The control framework described in this document is designed to establish a robust, sustainable, risk and security control framework that reduces risk, defines the security stance, and supports the organizational policy and directives.
Executive Support and authority (Governance) is required for the creation of all controls and control activities in the control framework. Governance is initially established through policy. The Control Policies establish Governance, define Executive intent, and provide Control Owners with direction for evaluation and monitoring of controls and the delegation of roles and responsibilities.
The controls in this framework are logically designed to address areas of IT risk that require secure, auditable, and sustainable control activities. These controls, and associated control activities, are required for IT operations that can introduce risk or increase risk potential due to either the complexity of the task, or the risk associated with the introduction of changes. For example, change management and patch management are areas that can introduce risk of a security breach, or result in unscheduled downtime if changes are unauthorized, untested, or unplanned.
- Reduces IT risk through the integration of risk management practices with IT operations and services.
- Protects organizational information and data assets by integrating cybersecurity with all IT activities.
- Establishes Governance over controls through:
  a. Executive support and authorization of Control policies that define controls and control activities.
  b. Executive authorization of IT standards that support controls and control activities.
  c. Identification and assignment of Control Owners for each Control, and Custodians for all control activities.
- Continuous improvement through sustainability, requiring regular reviews and reporting on the effectiveness of control activities to Control Owners.
The framework will focus on the following controls: Risk Management, Security Management, Application Access, Change Management, Security Incident Handling and Response, Solution Acquisition and Development (DevSecOps), IT Disaster Recovery, Vulnerability Management, and Cybersecurity Awareness. The controls are not developed in a silo. Each control will require involvement of Subject Matter Experts (SMEs) from across IT including the Custodians, Service Owners, and Cybersecurity experts. This ensures that policy, standards, process and procedures are developed by experienced individuals, iteratively, and with consensus. The Control Framework is also designed so that new controls can be inserted into the framework as required and new control activities can be added to individual controls with minimal impact.
- Introduction (last update: 25/01/2025)
- Control Framework (last update: 25/01/2025)
- IT Controls (last update: 25/01/2025)
  - 3.1 Control Activities
- Governance
- Compliance
  - 5.1 Sustainability
  - 5.2 Control Automation
- Control List
  - 6.1 Potential controls
  - 6.2 Control Risks
- Control Framework Summary
- Appendix A – Control description: Application Access Control
- Appendix B – Barriers to Compliance
- Appendix C – Control Maturity
- Appendix D – Policy, Control Objective, Standard, Procedure and Guidelines
- Appendix E – Control Prioritization
- Appendix F – Periodic Review Template - Application

- Figure 1 Control Framework
- Figure 2 NIST CSF Framework Functions
- Figure 3 Policy, Standards, Controls and Procedures (ref: Compliance Forge)
- Figure 4 Policy to Guideline Pyramid (ref: Compliance Forge)
The Cybersecurity Control Framework integrates Policy, Standards, Risk and Procedures into a single structure and provides the building blocks for establishing a risk and security management program across all organizational IT operations. This document introduces general computing controls and a comprehensive set of risk based controls designed to support the implementation of a cost-effective risk and security management program. The Control framework provides the structure for achieving compliance in a logical manner and documents appropriate levels of governance for all control activities.
Figure 1 Control Framework
Policy provides the high level statements of management intent that are intended to provide direction and achieve desired outcomes of the business and executive. A set of directives should be created to establish the IT risk and security stance of an organization. Directives are what drive the need for, and creation of a control framework.
The Control Policies reinforce directives, establish governance, and ensure that risk and security is built into all IT controls. The policies are high level and define control objectives that address risk and security concerns associated with IT activities. Proactively addressing risk is the main reason for the control framework and to do this effectively means that governance, executive support and authorization for the controls must be established.
Control objectives are the statements describing the purpose of the control and ultimately the risk that is being addressed. It is the control objectives that define the requirements for specific technical standards, and the process and procedures to implement the standards.
This Control Framework aligns with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which has five key functions: Identify, Protect, Detect, Respond and Recover. These five functions provide a comprehensive view of the lifecycle for managing cybersecurity over time. Two or more of these NIST functions are identified for each control activity. NIST defines the five functions as follows:
Identify – Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Protect – Develop and implement appropriate safeguards to ensure delivery of services.
Detect – Develop and implement the appropriate activities to identify the occurrence of a Cybersecurity event.
Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
- Governance for control activities.
- Assessing and Managing Risk.
- Understanding of organizational assets.
- Cybersecurity roles and responsibilities.
All controls require one or more of the Protect, Detect, Respond and Recover functions, depending on the control focus. The controls are logically designed to address areas of risk requiring secure, repeatable, and sustainable control activities. These controls and associated control activities are needed for IT operations, especially IT operational activities that introduce risk or increase risk potential due to either the complexity of the task or the risk associated with the introduction of changes. For example, change management, patch management, and application access are all areas that introduce risk of a security breach, or downtime through unauthorized or unplanned change activities; these are therefore the areas that Risk and Security professionals and Auditors focus on.
The Control Framework is the hierarchical structure used to categorize and organize controls by areas of risk in IT Operations, Services, and tasks. The framework establishes due diligence and provides evidence of due care in addressing IT Risk and Cybersecurity.
- The Control framework defines areas of risk and logically assigns controls that are designed to treat risk through documented control objectives, control activities, roles and responsibilities.
- The Control Framework establishes governance [1] for control activities through executive authorized policy instruments. These documents provide executive support and authority for all control activities.
- The Control Policy instruments provide the Executive with the mechanism used to establish intent and to direct [2] activities associated with IT operations.
- Controls in the framework are designed to achieve cybersecurity compliance across all IT operations.
- The Control framework helps to integrate security into all IT operations.
- All controls are sustainable and provide the executive (Control Owners and Executive) with a mechanism to monitor and evaluate control activity.
Each Control in the framework consists of the following elements, read from left to right:

- The Control title column provides the title for the control in the framework, for example Change Management, Application Access, and Disaster Recovery.
- The Risk statement defines the risk associated with the lack of policy, standards, process and procedures, and is what establishes the need for the control.
- The Control number is for easy reference and identifies the control and control activity.
- The Control activities column provides a brief description of each of the control activities that will achieve the control objectives.
- The final 5 columns establish the relation between controls and the NIST Cybersecurity Framework (CSF). There are five NIST CSF functions and each control activity aligns with one or more of these functions.

[1] IT Governance helps an organization achieve desired behaviors and outcomes and stakeholder value.
[2] COBIT clearly separates Governance and Management. Evaluate, Direct and Monitor (EDM) are the governance activities associated with Controls. Governance is not management.

An effective and auditable IT control consists of more than a policy or standard statement or a process and procedure. It requires that roles and responsibilities, as well as accountability, be defined at all levels of control activity. The control is designed to be sustainable by the people that implement it through process and procedures.
Governance and sustainability therefore have to be built into each control. This is accomplished by establishing roles and responsibilities for each control activity. The Owner is accountable for the control and regularly reports on control effectiveness. The Controller is responsible for the process, and for ensuring that the control process and procedures are effective and function as designed. The Custodian is responsible for the creation and maintenance of the procedures that implement the control and for performing reviews of their control activities.