Hot Topics
Security Bloggers Network 
SBN

Implementing a Common Controls Framework using Hyperproof

by Aidan Collins on December 23, 2020

What is a CCF?

A Common Controls Framework (CCF) is a comprehensive set of control requirements, aggregated, correlated and rationalized from the vast array of industry information security and privacy standards. Utilizing a CCF enables an organization to meet the requirements of these security, privacy, and other compliance programs while minimizing the risk of becoming “over controlled”.  

Why a CCF approach makes sense

Implementing a common controls framework that is focused on the unique security of your organization is an effective way to reduce the operational disruption of your organization. Focusing on security first and mapping your security-focused controls to compliance frameworks will help you comply with several security certifications, standards and regulations. Most frameworks have the same underlying security principles with minor differences in how you produce evidence and how your auditors evaluate your environment.

A common controls framework helps guide you and your auditors through existing compliance assessments. This central framework can also help you more easily identify any gaps with other frameworks that you may explore in the future. You can perform an analysis of your current control set against existing standards and avoid auditor fees for readiness assessments. This common framework helps you see your current state more accurately and allows you to easily adapt and expand into different security certifications and requirements.

What does SCF provide?

The Secure Controls Framework (SCF), which is the basis for the compliance framework crosswalks within Hyperproof, is a comprehensive catalog of controls that enables companies to design, build, and maintain secure processes, systems, and applications. The SCF addresses both cybersecurity and privacy so that these principles are “baked in” at the strategic, operational, and tactical levels. 

The SCF comprises thirty-two (32) domains that cover the high-level topics expected to be addressed by cybersecurity and privacy-related statutory, regulatory, and contractual obligations. These are the cybersecurity and privacy-related policies, standards, procedures, and other processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented as much as possible, detected, and corrected.

The SCF aims to provide cybersecurity and privacy control guidelines to organizations of any size and across any sector, helping them to implement best-practice controls to protect their data and processes and respond to evolving threats. The framework currently incorporates over 850 controls, is baselined across more than 150 regulations and standards, and is updated every few months.

Benefits to an organization of using a CCF based on the SCF

The SCF is designed to empower organizations to design, implement, and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance — we know that if you build security and privacy principles into your daily operations, complying with statutory, regulatory, and contractual obligations will come naturally.  

There are many benefits to an organization adopting a CCF based on the SCF:

  • By using a well-established baseline set of control requirements and associated controls, it allows the organization to get a headstart on optimizing the controls environment.
  • The SCF is updated frequently thus ensuring the organization remains aware of any changes to the compliance frameworks in use.
  • By leveraging a common control to meet multiple compliance requirements, an organization can be expected to  gain efficiencies in performing its current audit engagements, including SOX 404-ITGC, PCI-DSS, etc. Using the crosswalks provided by SCF, additional compliance frameworks can be assessed quickly and a more rapid implementation plan can be developed using the controls already in place.
  • Compliance fatigue should be reduced for the organization’s audit control owners and partners.  Currently, these individuals are often subjected to multiple audit requests that can often be met by the same audit evidence.
  • It provides a holistic view of the organization’s control environment as the CCF traverses the audit and compliance lines of SOX and PCI audit engagements.
  • The organization will have the ability to benchmark their control environment and identify its maturity model against other organizations. 
  • The organization can begin evaluating controls to identify suitable candidates for automation.
  • It can help the organization develop a consistent approach to performing and documenting controls across the organization and potential acquisitions. 
  • If acquisitions need to be integrated into the organization environment, a CCF provides ease of on-boarding and enables these acquisitions to come into compliance more quickly. A CCF enables the new acquisitions to inherit the existing simple and  scalable controls to reduce the overall effort to meet compliance goals.  

How to implement and manage a CCF with Hyperproof

Out of the box, Hyperproof provides a set of illustrative controls for many of the most commonly used security and privacy compliance frameworks, including NIST-CSF, PCI-DSS, ISO 27001, and many others. These controls are linked to program requirements providing a quick start approach for many organizations.  

For organizations who already have existing controls in place, it’s quite simple to edit the provided controls, add new controls, and remove superfluous ones. As requirements across frameworks are linked within the SCF model, all changes to controls will still map across frameworks, significantly reducing the risk of duplicate controls.

Within Hyperproof, all controls are defined once…

The control dashboard for Hyperproof, to use for common control frameworks.

…and are linked to multiple requirements across multiple frameworks.

A Hyperproof control in NIST, to use for common control frameworks.

As changes are made to the details of controls, or new framework requirements are added, the application includes an option to select which controls should be linked to new requirements  from suggestions based on the provided crosswalks.

Linking additional controls to a program in Hyperproof, used for common control frameworks.

Additionally, as new frameworks are assessed and eventually operationalized, the “Jumpstart” feature provides a quick view into how the existing control environment meets the requirements of these new frameworks.

The program dashboard in Hyperproof, used for common control frameworks.

Hyperproof also quickly shows how “efficient” the control environment is by highlighting which controls are linked to more than one program requirement. This can help focus analyst efforts on increasing the percentage of controls that meet multiple requirements.

The dashboard can easily show controls with more than one link.

The dashboard reporting features of Hyperproof allow the organization to quickly see the compliance status against the requirements of a single compliance framework…

Hyperproof's dashboard for PCI showing a common control framework.

…as well as across all the frameworks currently operationalized across the organization.

Hyperproof's dashboard that shows all framework's status on one page.

Learn more about how to implement a Common Control Framework using Hyperproof.

sign up for a personalized demo ›

The post Implementing a Common Controls Framework using Hyperproof appeared first on Hyperproof.

*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Aidan Collins. Read the original post at: https://hyperproof.io/resource/common-controls-framework/

Aidan Collins ,

Secure Guardrails