Control Freaks! Everything you wanted to know about…

…compliance obligations - regulations, standards, controls, internal controls & more…

Part One: Obligations and how to apply them

Video: See C1Risk’s Global Obligations Library here

In the world of security, we are all control freaks. However, it’s easy to get confused about what a control is and how to create one, and the term itself can cause confusion even among the experts (shhhh!).

Further, when you enter the wonderful world of controls, you can quickly get overwhelmed. At C1Risk, we talk about People, Process and Technology often. These “three little words” are the keys to success with those other (dreaded) three little words - Governance, Risk and Compliance.

This series of articles and videos (all linked) will help you understand how to build out your PPT to effectively maintain your compliance and sustain a program of Continuous Security, which, as we will endeavor to explain, is really your ultimate goal whether you’re implementing the “G”, the “R”, or the “C”.

External Controls or Requirements or Standards or Obligations or Regulations

First, when you hear the word “control”, what does it mean? The term is used in relation to two (some would say three) functions of information security.

1. Obligations - Regulatory, Standard, Certification - (Requirements)

Almost every business, regardless of industry, is subject to regulatory controls, to governing controls from a standard or organization, or to both. The distinction is that regulations are laid down by federal or state governing bodies, whereas standards are governed by institutions. Both can be mandatory from a compliance perspective. Some standards are simply guidelines or best practices that are not legally required, but they often become a requirement for a security program to demonstrate its effectiveness.

Due to their separate provenance, these are often framed under the terms “obligation” or “requirement”, though the latter term is usually reserved for the subset of controls inside an obligation, standard or regulation.

Indeed, many of these obligations carry hundreds, sometimes thousands, of “Control Requirements”, and regulatory oversight grows more complex and stringent year over year. The “trick” with your obligations is knowing how to apply them.

2. Internal Controls 

Internal Controls are the controls a company establishes and implements, either to meet a control requirement or to protect the organization from a risk. They reference your policies, the Obligations that regulate you, and/or the standards you follow to maintain a security certification.

At C1Risk, we always talk about maintaining Certifications, not simply achieving them.

There are three primary types of internal controls:

  1. Administrative -> Policies & procedures

  2. Technical -> Encryption, anti-virus software, vulnerability scanners, identity/authentication systems, etc.

  3. Physical -> Doors, Locks, Gates/fences, badge readers, cameras, etc.

External auditors evaluate your controls as part of the audit process. The evaluation covers how each control is implemented and whether it operates effectively, and it establishes an assurance level by validating that the control is actually in place, usually via some form of evidence request. So, internal controls are important for many reasons.

See how the C1Risk platform guides your internal control creation and implementation.

Obligation Application - Scope & Applicability

Before you leap into Regulatory Compliance or a Certification like SOC 2, CMMC or ISO 27001, understanding the scope and applicability of the controls will help you streamline your compliance program and make it more effective.

  • Knowing which Control Requirements within an Obligation actually apply to you will also save critical resources.

  • Ask: What do I have to do? What do I need to do? What don’t I need to do?

Scope

A SOC 2 report (strictly an attestation report rather than a certification, though it is commonly called one) can be limited to certain criteria among the five Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity and Privacy. Security is the only criterion that must be included. Based on your business practice and security posture, or of course what the client is asking for, you can then choose what else to cover in your SOC 2 scope.

Generally, your scope is defined by your risk management. More about that below.

Applicability

A great practice to follow comes from the international standard ISO 27001. ISO 27001 requires a Statement of Applicability (SoA): a document listing every Annex A control together with your justification for including or excluding it and its implementation status.

This is a great process for any company to go through, and it is not restricted to ISO certification. It will help you both understand and prioritize your security and compliance needs, whatever requirement you are undertaking.

Lead with RISK!

Defining scope and applicability, however, does not simply start with “list-making” in Compliance. This is where Risk Management becomes the leading engine in your process for continuous security.

From a regulatory perspective, you have requirements that you must meet as a company. Further, leadership or your clients may require you to put a security program in place to protect the business. Simply put, this is your Governance, Risk and Compliance program in the making. It is G, then R, then C for a reason: the G and, predominantly, the R should dictate your Compliance. So, before you leap into Internal Controls and control implementation, here are some interim steps to consider that will ultimately benefit you in the long term.

Do this first:

  1. Know your Assets in scope and the value of each asset, so you know what to protect and which assets need the most protection.

  2. Understand what types of risk you are facing and your company’s threshold (appetite) for risk.

These are by no means simple, overnight steps to implement, but… Remember!

Compliance is an ongoing process, not a one-time achievement. It’s not about getting the Certification or passing the Audit. It’s about maintaining the strength and effectiveness of the business and protecting your people, processes and technology from failure.

About Us...

C1Risk offers subscription-based Software and Support Services that are specifically designed for small to mid-size organizations.

Any size business can now take advantage of our subscription service to provide affordable access to cybersecurity management. 

When you subscribe to the C1Risk platform, you can build a risk-first cybersecurity program: track and value your assets, identify your risks, build your governance and compliance requirements, and manage any issues or incidents in real time on our fully automated platform with REST API integration.

Previous: Control Freaks! SOA Internal Control - Risk Register. Who’s on first?

Next: Certified? Congratulations! Now What?