Hierarchical & Scalable Cybersecurity Documentation
How scalable, hierarchical cybersecurity and privacy documentation is meant to be structured.

Human nature is the mortal enemy of unclear documentation since people will not take the time to read something if it is unclear or difficult to navigate. An ignorant or ill-informed workforce entirely defeats the premise of having the documentation in the first place. Therefore, if the goal is to be “audit ready” with documentation, then having poorly-worded documentation is misguided, since excessive prose that explains concepts ad nauseam in paragraph after paragraph makes it very hard for the average employee to understand the exact requirements. That can lead to gaps in compliance from an ill-informed workforce who do not understand the organization's requirements.

Why Is Concise & Scalable Documentation Important?

An indicator of a well-run governance program is the implementation of hierarchical documentation, since governance is built on words. Beyond just using terminology properly, understanding the meaning of these concepts is crucial in being able to properly implement cybersecurity and privacy governance within an organization.

Understanding the hierarchy of cybersecurity documentation can lead to well-informed risk decisions, which influence technology purchases, staffing resources and management involvement. That is why it serves both cybersecurity and IT professionals well to understand the cybersecurity governance landscape for their benefit, since it is relatively easy to present issues of non-compliance in a compelling business context to get the resources you need to do your job.

Hierarchical Documentation Makes Sense

The Hierarchical Cybersecurity Governance Framework (HCGF) is a free reference for cybersecurity and privacy professionals that is backed up by authoritative definitions (e.g., NIST, ISO, ISACA, etc.). The premise of this model is to encourage clear communication by concisely defining cybersecurity and privacy documentation components, including mappings to demonstrate how those components are linked. The HCGF identifies the primary documentation components that are necessary to demonstrate evidence of due diligence and due care.

This model visualizes the inter-connectivity of policies, control objectives, standards, guidelines, controls, assessment objectives, risks, threats, procedures & metrics. ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation in the following diagram to demonstrate the unique nature of these components, as well as the dependencies that exist:

ComplianceForge Reference Model - Integrated Controls Management (ICM)
ComplianceForge Reference Model - Hierarchical Cybersecurity Governance Framework (HCGF)

Cybersecurity, IT professionals, privacy and legal professionals routinely abuse the terms “policy” and “standard” as if these words were synonymous, when they are not!

  • Cybersecurity & data protection documentation needs to be usable – it cannot just exist in isolation. This means the documentation needs to be written clearly, concisely and in business-context language that users can understand. By doing so, users will be able to find the information they are looking for, and that will lead to cybersecurity and privacy "best practices" being implemented throughout your organization.
  • Additionally, having clearly-written and concise documentation can be “half the battle” when preparing for an audit, since it shows that effort went into the program and key requirements can be easily found.

Hierarchical Cybersecurity Governance Framework

When it comes to cybersecurity compliance, words have specific meaning and it is important to get those terms correct. In reality, these cybersecurity documentation terms have quite different implications and those differences should be kept in mind since the use of improper terminology has cascading effects that can negatively impact the internal controls of an organization.

Cybersecurity documentation is meant to be hierarchical.

Put An End To Cybersecurity Documentation "Word Crimes"

Your cybersecurity & data protection documentation is meant to address the “who, what, when, how & why” across the strategic, operational and tactical needs of your organization. Taking a deeper dive into the HCGF swimlane diagram:

Internal & External Influencers

Hierarchical cybersecurity governance starts with external influencers – these establish what is considered necessary for due diligence and due care for cybersecurity operations. These include statutory requirements (laws), regulatory requirements (government regulations) and contractual requirements (legally-binding agreements) that organizations must address. External influencers usually impose meaningful penalties for non-compliance.

  • External Influencers are often nonnegotiable and are the primary source for defining the need for a policy; they also provide scoping for control objectives. These influencers include statutory (laws), regulatory (regulations) and contractual obligations.
  • Internal Influencers focus on management’s desire for consistent, efficient and effective operations. These influencers include other corporate policies, directives from the Board of Directors and other internal drivers (e.g., business strategy, budget constraints, quality targets, etc.).

Policies

Policies are high-level statements of management intent from an organization’s executive leadership that are designed to influence decisions and guide the organization to achieve the desired outcomes. Policies are enforced by standards and further implemented by procedures to establish actionable and accountable requirements.

Policies are a business decision, not a technical one. Technology determines how policies are implemented. Policies usually exist to satisfy an external requirement (e.g., law, regulation and/or contract).

Control Objectives

Control Objectives are targets or desired conditions to be met. These are statements describing what is to be achieved as a result of the organization implementing a control, which is what a Standard is intended to address.

Where applicable, Control Objectives are directly linked to an industry-recognized secure practice to align cybersecurity and privacy with accepted practices. The intent is to establish sufficient evidence of due diligence and due care to withstand scrutiny.

Standards

Standards are mandatory requirements regarding processes, actions and configurations that are designed to satisfy Control Objectives. Standards are intended to be granular and prescriptive to ensure systems, applications and processes are designed and operated to include appropriate cybersecurity and privacy protections.

Guidelines / Supplemental Guidance

Guidelines are recommended practices that are based on industry-recognized secure practices. Guidelines help augment Standards when discretion is permissible. Unlike Standards, Guidelines allow users to apply discretion or leeway in their interpretation, implementation, or use.

Controls

Controls are technical, administrative or physical safeguards. Controls are the nexus used to manage risks by preventing, detecting or lessening the ability of a particular threat to negatively impact business processes. Controls directly map to standards, since control testing is designed to measure specific aspects of how standards are actually implemented.

The Secure Controls Framework (SCF) fits into this model by providing the necessary cybersecurity and privacy controls an organization needs to implement to stay both secure and compliant.

Assessment Objectives (AOs)

AOs are a set of determination statements that express the desired outcome for the assessment of a Control. AOs are the authoritative source of guidance for assessing controls to generate evidence to support the assertion that the underlying Control has been satisfied.

Procedures

Procedures are a documented set of steps necessary to perform a specific task or process in conformance with an applicable standard. Procedures help address the question of how the organization actually operationalizes a policy, standard or control. Without documented procedures, there can be no defensible evidence of due care practices.

Procedures are generally the responsibility of the process owner / asset custodian to build and maintain but are expected to include stakeholder oversight to ensure applicable compliance requirements are addressed. The result of a procedure is intended to satisfy a specific control. Procedures are also commonly referred to as “control activities.”
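The Policies through Procedures sections above describe a chain of dependencies: control objectives satisfy policies, standards satisfy control objectives, controls map to standards, and procedures operationalize controls. The following is an added example, not code from the article or from ComplianceForge, of a small linter that checks a documentation inventory for broken links in that chain (a component pointing at the wrong layer or at a component that does not exist) and for gaps that would leave no evidence of due care (a control with no procedure, or a standard with no control testing it). The component identifiers, the `Component` record and the `find_gaps` function are all assumptions made up for the example; the sample inventory is constructed.

```python
# Added example: a linter for the policy -> control objective -> standard ->
# control -> procedure chain described in the HCGF. Not the article's own code;
# identifiers such as POL-01 / CTL-02 are constructed sample values.
from dataclasses import dataclass
from typing import Dict, List, Optional

# The layer each component kind is expected to link upward to.
PARENT_KIND = {
    "control_objective": "policy",
    "standard": "control_objective",
    "control": "standard",
    "procedure": "control",
}

# Downward expectations: a standard needs a control to test it, and a control
# needs a procedure to operationalize it (otherwise there is no evidence of due care).
REQUIRED_CHILD = {
    "standard": ("control", "standard has no control testing it"),
    "control": ("procedure", "control has no procedure operationalizing it"),
}


@dataclass(frozen=True)
class Component:
    id: str
    kind: str                     # policy, control_objective, standard, control, procedure
    parent: Optional[str] = None  # id of the component one layer up that this one satisfies


def find_gaps(components: List[Component]) -> List[str]:
    """Return a sorted list of findings describing broken or missing links."""
    by_id: Dict[str, Component] = {c.id: c for c in components}
    children_of: Dict[str, List[Component]] = {}
    findings: List[str] = []

    for c in components:
        if c.parent is not None:
            children_of.setdefault(c.parent, []).append(c)

        if c.kind == "policy":
            # Policies sit at the top of the chain; their drivers are the influencers.
            if c.parent is not None:
                findings.append(f"{c.id}: policy should not link upward to {c.parent}")
            continue

        expected = PARENT_KIND.get(c.kind)
        if expected is None:
            findings.append(f"{c.id}: unknown component kind '{c.kind}'")
            continue
        if c.parent is None:
            findings.append(f"{c.id}: {c.kind} does not link to any {expected}")
            continue

        parent = by_id.get(c.parent)
        if parent is None:
            findings.append(f"{c.id}: links to missing component {c.parent}")
        elif parent.kind != expected:
            findings.append(f"{c.id}: {c.kind} must link to a {expected}, not a {parent.kind}")

    # Downward checks: every standard needs a control, every control needs a procedure.
    for c in components:
        if c.kind in REQUIRED_CHILD:
            child_kind, message = REQUIRED_CHILD[c.kind]
            if not any(ch.kind == child_kind for ch in children_of.get(c.id, [])):
                findings.append(f"{c.id}: {message}")

    return sorted(findings)


# Constructed sample inventory: one clean chain plus several deliberate defects.
SAMPLE = [
    Component("POL-01", "policy"),
    Component("CO-01", "control_objective", "POL-01"),
    Component("STD-01", "standard", "CO-01"),
    Component("CTL-01", "control", "STD-01"),
    Component("PRC-01", "procedure", "CTL-01"),
    Component("CTL-02", "control", "STD-01"),   # no procedure -> no evidence of due care
    Component("STD-02", "standard", "POL-01"),  # skips the control objective layer; untested
    Component("PRC-02", "procedure", "CTL-99"), # points at a control that does not exist
]

if __name__ == "__main__":
    for finding in find_gaps(SAMPLE):
        print(finding)
```

Running the block on the constructed inventory reports four findings (CTL-02 without a procedure, PRC-02 pointing at a missing control, and two for STD-02). Feeding it the first five components alone yields an empty list, which is the state an auditor would expect to see for each policy in scope.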

Risks

Risks represent a situation where someone or something valued is exposed to danger, harm or loss (noun) or to expose someone or something valued to danger, harm or loss (verb).

In practical terms, a risk is associated with a control deficiency (e.g., if the control fails, what risk(s) is the organization exposed to?).

Risk is often calculated by the formula Threat × Vulnerability × Consequence in an attempt to quantify the potential magnitude of a risk instance occurring.

While it is not possible to have a totally risk-free environment, it may be possible to manage risk by:

  • Avoiding;
  • Reducing;
  • Transferring; or
  • Accepting.

Threats

Threats represent a person or thing likely to cause damage or danger (noun) or to indicate impending damage or danger (verb).

In practical terms, a threat is a possible natural or man-made event that affects control execution (e.g., if the threat materializes, will the control function as expected?).

Metrics

Metrics provide a “point in time” view of specific, discrete measurements, unlike trending and analytics that are derived by comparing a baseline of two or more measurements taken over a period of time. Analytics are generated from the analysis of metrics.

Analytics are designed to facilitate decision-making, evaluate performance and improve accountability through the collection, analysis and reporting of relevant performance related data (e.g., metrics).

Good metrics are those that are SMART (Specific, Measurable, Attainable, Repeatable and Time-dependent).

About The Author

If you have any questions about this, please feel free to reach out. You can reach the author at [email protected]. Tom Cornelius is the Senior Partner at ComplianceForge, an industry leader in cybersecurity and privacy documentation. He is also the founder of the Secure Controls Framework (SCF), a not-for-profit initiative to help companies identify and manage their cybersecurity and privacy requirements.

David Larsen

IT Audit Professional (Principal Specialist Role), CISA, CISSP (Pending)

1 year

Fantastic chart, really like the documentation and framework!

It looks good. But I would recommend you to refer to the ISO 31000 for the additional definition of Risk

Jon Bierer

CMMC Consultation & Solutions | Cloud. Security. Compliance.

1 year

Exactly

James "Mike" Judge, CISSP

AVP, CISO, Director of Security at The RiverStone Group

1 year

This is a good reference but have you considered a charter at the highest level above policies?
