3. Module-Specific Catalogues Settings

Other catalogues are more module-specific, tailored to areas such as Policy, Risk, System, or Third Party modules.

Policy Modules Catalogs

Control Function

The "NIST - Controls Functions" catalog provides a structured approach to managing cybersecurity risks by categorizing the primary functions of security controls.

Control Types

The "ISO Control Types" catalog delineates the types of controls defined by ISO standards, classified according to their function in managing security risks.

Information Security Properties

The "Information Security Properties" catalog defines the key properties that safeguard information within an organization, ensuring data is managed securely and effectively.

Maturity Levels

The "CMM" catalog details various Capability Maturity Model (CMM) frameworks, guiding organizations to choose the appropriate framework tailored to their specific needs.

Operational Capabilities

The "ISO - Operational Capabilities" catalog organizes operational capabilities as defined by ISO standards, supporting comprehensive security and governance frameworks.

Periodicity Review Options

The "Periodicity Review Options" catalog details the frequencies at which various organizational processes or controls are reviewed and assessed.

Privacy Control Function

The "NIST - Privacy Controls Functions" catalog outlines the core functions of privacy controls, emphasizing their role in protecting personal information within organizational processes.

Security Control Baseline

The "Security Control Baseline" catalog provides a foundational structure for security controls, setting benchmarks for different levels of security implementation.

Security Domains

The "ISO - Security Domains" catalog segments security measures into major domains as defined by ISO standards, helping organizations to structure and prioritize their security efforts.


Risk Modules Catalogs

Business Attributes

The "Business Attributes" catalog (SABSA) lists essential qualities and characteristics that define the organization's security needs and objectives. These attributes are derived from assessing business risks and are used to ensure that all security measures align effectively with business drivers. This catalog is instrumental in guiding the design, implementation, and management of the organization’s security architecture, ensuring it supports and enhances the overall business strategy.

Business Drivers for Security

The "Business Drivers for Security" catalog outlines the fundamental reasons and motivations behind the security strategies and measures implemented within an organization. It identifies and documents the key business objectives and requirements that dictate the need for specific security practices. This catalog serves as a bridge between the organization’s strategic business goals and its security operations, ensuring that all security efforts are directly linked to enhancing business value, protecting systems, and facilitating business continuity.

Business Goals and Objectives

The "Business Goals and Objectives" catalog is a structured collection of strategic outcomes that an organization aims to achieve. Its primary purpose is to ensure that every aspect of the security architecture is directly aligned with these goals. This alignment enables the organization to efficiently achieve its objectives while maintaining robust security, compliance, and risk management standards. It serves as a foundational component that connects business strategy with security operations, ensuring that security practices not only protect the organization but also facilitate its strategic business initiatives.

Business Goals and Objectives Timelines

The "Business Goals and Objectives - Timelines" catalog categorizes all business goals and objectives based on their expected timelines for completion. It serves as a vital planning tool to align security measures and resource deployment with the scheduled timing of these strategic initiatives.

Data State Options

The "Data State Options" catalog outlines the various states of data, from storage to transmission.

Impact Types

The "Impact Types" catalog categorizes the types of impacts an organization may face, aiding in risk assessment and mitigation planning.

Plan Types

The "Plan Types" catalog organizes plans into Strategic, Tactical, and Operational categories, guiding organizations from high-level goal setting and mid-term objectives to daily operations management, facilitating cohesive and targeted execution across all levels.

Project Phase Levels

The "Project Phase Levels" catalog outlines the key phases of a project, from initiation to execution, with a focus on integrating cybersecurity risk assessments at each stage. It emphasizes the importance of aligning security measures with project goals and detailed plans, ensuring a secure foundation during initiation and safeguarding progress during execution.

Request Priority Levels

The "Request Priority Levels" catalog categorizes requests by their urgency level. Each priority level indicates the required response time and the potential impact of delays, helping to prioritize tasks and ensure that resources are allocated effectively to address the most urgent needs and minimize operational risks.

Risk Categories

The "Risk Categories" catalog organizes and details the different types of risks that organizations face. This catalog aids in identifying, assessing, and prioritizing risks to facilitate more effective risk management and mitigation strategies.

Risk Origins

The "Risk Origins" catalog categorizes the source or nature of risks, providing foundational insights for risk assessment and mitigation strategies.

Threat Actions

The "Threat Actions" catalog classifies types of threat actions based on a standardized taxonomy, aiding in the structured analysis and response planning for diverse security threats.

Threat Actor Motivations

The "Threat Actor Motivations" catalog identifies the underlying motivations driving threat actors.

Threat Actors

The "Threat Actors" catalog classifies the origin of cybersecurity threats based on their source or association, such as external, internal, or partner origins.

Threat Vectors

The "Threat Vectors" catalog categorizes the specific methods or pathways through which cybersecurity threats are initiated or propagated.

Victim Quantification

The "Victims Quantification" catalog helps in assessing the scale of potential or actual impact on personnel within an organization due to specific incidents or threats.


System Modules Catalogs

Cloud Stack Components

The "Cloud Stack Components" catalog breaks down the components of cloud computing stacks, aiding in the detailed analysis and management of cloud services.

Cloud Types

The "Cloud Types" catalog categorizes cloud services by their infrastructure models, supporting strategic planning and deployment of cloud technologies.

RPO (Recovery Point Objectives)

The "RPO - Recovery Point Objectives" catalog establishes the maximum acceptable age of the backup data necessary to resume operations after a disruption, which is essential for data recovery strategies and maintaining business continuity.

RTO (Recovery Time Objectives)

The "RTO - Recovery Time Objectives" catalog provides a framework for determining the acceptable downtime for various systems and functions within an organization, which is critical for disaster recovery and business continuity planning. This catalog is used in the "Policy", "Risk", "System" and "Third Party" modules.

Security Domains

The "ISO - Security Domains" catalog segments security measures into major domains as defined by ISO standards, helping organizations to structure and prioritize their security efforts.

System Accessibility Options

The "System Accessibility Options" catalog classifies the access levels of systems, ranging from publicly accessible to internally isolated, helping to guide security and compliance strategies based on how and where systems can be accessed.

System Criticality Options

The "Systems Criticality" catalog ranks systems by their criticality, evaluating their importance to guide prioritization and resource allocation within organizational operations.

System Hosting Options

The "System Hosting Options" catalog outlines the various hosting environments where systems can be stored and managed, ranging from internal hosting to various forms of external hosting. This catalog aids in identifying and documenting the hosting arrangements for systems, essential for managing security, compliance, and operational risks associated with different hosting environments.

System Management Options

The "System Management Options" catalog classifies system management approaches, identifying whether systems are managed within the organization or by external providers, offering a clear framework for understanding management responsibilities.

System Types

The "System Types" catalog classifies systems based on their role and function within an organization's network and operational infrastructure, supporting detailed system management and risk analysis.

System Domains

The "System Domains" catalog organizes systems into categories based on their function and relevance to IT, OT, IoT, and non-IT disciplines, facilitating targeted system management and security measures.


Third Party Modules Catalogs

Third Party IT Providers

The "Third Parties IT Providers" catalog lists the types of third-party product and service providers that may affect an organization's IT environment, helping organizations categorize and manage their external IT service and product relationships.

Third Party Tier Levels

The "Third Party Tier Levels" catalog ranks third-party relationships by their criticality to organizational operations, guiding resource allocation and management focus.

Third Party Types

The "Third Party Types" catalog segments third-party entities based on their relationship to the organization, facilitating strategic alignment and risk management.