Hello again and welcome to the HCISPP certification course with Cybrary: Identify Control Assessment Process and Procedures.
My name is Charlene Hutchins and I'll be your instructor today.
In this module, we will cover assessment procedure requirements and framework mapping
to aid in ensuring security and privacy requirements are met. Many organizations adopt control frameworks to provide a governance program that is consistent, measurable, standardized, comprehensive and modular.
Let's review each requirement.
The governance program must be consistent in how information security and privacy is approached and applied.
If two similar situations or requests result in different outcomes, stakeholders will lose faith in the integrity of the program and its usefulness.
In many larger organizations with multiple business units, it is sometimes challenging to promote a consistent risk management process across multiple BUs.
Communication must be consistent and the process must be explicitly defined.
It takes a team of people to ensure that everyone is on the same page, and additionally, some program management organizations could assist the risk management function in getting this accomplished.
The governance program must provide a way to determine progress and set goals.
Organizations who implement frameworks that can be measured are more likely to improve their security posture over time.
Most control frameworks contain an assessment standard or procedure to determine compliance and in some cases, risk as well.
One way to measure progress is to maintain metrics on the results of risk assessments that are performed.
How many corrective actions or remediation plans have been completed for the different control areas?
As activities are completed, the risk posture shifts and changes.
As trends develop, they can be utilized to help strategic leaders make more informed decisions.
As with measurable above, a controls framework should rely on standardization, so results from one organization or part of an organization can be compared in a meaningful way.
If risk assessments aren't standardized, there's no meaningful way to communicate to leaders across an organization how their risks are related and how accepting a risk in one area could potentially cause harm or create a vulnerability in another area.
A selected framework should cover the minimum legal and regulatory requirements of an organization and be extensible to accommodate additional organization-specific requirements.
Working with the legal and compliance functions of an organization can help ensure the proper legal and regulatory requirements are built into the risk management and risk assessment process.
A modular framework is more likely to withstand the changes of an organization, as only the controls or requirements needing modification are reviewed and updated.
An example of a control framework is NIST SP 800-53 Revision 4.
This is a controls framework of over 250 controls in 18 categories or families.
The framework includes the ability to scope and tailor controls to an organization's specific mission or requirements, and it is mandatory for US federal agencies and their contractors.
Like NIST SP 800-53, ISO 27001 is designed to cover organizations of all sizes and types.
Annex A of ISO 27001 contains the controls framework with objectives and specifics about each control.
Now, as you remember, we discussed in a previous module that ISO is a global framework that's been adopted by numerous industries in most countries.
Frameworks often map to each other. For example, NIST 800-53 has been mapped to the ISO 27001 standard.
While there is considerable overlap, there are some areas that are not an exact fit.
The following chart is just a sample of control framework comparisons.
Let's do a knowledge check.
When similar situations have different outcomes,
that means the assessment process is not what?
True or false: A framework that is measurable improves the security posture over time.
That answer is true.
True or false: A [inaudible] framework is more likely to withstand changes of an organization.
That answer is false. The correct answer is that a modular framework will withstand changes of an organization.
So today we covered assessment procedure requirements and framework mapping. Stay tuned for the next video.