THIS DOCUMENT HAS BEEN CLASSIFIED FOR PUBLIC ACCESS BY SECURE KNOWLEDGE MANAGEMENT INC.
KEY
• Compliance Control Description - a description of the control is provided so the compliance manager, analyst or auditor can determine the intent of the risk mitigating control.
• Risk Mitigating Controls Implemented - it is necessary to identify any and all controls used to address the risks that this control objective is attempting to mitigate. In most organizations the integration of controls is imperative to operationalize risk mitigation. Most organizations manage multiple control frameworks and multiple statutory, regulatory and contractual obligations, so by conducting this exercise controls can be rationalized, saving time and money in maintenance and reviews.
• Manager Responsibility / Governance - risk mitigating controls often fall within the operational procedures and policies of the management team. It is important to ensure that the manager who has been delegated this responsibility is aware of their responsibilities and has communicated that responsibility to employees and other managers, so there is no confusion about who is accountable or who should be making final decisions concerning control implementation or changes to those controls. This step often empowers managers and is seen as a positive activity.
• Location of Validated Evidence - it is necessary to locate and record evidence of testing to validate the overall operational effectiveness of security standards and the use of risk mitigating controls.
• Skill Level / Competency - following Bloom's Taxonomy, the internationally accepted methodology used to create curricula and test for knowledge, carefully constructed questions can determine the level of skill needed to effectively administer, maintain and test controls. In addition, the competency of administrators, auditors and security testers is critical to operational excellence and compliance with most control frameworks.
• Control Tested - the regular testing of control frameworks is essential to establishing and maintaining the effectiveness of carefully designed and implemented risk mitigating controls. Regular testing helps to verify and validate the successful implementation of these controls. If controls are not tested and have not been implemented effectively, the organization could fail internal and external audits; it could also suffer a security breach and unplanned expenses.
• Control Effectiveness - control effectiveness is the result of quantifying the qualitative data gathered during regular reviews of risk mitigating control frameworks. Similar to the risk management calculation used to produce a risk rating, this process uses the data gathered during the review of risks and existing controls to establish a percentage of control effectiveness.
• Reference - this is an embedded link back to the source of the regulation, added here for convenience and quick reference during discussions.