Identify Control Assessment Processes and Procedures
Video Transcription
Hello again and welcome to the HCISPP certification course with Cybrary. Identify control assessment process and procedures. My name is Shalane Hutchins, and I'll be your instructor today.

In this module, we will cover assessment procedure requirements and framework mapping.

To aid in ensuring security and privacy requirements are met, many organizations adopt control frameworks to provide a governance program that is consistent, measurable, standardized, comprehensive, and modular. Let's review each requirement.

A governance program must be consistent in how information security and privacy are approached and applied. If two similar situations or requests result in different outcomes, stakeholders will lose faith in the integrity of the program and its usefulness. In many larger organizations with multiple business units, it is sometimes challenging to promote a consistent risk management process across multiple BUs. Communication must be consistent and the process must be explicitly defined. It takes a team of people to ensure that everyone is on the same page. Additionally, some program management organizations could assist the risk management function in getting this accomplished.

The governance program must provide a way to determine progress and set goals. Organizations that implement frameworks that can be measured are more likely to improve their security posture over time. Most control frameworks contain an assessment standard or procedure to determine compliance and, in some cases, risk as well. One way to measure progress is to maintain metrics on the results of risk assessments that are performed. How many corrective actions or remediation plans have been completed for the different control areas? As activities are completed, the risk posture shifts and changes. As trends develop, they can be utilized to help strategic leaders make more informed decisions.

As with measurable above, a controls framework should rely on standardization so results from one organization, or part of an organization, can be compared in a meaningful way. If risk assessments aren't standardized, there's no meaningful way to communicate to leaders across an organization how their risks are related, and how accepting a risk in one area could potentially cause harm or create a vulnerability in another area.

The selected framework should cover the minimum legal and regulatory requirements of an organization and be extensible to accommodate additional organization-specific requirements. Working with the legal and compliance functions of an organization can support ensuring the proper legal and regulatory requirements are built into the risk management and risk assessment process.

A modular framework is more likely to withstand the changes of an organization, as only the controls or requirements needing modification are reviewed and updated.

An example of a control framework is NIST SP 800-53 Revision 4. This is a controls framework of over 250 controls in 18 categories or families. The framework includes the ability to scope and tailor controls to an organization's specific mission or requirements, and is mandatory to be used for US federal agencies and their contractors.

Like NIST SP 800-53, ISO 27001 is designed to cover organizations of all sizes and types. Annex A of ISO 27001 contains the controls framework with objectives and specifics about each control. Now, as you remember, we discussed in a previous module that ISO is a global framework that's been adopted by numerous industries in most countries.

Frameworks often map to each other. For example, NIST 800-53 has been mapped to the ISO 27001 standard. While there is considerable overlap, there are some areas that are not an exact fit. The following chart is just a sample of control framework comparison.

Let's do a knowledge check. When similar situations have different outcomes, that means the assessment process is not what? [MUSIC] Consistent. Correct.

Next. True or false: A framework that is measurable improves the security posture over time. [MUSIC] That answer is true.

One more. True or false: A fixed framework is more likely to withstand changes of an organization. [MUSIC] That answer is false. The correct answer is that a modular framework will withstand changes of an organization.

Today we covered assessment procedure requirements and framework mapping. Stay tuned for the next video.