7. Define Control Properties

CSFaaS encourages you to classify your controls by defining their attributes in line with international standards.

Access the Control Properties Panel

To define your control properties you need to open the control properties panel:

  • Navigate to the Policy section.

  • Locate and open the Policy where you want to add or update a control.

  • Find and open the relevant Category or Subcategory.

  • Click the Settings icon.

A drawer will appear, allowing you to edit and customise your control properties as needed.


Define or Update the Control Profile

To define or update the control profile:

  • In the Control properties drawer, navigate to the “Control Profile” section.

  • Navigate to the “Control Definition” section.

  • Edit the necessary data:

    • Control Code: Update the unique identifier for the control.
    • Control Name: Modify the name to accurately reflect the control's purpose.
    • Control Definition: Provide or update a detailed description of the control.

Define the Control Review Periodicity

Regularly reviewing security controls is essential to ensure they remain effective and relevant over time. As systems and their environments evolve, continuous monitoring of security controls allows organisations to:

  • Assess the effectiveness of controls,
  • Document changes to systems or their operational environments,
  • Analyse the security impact of those changes, and
  • Report the current security posture to organisational stakeholders.

This ongoing process aligns with the principles outlined in NIST 800-37, which emphasises the importance of continuous monitoring strategies to manage risk effectively and maintain the system's security and compliance posture.

To set the control review periodicity:

  • In the drawer, navigate to the “Control Profile” section.
  • Open the “Periodicity” section.
  • Define the periodicity by selecting one of the following options:
    • Daily
    • Weekly
    • Bi-Monthly
    • Monthly
    • Quarterly
    • Half-Yearly
    • Annually
    • Occasional
    • Undefined

Define Control Organisational Information

In the Organisational Information section, you can define or update the following:

Functional Domains

Specify the areas of the organisation that the control applies to.

Business Units

Assign the relevant business units responsible for implementing or managing the control.

Control Owner

Identify the individual or team accountable for the control.


Define Control Maturity Progress

To set control maturity, navigate to the “Weighting & Maturity” section.

Define and provide descriptions for the following:

Current Maturity Level

  • Define the Current Maturity Level: specify the current maturity level of the control, representing its existing state of implementation and effectiveness.
  • Describe the Current Maturity Level: include details about the current implementation, its effectiveness, and any limitations or gaps.

Target Maturity Level

  • Define the Target Maturity Level: the desired maturity level of the control, indicating the strategic goal for its progression.
  • Describe the Target Maturity Level: the objectives and improvements required to reach the desired level, aligned with organisational goals and compliance requirements.

Define Control Weighting

To set control weighting, navigate to the “Weighting & Maturity” section.

From there:

  • Define Control Weighting: assign a weighting to each control to prioritise its impact or importance within your organisational framework.
  • Provide Descriptions: include details explaining the rationale behind the assigned weighting, ensuring transparency and alignment with organisational priorities.


Define Control Attributes

Specify attributes as defined in the catalogues below:

Information Security Properties

This catalogue defines the core properties that underpin organisational information security, categorising them into Confidentiality, Integrity, and Availability. Each property is further detailed with specific attributes derived from the VERIS Taxonomy, enabling organisations to classify and manage information and systems securely and effectively.

This catalogue has the following attributes:

  • Confidentiality
    • Credentials
    • Bank
    • Classified
    • Copyrighted
    • Medical
    • Payment
    • Personal
    • Internal
    • System
    • Secrets
    • Unknown
    • Other
  • Integrity
    • Created account
    • Hardware tampering
    • Alter behavior
    • Fraudulent transaction
    • Log tampering
    • Misappropriation
    • Misrepresentation
    • Modify configuration
    • Modify privileges
    • Modify data
    • Software installation
    • Unknown
    • Other
  • Availability
    • Destruction
    • Loss
    • Interruption
    • Degradation
    • Acceleration
    • Obscuration
    • Unknown
    • Other

Control Functions

The "NIST - Controls Functions" catalogue categorises the primary functions of security controls, providing a structured approach to managing cybersecurity risks.

This catalogue has the following attributes:

  • Govern (GV)
  • Identify (ID)
  • Protect (PR)
  • Detect (DE)
  • Respond (RS)
  • Recover (RC)

Privacy Control Functions

The "NIST - Privacy Controls Functions" catalogue outlines the core functions of privacy controls, highlighting their role in protecting personal information within organisational processes.

This catalogue has the following attributes:

  • Identify-P (ID-P)
  • Govern-P (GV-P)
  • Control-P (CT-P)
  • Communicate-P (CM-P)
  • Protect-P (PR-P)

Security Domains

The "ISO - Security Domains" catalogue segments security measures into major domains, helping organisations structure and prioritise their security efforts.

This catalogue has the following attributes:

  • Governance and Ecosystem
  • Protection
  • Defence
  • Resilience

Control Types

The "ISO Control Types" catalogue defines control types based on their function in managing security risks, as outlined by ISO standards.

This catalogue has the following attributes:

  • Preventive
  • Detective
  • Corrective

Operational Capabilities

The "ISO - Operational Capabilities" catalogue structures operational capabilities as defined by ISO standards, supporting comprehensive security and governance frameworks.

This catalogue has the following attributes:

  • Governance
  • Asset management
  • Information protection
  • Human resource security
  • Physical security
  • System and network security
  • Application security
  • Secure configuration
  • Identity and access management
  • Threat and vulnerability management
  • Continuity
  • Supplier relationships security
  • Legal and compliance
  • Information security event management
  • Information security assurance

Control Category

The "ISO - Information Security Domains" catalogue categorises information security measures into distinct domains, as defined by ISO standards. This supports the development of targeted security strategies and governance practices.

This catalogue has the following attributes:

  • Organisational
  • People
  • Physical
  • Technical