Implementing a Common Controls Framework using Hyperproof
What is a CCF?
A Common Controls Framework (CCF) is a comprehensive set of control requirements, aggregated, correlated and rationalized from the vast array of industry information security and privacy standards. Utilizing a CCF enables an organization to meet the requirements of these security, privacy, and other compliance programs while minimizing the risk of becoming “over controlled”.
Why a CCF approach makes sense
Implementing a common controls framework that is focused on the unique security needs of your organization is an effective way to reduce operational disruption. Focusing on security first and mapping your security-focused controls to compliance frameworks will help you comply with several security certifications, standards and regulations. Most frameworks share the same underlying security principles, with minor differences in how you produce evidence and how your auditors evaluate your environment.
A common controls framework helps guide you and your auditors through existing compliance assessments. This central framework can also help you more easily identify any gaps with other frameworks that you may explore in the future. You can perform an analysis of your current control set against existing standards and avoid auditor fees for readiness assessments. This common framework helps you see your current state more accurately and allows you to easily adapt and expand into different security certifications and requirements.
What does SCF provide?
The Secure Controls Framework (SCF), which is the basis for the compliance framework crosswalks within Hyperproof, is a comprehensive catalog of controls that enables companies to design, build, and maintain secure processes, systems, and applications. The SCF addresses both cybersecurity and privacy so that these principles are “baked in” at the strategic, operational, and tactical levels.
The SCF comprises thirty-two (32) domains that cover the high-level topics expected to be addressed by cybersecurity and privacy-related statutory, regulatory, and contractual obligations. These are the cybersecurity and privacy-related policies, standards, procedures, and other processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented as much as possible, detected, and corrected.
The SCF aims to provide cybersecurity and privacy control guidelines to organizations of any size and across any sector, helping them to implement best-practice controls to protect their data and processes and respond to evolving threats. The framework currently incorporates over 850 controls, is baselined across more than 150 regulations and standards, and is updated every few months.
Benefits to an organization of using a CCF based on the SCF
The SCF is designed to empower organizations to design, implement, and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance — we know that if you build security and privacy principles into your daily operations, complying with statutory, regulatory, and contractual obligations will come naturally.
There are many benefits to an organization adopting a CCF based on the SCF:
- By using a well-established baseline set of control requirements and associated controls, the organization gets a head start on optimizing its control environment.
- The SCF is updated frequently, ensuring the organization remains aware of any changes to the compliance frameworks in use.
- By leveraging a common control to meet multiple compliance requirements, an organization can be expected to gain efficiencies in performing its current audit engagements, including SOX 404-ITGC, PCI-DSS, etc. Using the crosswalks provided by SCF, additional compliance frameworks can be assessed quickly and a more rapid implementation plan can be developed using the controls already in place.
- Compliance fatigue should be reduced for the organization’s audit control owners and partners. Currently, these individuals are often subjected to multiple audit requests that can be met by the same audit evidence.
- It provides a holistic view of the organization’s control environment, because a single CCF spans the audit and compliance scopes of both SOX and PCI engagements.
- The organization will be able to benchmark its control environment and identify its maturity level relative to other organizations.
- The organization can begin evaluating controls to identify suitable candidates for automation.
- It can help the organization develop a consistent approach to performing and documenting controls across the organization and potential acquisitions.
- If acquisitions need to be integrated into the organization’s environment, a CCF eases onboarding and enables these acquisitions to come into compliance more quickly. A CCF lets new acquisitions inherit the existing simple and scalable controls, reducing the overall effort to meet compliance goals.
How to implement and manage a CCF with Hyperproof
Out of the box, Hyperproof provides a set of illustrative controls for many of the most commonly used security and privacy compliance frameworks, including NIST-CSF, PCI-DSS, ISO 27001, and many others. These controls are linked to program requirements, providing a quick-start approach for many organizations.
For organizations that already have existing controls in place, it’s quite simple to edit the provided controls, add new controls, and remove superfluous ones. Because requirements across frameworks are linked within the SCF model, all changes to controls will still map across frameworks, significantly reducing the risk of duplicate controls.
Within Hyperproof, all controls are defined once and are linked to multiple requirements across multiple frameworks.
As changes are made to the details of controls, or new framework requirements are added, the application includes an option to select which controls should be linked to new requirements from suggestions based on the provided crosswalks.
Additionally, as new frameworks are assessed and eventually operationalized, the “Jumpstart” feature provides a quick view into how the existing control environment meets the requirements of these new frameworks.
Hyperproof also quickly shows how “efficient” the control environment is by highlighting which controls are linked to more than one program requirement. This can help focus analyst efforts on increasing the percentage of controls that meet multiple requirements.
The dashboard reporting features of Hyperproof allow the organization to quickly see the compliance status against the requirements of a single compliance framework, as well as across all the frameworks currently operationalized across the organization.
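The define-once, link-many model, the Jumpstart gap view and the control efficiency measure described above can be illustrated with a small crosswalk. This is an added example and not Hyperproof or SCF code; the control identifiers, requirement identifiers and framework catalogues are constructed for illustration.

```python
# Added example (not Hyperproof/SCF code): a minimal common-controls crosswalk.
# One control is defined once and linked to requirements in several frameworks;
# from that mapping we derive per-framework coverage (gaps) and control efficiency.
from collections import defaultdict

# Constructed crosswalk: control -> requirements as "FRAMEWORK:ReqID".
CROSSWALK = {
    "CTL-ACCESS-01": ["ISO27001:A.9.2.1", "PCI-DSS:8.1", "NIST-CSF:PR.AC-1"],
    "CTL-LOGGING-01": ["ISO27001:A.12.4.1", "PCI-DSS:10.1", "NIST-CSF:DE.CM-1"],
    "CTL-BACKUP-01": ["ISO27001:A.12.3.1"],
    "CTL-ENCRYPT-01": ["PCI-DSS:3.4"],
}

# Constructed requirement catalogues: what each framework expects to see covered.
FRAMEWORKS = {
    "ISO27001": ["A.9.2.1", "A.12.4.1", "A.12.3.1", "A.8.1.1"],
    "PCI-DSS": ["8.1", "10.1", "3.4", "1.1"],
    "NIST-CSF": ["PR.AC-1", "DE.CM-1", "RS.MI-1"],
}

def requirements_met(controls):
    """Return {framework: set(req_id)} covered by the implemented controls."""
    covered = defaultdict(set)
    for ctl in controls:
        for ref in CROSSWALK.get(ctl, []):
            framework, req = ref.split(":", 1)
            covered[framework].add(req)
    return covered

def jumpstart(controls, framework):
    """Gap analysis for one framework: (coverage ratio, sorted unmet requirements)."""
    required = set(FRAMEWORKS[framework])
    met = requirements_met(controls).get(framework, set()) & required
    gaps = sorted(required - met)
    return len(met) / len(required), gaps

def efficiency(controls):
    """Fraction of controls that satisfy more than one program requirement."""
    multi = [c for c in controls if len(CROSSWALK.get(c, [])) > 1]
    return len(multi) / len(controls) if controls else 0.0

if __name__ == "__main__":
    implemented = list(CROSSWALK)
    for fw in FRAMEWORKS:
        ratio, gaps = jumpstart(implemented, fw)
        print(f"{fw}: {ratio:.0%} covered, gaps={gaps}")
    print(f"efficiency: {efficiency(implemented):.0%}")
```

Adding a control to CROSSWALK with several framework references raises coverage in every linked framework at once, which is the effect the text describes when a single control is linked to multiple requirements.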
Aidan Collins is the Head of Professional Services at Hyperproof, the leading provider of compliance operations software solutions. In this role, he works with organizations to operationalize the complex requirements of a range of compliance frameworks, including those from NIST and ISO. Aidan has built and led professional services teams at organizations including Deloitte, PwC and Bain. He has well over 30 years of experience in all aspects of security risk management, compliance and IT assurance and has helped organizations across a range of industries improve the effectiveness and efficiency of their business processes and risk management functions. In addition, Aidan is an experienced Board Member and advisor to senior management bringing both strategic insight and a controls mindset to enhance board performance and organizational success.