seasoned cyber risk management professionals, this is a challenge. The best way to start is by determining three aspects. First, in which regions are you conducting business? Second, which industry does your business address? Finally, what is the current maturity level of the cyber risk management program? Once a baseline framework is selected, specifics such as business objectives, potential threats, existing policies, treatment procedures, and budget resources should be considered to determine additional framework requirements. 

Pick the Right Set of Cyber Controls

Safeguards or countermeasures shield organizations from attacks, breaches, and threats. Implementing them proactively can also save resources and cost. Controls can be categorized by their type or nature and by the function they perform. 

By type, controls are classified as follows. Administrative/Managerial Controls are policies and procedures that offer structure and guidance to individuals. Technical/Logical Controls restrict access to systems or data through hardware or software, such as encryption, fingerprint readers, authentication, and AuthCodes. Physical Controls reduce physical access to systems and act as offline barriers. Operational Controls involve people carrying out processes day to day, such as awareness training, asset classification, and scrutinizing log files.

Controls can also be classified by function. Deterrent Controls discourage threats from attempting to exploit a vulnerability, such as policy punishments and law/order. Detective Controls alert on deviations from the status quo, such as video surveillance, intrusion detection systems, and honeypots. Preventative Controls avert or restrict certain activities, unauthorized system access, and data alteration. Corrective Controls move a system from one state to another and include patching a system, quarantining a virus, or terminating a process. Recovery Controls help restore something after a loss, such as recovering a hard drive.

The Final Step – Harmonizing Controls

It is clear from the above examples that security and risk teams must manage a host of controls across numerous frameworks. Since different frameworks may prescribe almost identical controls, duplication and errors in implementing and monitoring compliance are likely. On the other hand, some frameworks may also have conflicting controls. This can lead to confusion, making the overall management of security, risk, and compliance a formidable task. The best practice is to harmonize controls across the various frameworks. 

To do this, organizations must develop a custom framework that organizes controls and eliminates duplicates. They first need to specify rules to extract mandates from the various applicable frameworks. They then need to map mandates from those frameworks to common controls and create new common controls where required. After this, they must calculate match accuracy when tagging mandates and mapping them to common controls. Finally, they need to set a standardized structure for auditing the implementation of the common controls. 
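As an added illustration of the four harmonization steps above (example code, not code from the article or from any MetricStream product), the Python sketch below extracts mandates from two constructed placeholder frameworks, maps each mandate to the best-matching common control by token overlap, records the match accuracy as a Jaccard score, and creates a new common control where nothing matches well enough. The framework text, mandate IDs, stopword list and the 0.5 threshold are all assumptions.

```python
import re

# Constructed sample frameworks (placeholders, not real framework content).
SAMPLE_FRAMEWORKS = {
    "FW-A": """
A-1 Encrypt data at rest using approved algorithms
A-2 Review access rights quarterly
""",
    "FW-B": """
B-1 Data at rest must be encrypted with approved algorithms
B-2 Maintain an inventory of hardware assets
""",
}
STOPWORDS = {"the", "of", "and", "to", "a", "an", "at", "for", "all", "be",
             "must", "shall", "is", "are", "with", "on", "using"}

def tokens(text):
    """Keyword set for a mandate; stopwords removed so overlap is meaningful."""
    return {w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS}

def extract_mandates(framework, text):
    """Step 1: extraction rule - one mandate per line, '<id> <requirement text>'."""
    mandates = []
    for line in text.strip().splitlines():
        m = re.match(r"\s*(\S+)\s+(.*)", line)
        if m:
            mandates.append((f"{framework}:{m.group(1)}", tokens(m.group(2))))
    return mandates

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def harmonize(frameworks, threshold=0.5):
    """Steps 2-3: map each mandate to a common control, tagging it with the
    match accuracy; create a new common control when the best match is weak."""
    common = []  # each: {"id", "tokens", "mandates": {mandate_id: accuracy}}
    for fw, text in frameworks.items():
        for mid, toks in extract_mandates(fw, text):
            best, score = None, 0.0
            for c in common:
                s = jaccard(toks, c["tokens"])
                if s > score:
                    best, score = c, s
            if best is None or score < threshold:
                best = {"id": f"CC-{len(common) + 1}", "tokens": set(toks), "mandates": {}}
                common.append(best)
                score = 1.0  # the mandate that defines a control matches it exactly
            best["mandates"][mid] = round(score, 2)
            best["tokens"] |= toks  # widen the control's vocabulary for later matches
    return common

def duplicates(common):
    """Common controls that absorbed mandates from more than one source."""
    return [c["id"] for c in common if len(c["mandates"]) > 1]
```

Running `harmonize(SAMPLE_FRAMEWORKS)` merges the two encryption mandates into one common control with a 0.67 match accuracy for the second and leaves the other two mandates as separate controls; step 4 (the audit structure) would hang off the `mandates` map of each common control.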

Leveraging a GRC solution to implement a ready-made common controls framework helps. It breaks down silos and simplifies and consolidates compliance and reporting activities. Ideally, a GRC solution complements creating a custom framework or implementing a common controls framework (CCF). 

Regulatory Reporting is expected to increase significantly in 2023. Organizations must stay updated on the proposed regulations while viewing them in conjunction with frameworks and standards to ensure compliance. Having the right cyber frameworks and harmonizing controls across those frameworks will go a long way in ensuring business resilience.
