Mark
Security controls mapping

Hello,

We just started working on our compliance program and I am looking to create a process for continuous mapping of the security controls and systems.

I am looking for an example process or a feedback on what would be a good start. We would like to start simple and then expand down the road.

Thanks!
btan

The NIST Cybersecurity Framework looks good for you as a starter, and it is a well-accepted benchmark that organisations (big or small) adopt. They are not all a tall order, but are a good reminder of the baseline hygiene that we must not neglect. It serves more than just compliance, which you may go with first to start simple, and thereafter preach the security-by-design and defence-in-depth principles to move up a maturity ladder. That helps the management visualise where they are, where they should be moving and ultimately where they can end, and start another security journey. The key is to have a security plan to bring the engagement further than just compliance with policies. Build the tactical, strategic and operational aspects into the security programme.

CSF
- main https://www.nist.gov/cyberframework
- (pdf) https://doi.org/10.6028/NIST.CSWP.04162018
An organization can use the Framework as a key part of its systematic process for identifying, assessing, and managing cybersecurity risk. The Framework is not designed to replace existing processes; an organization can use its current process and overlay it onto the Framework to determine gaps in its current cybersecurity risk approach and develop a roadmap to improvement. Using the Framework as a cybersecurity risk management tool, an organization can determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.

The Framework is designed to complement existing business and cybersecurity operations. It can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing program. The Framework provides a means of expressing cybersecurity requirements to business partners and customers and can help identify gaps in an organization’s cybersecurity practices. It also provides a general set of considerations and processes for considering privacy and civil liberties implications in the context of a cybersecurity program.

The Framework can be applied throughout the life cycle phases of plan, design, build/buy, deploy, operate, and decommission. The plan phase begins the cycle of any system and lays the groundwork for everything that follows.

Making The RIGHT Security
- https://www.experts-exchange.com/articles/31709/Making-The-RIGHT-Security.html
What is a good security plan
- https://www.experts-exchange.com/articles/17367/What-is-a-good-Security-Action-Plan.html
Doing Right Security - Compliance by Design or Security by Design?
- https://www.experts-exchange.com/articles/15679/Doing-Right-Security-Compliance-by-Design-or-Security-by-Design.html
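The "overlay your current process onto the Framework to determine gaps" idea above, and the asker's wish for continuous mapping of controls to systems, can be made concrete with a small script. What follows is an added example, not code from the thread, from btan, or from NIST: it keeps a hypothetical internal control catalogue mapped to CSF 1.1 subcategory identifiers (the identifiers such as ID.AM-1 and PR.AC-1 are real CSF 1.1 subcategories; which internal control satisfies which one is this example's assumption), a constructed system inventory, and computes per-system coverage, gaps grouped by CSF function, unknown control references, and regressions between two snapshots so the check can run on a schedule.

```python
"""Toy continuous control-mapping check: internal controls -> CSF subcategories -> systems.

Added example with constructed data: control IDs, system names and the
control-to-subcategory mapping are assumptions, not a real organisation's catalogue.
"""
from collections import defaultdict

# Hypothetical internal control catalogue mapped to NIST CSF 1.1 subcategory IDs.
# The subcategory IDs are real CSF 1.1 identifiers; the mapping itself is assumed.
CONTROL_TO_CSF = {
    "CTRL-ASSET-INV": ["ID.AM-1"],             # asset inventory maintained
    "CTRL-MFA":       ["PR.AC-1", "PR.AC-7"],  # credential management, authentication
    "CTRL-DISK-ENC":  ["PR.DS-1"],             # data at rest protected
    "CTRL-NET-MON":   ["DE.CM-1"],             # network monitored for events
    "CTRL-IR-PLAN":   ["RS.RP-1"],             # response plan executed
}

# Baseline every in-scope system must meet: every subcategory the catalogue can cover.
REQUIRED = sorted({sub for subs in CONTROL_TO_CSF.values() for sub in subs})

# Constructed system inventory: system name -> control IDs confirmed as implemented.
SYSTEMS = {
    "hr-db": {"CTRL-ASSET-INV", "CTRL-MFA", "CTRL-DISK-ENC", "CTRL-NET-MON", "CTRL-IR-PLAN"},
    "web-portal": {"CTRL-ASSET-INV", "CTRL-NET-MON"},
    "legacy-fileserver": {"CTRL-TYPO"},        # references a control not in the catalogue
}


def csf_function(subcategory):
    """'PR.AC-1' -> 'PR' (the CSF function the subcategory belongs to)."""
    return subcategory.split(".", 1)[0]


def covered_subcategories(controls):
    """Subcategories satisfied by a set of control IDs; unknown IDs are reported, not ignored."""
    covered, unknown = set(), set()
    for ctrl in controls:
        if ctrl in CONTROL_TO_CSF:
            covered.update(CONTROL_TO_CSF[ctrl])
        else:
            unknown.add(ctrl)
    return covered, unknown


def system_gaps(controls, required=None):
    """Sorted list of required subcategories the given controls do not cover."""
    required = REQUIRED if required is None else required
    covered, _ = covered_subcategories(controls)
    return sorted(set(required) - covered)


def gap_report(systems=None):
    """Per-system coverage percentage, gaps grouped by CSF function, unknown control IDs."""
    systems = SYSTEMS if systems is None else systems
    report = {}
    for name, controls in systems.items():
        covered, unknown = covered_subcategories(controls)
        gaps = system_gaps(controls)
        by_function = defaultdict(list)
        for sub in gaps:
            by_function[csf_function(sub)].append(sub)
        report[name] = {
            "coverage_pct": round(100 * len(covered & set(REQUIRED)) / len(REQUIRED), 1),
            "gaps": gaps,
            "gaps_by_function": dict(by_function),
            "unknown_controls": sorted(unknown),
        }
    return report


def regressions(previous, current):
    """Systems whose gap set grew between two report snapshots (the 'continuous' part)."""
    out = {}
    for name, entry in current.items():
        before = set(previous.get(name, {}).get("gaps", []))
        new = sorted(set(entry["gaps"]) - before)
        if new:
            out[name] = new
    return out


if __name__ == "__main__":
    for system, entry in gap_report().items():
        print(system, entry)
```

Run on a schedule, persist the previous report (JSON is enough), and alert only on what `regressions` returns; the unknown-control list catches drift between the inventory and the catalogue, which is the usual way such mappings silently rot.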