Five interrelated terms used in cybersecurity are Policies, Procedures, Standards, Guidelines, and Controls.
Policies sit at the top; standards and guidelines add detail to policies; controls are the measurable outcome of standards in use; and procedures are how those controls are implemented.
For example, ISO 27001, the broad international information security standard, is composed of 114 specific security controls.
The Cloud Controls Matrix, published by the Cloud Security Alliance (a third-party organization), is a set of standards and controls aimed directly at cloud technologies.
Controls are, in effect, specific cases and directives that can be defined and implemented to achieve a standard.
The controls framework most of our readers will encounter comes from NIST, which publishes two different sets you may run into.
NIST SP 800-53 is the general catalog of security and privacy controls for organizations.
The second is the set of cybersecurity controls for protecting CUI (Controlled Unclassified Information).
Its control families overlap somewhat with SP 800-53, with categories like access control and configuration management, but it also has unique controls such as physical and environmental protection; some controls are the same or overlap, while others are unique to one set.
NIST SP 800-63B is a separate special publication with standards and controls for password and authentication best practices.
Controls can also be broader or narrower depending on their position within the set of control families.
Controls can be complex and form a specific set of guidelines to be implemented, which leaves just one more term to discuss.
Controls are specific technical specifications and processes that must be implemented in order to adhere to standards.
A control outlines what you need to achieve, and a procedure is the specific set of steps necessary to adhere to that control.
If a policy is a destination, a standard is a route to reach that destination; a control is the turn-by-turn directions, and a procedure is how to drive that route.
You have to document which controls and which standards apply to you, which parts of your organization they apply to, which individuals in your organization are responsible for ensuring implementation, and what procedures are used to perform that implementation.
These frameworks also typically require you to document the auditing and verification of adherence to these controls and standards via procedures.
While all of this is vastly complex, a pyramid of hundreds of specific controls and the thousands of procedures that implement them, there are many ways to make things easier for your organization.
In that case, you need a dedicated platform on your side to accumulate, aggregate, and monitor all of your standards, their associated controls, and the procedures you've put in place.
This Cyber News was published on securityboulevard.com. Publication date: Fri, 26 Jan 2024 23:13:03 +0000.