Control selection
A security control is a procedural, physical, or technical measure to avoid, detect, counteract or minimise security risk.
A capability should choose a relevant security control framework based on the scope and breadth of what they’re delivering.
The framework does not provide a pre-packaged set of controls so capabilities should have a proper understanding of the risks to be addressed.
Examples of frameworks include:
A capability should choose a relevant security control framework based on the scope and breadth of what they’re delivering.
The framework does not provide a pre-packaged set of controls so capabilities should have a proper understanding of the risks to be addressed.
Examples of frameworks include:
When designing capabilities, it is preferable to reuse any existing CyDR architectural patterns. The Cyber Security Design Authority (CSDA) has guidance on this topic.
Capabilities should not implement controls just because they are listed in a framework. Instead, they should show a clear link between the mission or business objectives, the security requirements, threat assessment, and risks, and the controls put in place. This makes sure the controls meet the requirements and reduce risks to an acceptable level within you defined risk appetite.
It may be appropriate to apply Original Equipment Manufacturer (OEM) security guidance to configure the system securely.
Capabilities should not implement controls just because they are listed in a framework. Instead, they should show a clear link between the mission or business objectives, the security requirements, threat assessment, and risks, and the controls put in place. This makes sure the controls meet the requirements and reduce risks to an acceptable level within you defined risk appetite.
It may be appropriate to apply Original Equipment Manufacturer (OEM) security guidance to configure the system securely.
Benefits
Benefits of selecting security controls:
- ensure systems only operate within their defined risk appetite
- makes sure unacceptable losses do not occur
- makes sure risk can be measured and is appropriately managed
Outcomes
Outcomes from control selection include:
- selection of appropriate controls
- control set mapping - providing options for shared controls and inherited control understanding
Responsibility
Who is responsible for control selection:
- delivery team lead
- project management office (PMO)
- delivery team security lead
When to select your controls
Controls should be:
- selected at concept or design stage
- reviewed in response to system design or threat changes
- adjusted throughout a capability’s lifecycle off the back of the risk management process