
Controls: So Many to Choose From

April 04, 2019


Synopsis

MNP’s Jason Murray explains how to select the right mix of controls to create a well-rounded and comprehensive cyber security program.

There’s a growing tendency in the world of cyber security to simplify inherently complex problems into one-dimensional concepts. Nowhere is this more apparent than in the world of controls.

There are several controls frameworks and hundreds of unique controls an organization could implement if it wanted to. But this is neither efficient nor practical – there needs to be a better way to select the right tool for a very specific role.

The tangibility-abstraction matrix offers one such solution.

Framework                   Number of Controls
NIST 800-53                 854
PCI DSS                     331
ISO 27001                   114
Critical Security Controls  149

Tangibility

The tangibility of a control describes how close or distant it is from the information it protects.

Technical controls – such as firewalls, anti-malware and encryption – are the closest.

Paperwork controls – like policies and procedures to support the function of technical controls in the organization – are less tangible because they’re further away from the information.

Abstraction

The degree of abstraction describes what level of direct oversight a control has over the information it protects.

Asset-level controls – such as firewalls, anti-malware or encryption – are the closest to the information and directly affect it, the computer it’s stored on or the network it’s transmitted over.

Variance controls help detect when asset-level controls are not functioning properly. These inform businesses when they’re more exposed than normal (e.g. an anti-malware application has gone offline).

Decision-making controls are the key human element in this system. Organizational decision-makers consider inputs from all other controls (technical, paperwork, people, asset and variance) and determine what to do next. This could involve change control, business continuity or incident response.

Implementing Controls

Consider an organization that regularly handles credit card payments and needs to become Payment Card Industry Data Security Standard (PCI-DSS) compliant. As it begins implementing the (largely pre-determined) controls, a clear pattern develops.

In this case the pattern is unbalanced: the compliance focus skews heavily toward the bottom-left quadrant of the tangibility-abstraction matrix, where the technical, asset-level controls sit.

Recognizing this, the business would want to shift its attention back to risk and maturity to determine which controls would offer a more balanced and well-rounded cyber security program.

Minding the Spread

It’s unrealistic to expect a perfectly even spread. The skew will always be slightly greater to the bottom left – focusing more on the information and technical controls. But the goal should be to spread up and right to cover as many types of controls as possible and create a well-rounded program.
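The skew check described above can be made concrete. The following Python script is an added example, not code from the article or from MNP: it places a constructed control inventory (the control names and their cell assignments are assumptions, chosen to mimic the PCI-DSS pattern the article describes) on the tangibility-abstraction matrix, reports the share of controls sitting in the bottom-left cell, and lists the cells with no coverage at all.

```python
# Added example (not from the MNP article): place a constructed control
# inventory on the tangibility/abstraction matrix and report the spread.
# Category names follow the article; the controls and their placements
# are assumptions for illustration only.
from collections import Counter

# Axes as the article defines them: technical controls are most tangible,
# paperwork least; asset-level controls are least abstract, decision-making most.
TANGIBILITY = ["technical", "paperwork"]
ABSTRACTION = ["asset", "variance", "decision"]

# Constructed inventory: (control name, tangibility, abstraction).
# Deliberately skewed toward technical/asset, like the compliance-driven
# pattern the article describes.
SAMPLE_CONTROLS = [
    ("Network firewall", "technical", "asset"),
    ("Anti-malware on payment hosts", "technical", "asset"),
    ("Cardholder data encryption", "technical", "asset"),
    ("Quarterly vulnerability scans", "technical", "variance"),
    ("Anti-malware health alerts", "technical", "variance"),
    ("Access control policy", "paperwork", "asset"),
    ("Incident response plan", "paperwork", "decision"),
]

def matrix_counts(controls):
    """Count controls per (tangibility, abstraction) cell. Unknown categories
    are rejected so a mislabelled control cannot silently drop off the matrix."""
    counts = Counter()
    for name, tang, abst in controls:
        if tang not in TANGIBILITY or abst not in ABSTRACTION:
            raise ValueError(f"{name!r}: unknown category ({tang}, {abst})")
        counts[(tang, abst)] += 1
    return counts

def spread_report(controls):
    """Return the share of controls in the bottom-left cell (technical, asset)
    and the list of matrix cells that hold no control at all."""
    counts = matrix_counts(controls)
    total = sum(counts.values())
    bottom_left = counts[("technical", "asset")] / total if total else 0.0
    empty = [(t, a) for t in TANGIBILITY for a in ABSTRACTION if counts[(t, a)] == 0]
    return bottom_left, empty

if __name__ == "__main__":
    share, gaps = spread_report(SAMPLE_CONTROLS)
    print(f"bottom-left share: {share:.0%}")  # 43% for the sample inventory
    for cell in gaps:
        print("no coverage:", cell)  # ('technical', 'decision'), ('paperwork', 'variance')
```

Cells reported as empty are where the article's "spread up and right" advice applies; a high bottom-left share with several empty cells is the unbalanced pattern the article warns about.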
