Having confidence in the design and operation of your controls is important. NIST recommends it, your auditor will check it, and your risk posture depends on it. The only way to know if your controls are designed and operating properly is to check them, usually by performing a control assessment.
What is a control assessment?
A control assessment is the project of evaluating a set of controls for a specific purpose. What exactly that purpose is and how you evaluate each of the controls is flexible depending on your organization’s needs and goals. NIST’s definition is, as is often the case, a bit more prescriptive, though it maintains the same flexibility:
“The testing or evaluation of the controls in an information system or an organization to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security or privacy requirements for the system or the organization.” (NIST Computer Security Resource Center)
Largely, control assessments can be split into two main categories: assessments of control design and assessments of control operation. An assessment of control design looks at controls through the lens of their impact on regulatory requirements or organizational risks; the outcome is a set of adjustments to your control set so that your controls are better designed to address requirements or mitigate risks. An assessment of control operation usually involves writing tests to confirm that controls are implemented well enough to minimize errors, and it resembles an internal audit for frameworks such as SOC 1 or SOC 2.
Why should I perform control assessments?
There are several reasons to perform control assessments regularly. The most obvious might be that it’s much better to find problems with your controls’ operation and fix them before they take you by surprise on an audit report. However, being proactive about your control design and operation is even more important for keeping organizational risks under control and maintaining security, since the process helps you find and fix issues much sooner.
Control assessments are also good checkpoints before your organization launches a new product or after major organizational changes occur to keep compliance from slipping. Running an assessment of key organizational controls before a new product launch can drastically reduce the risk inherent in that launch. And, ensuring that your controls stay up-to-date with any organizational changes keeps your risk down since you can be confident that your controls are always relevant.
Control Assessments for Audit Readiness
Most auditors for SOC2 and other InfoSec compliance assessments already have procedures to evaluate controls’ design and/or operational effectiveness during the audit. Thus, it makes sense for you to do this as well to prepare for your audits. If you’re aiming to be compliant with two or more standards and have a common control set, a control assessment can also consolidate your audit preparation time and effort since you can test a control once and know that it is effective across all of the regulatory requirements.
For each control, you can organize and review all evidence generated since the start of your audit period. Look for any exceptions where your control failed to properly operate and record them to follow up on with a root cause analysis later. You might also find times where a control had been operating improperly or not at all, and can follow up on those well in advance of an actual audit.
Control Assessments for New Product Launches
Launching a new product into the market is exciting, but it can also be an inherently risk-laden event. One way to get ahead of this with as little overhead as possible is to perform an assessment of your organization’s most critical controls on that product prior to launching.
Looking through how your organization’s critical controls can be applied to a new product can help you avoid expensive problems you may not have discovered otherwise. For instance, you might find that a control doesn’t have a clear owner, or that a certain control was not implemented fully.
The Process of Control Assessments
No matter the purpose of your control assessment or if you’re evaluating control design or operation, the process of running a control assessment remains the same:
- Choose your objectives
- Select your control set
- Decide how to evaluate your controls
- Manage the project
- Track and remediate issues
Importantly, steps one and two will greatly influence step three because the way you evaluate your controls should always take into account what you’re trying to get out of the assessment (we’ll touch on exactly how in the next section). Step four is where you get into execution, assigning out each control for someone to evaluate, and following up to keep the project moving. And, finally, step five is your remediation phase where you collect and manage the issues or opportunities for improvement that emerged from your assessment.
Evaluating a Control
Evaluating control operation is straightforward: write tests that will uncover control failures, perform those tests, and report on any failures you find. Evaluating control design, however, requires understanding what makes a good control, which can differ wildly from organization to organization. There are a variety of existing frameworks for determining the quality of a control’s design, and each framework carries its own implicit idea of what a good control is. One example comes from the Institute of Internal Auditors – Australia and includes the following factors, which we have summarized below:
| Factor | Question | Notes |
|---|---|---|
| Relevance (Yes/No) | Does the proposed control address a risk that matters? Does the listed control actually address the risk that it is listed against? | The control may be valuable for other reasons, but if it does not contribute to the control of the specified risk(s), it does not contribute to the adequacy of the control system in the process under consideration. |
| Coverage (Multiple/Full/Partial) | Does the proposed control address part of a risk, all of a risk, or a number of risks? | Where a control addresses only part of a risk, it may be best to restructure the risk so that the part the control addresses is separate from the rest. It is quite common for a particular control to address more than one risk, and this, when possible, can have cost advantages. |
| | Will the control work every time? Is it independent of the process, is it automated, and does it prevent an issue, correct an issue, or just identify an issue? | A preventive control is clearly preferable, but is not always possible. A detective control always requires some response mechanism. Automated controls always perform as constructed; this is desirable if the construction is sound, but some circumstances require human judgment and this aspect should not be ignored. |
| | Does the control operate quickly enough to minimize adverse consequences? | A control intended to limit the effects of, or take advantage of, an event must operate at an appropriate speed. If the action is too late, it is ineffective. |
| | Does the organization have the competence or resources to operate the control? Is it an additional piece of work for an already busy person? | These are design questions with a direct performance implication. Some controls are intrinsically complex and require expertise to perform correctly; giving the responsibility to a person without that expertise reduces or eliminates the value of the control. Similarly, if an individual or group is given too much to do, they will set priorities that may reduce or eliminate the control’s operation. |
| | Is the operation of the control monitored and analyzed? What happens to rejected items? | Is there a mechanism in place to manage unusual circumstances? Are there performance reports that might help the organization detect changes in risk? |
If you can find a framework that fits your business’s goals and needs, go ahead and use it, but if not, a bit of thought is all you need to design your own.
A good place to start is by listing out what attributes a control needs for it to be valuable for your organization, as well as separately listing out what would make a control worthless to your organization. Looking through those two lists, you should start to see pairs of opposites emerge, and by matching those up, you’ll get an initial list of your own factors. The last step will be to trim down your list of factors to the most important ones, since the more factors you add to the list, the longer evaluating each control across all factors will take.
The Challenges of Control Assessments
Performing control assessments can present a number of different challenges depending on your organization. We’ve already discussed finding the right factors to evaluate your controls, which is the first big hurdle. The next challenge to overcome is managing a control assessment project at scale.
You can manage one out of a spreadsheet, but that comes with all the usual spreadsheet limitations: how do you keep the spreadsheet updated without that consuming all of your working hours, how do you follow up with assignees at the right cadence, and how do you keep track of the status of the project? Taking the time to select the right tool for managing your project before diving in makes a world of difference when you’re in the midst of an assessment.
The final problem is around creating, tracking, and remediating issues. One key point here is that your assessments are most valuable when they lead to better outcomes for your compliance program, so having a list of issues sitting in a document somewhere no one can find is not going to cut it. You’ll want to look for a tool that can handle or even automate issue management, tracking, and reporting so that your team has time left in their day to work with stakeholders to remediate issues instead of spending it tracking issues manually.
Conducting a Control Assessment in Hyperproof
Since control assessments are integral to organizations of all sizes, we’ve created a dedicated workflow for them in Hyperproof. It’s as simple as selecting controls and assigning each to someone in your organization. We’ll give you the analytics you need to stay on top of who needs a nudge, and we can remind them about their responsibilities as the due date approaches. You can even field questions on the assessment directly, without having to struggle through large email chains.
How to conduct a control assessment in Hyperproof:
1. Select the controls you want to evaluate. Whether you’re interested in all of the controls under a particular framework, all of the controls owned by a particular team, or just a few critical controls, you can use the search function or filters in Hyperproof to quickly select the right set of controls.
2. Hyperproof creates an evaluation for each of these controls and organizes them into a control assessment.
3. From here, you can assign each evaluation task to someone and set a due date. As they start to evaluate each control, your team can change the status of the evaluation and can tag you in its comments with any questions they have. If they’re testing those controls, they can pull in the evidence they need from anywhere in Hyperproof and attach it to the evaluation for later reference.
4. Across the whole assessment and remediation project, you’ll be able to use Hyperproof’s reporting and dashboards to figure out who to follow up with on outstanding evaluations or issue remediations and ensure that you can complete your control assessment without wasting resources.
Control assessments are integral to compliance and to managing risks. Managing control assessments is difficult without the right tools, but using the right tool to run yours can help reduce your organizational risk, gain confidence in passing audits, and give you peace of mind.