Why Where You Put Security Controls Is More Important Than Which Controls You Put On A Compliance Checklist

Where to put security controls and how to design them is more important than which controls you put on a compliance checklist. Identifying and prioritizing key security controls, however, is part art and part science.
By defining key controls based on cyber risks (translated into business risks), an organization can more easily right-size its control set and adapt it to its own needs. Information security risk assessment processes that run in near real time, gated by a change control process, provide continuous feedback on whether the controls within an organization are sufficient.
Cyber Risk: Any information technology risk attributable to a malicious external actor. The means of attack may be opportunistic or targeted. It
In addition, many traditional approaches to security risk management leave security practitioners describing risks as missing controls. This is because they rely solely on controls frameworks as the basis for baselining mitigating controls.
Also, a compliance-based controls approach tends to be narrowly scoped and relevant for only a certain type of information, such as protected health information (PHI) or credit card account numbers (the data in scope for PCI). Cyber threats change daily, and relying solely on compliance frameworks will leave critical assets vulnerable to attack.

ISO 31000 Risk Management Standard
ISO 31000 describes a framework for implementing risk management. As ISO 31000 depicts, it’s essential to manage your cybersecurity program within a continually improving risk management oversight wrapper.
ISO 31000:2009 - Framework for Managing Risk
Make information security risk management an integral part of your organization’s management cadence. Emphasize the need to communicate and consult with both external and internal stakeholders, while continuously monitoring and reviewing your organization’s risks (including linkage with Security Operations Center playbooks and CSIRT response scenarios).
The Art of Cyber Risk Prioritization
Controls everywhere isn’t pragmatic – and this approach would be too expensive! However, Boards of Directors are looking for evidence that cyber security risks are being proactively identified and addressed. The National Association of