
Understanding The Hierarchical Nature of Cybersecurity & Privacy Documentation Version 2022.

The ComplianceForge Hierarchical Cybersecurity Governance Framework™ (HCGF) takes a comprehensive view of the documentation components that are key to demonstrating evidence of due diligence and due care. The framework addresses the interconnectivity of policies, control objectives, standards, guidelines, controls, risks, procedures and metrics. The Secure Controls Framework (SCF) fits into this model by providing the cybersecurity and privacy controls an organization needs to implement in order to stay both secure and compliant. ComplianceForge has simplified the hierarchical nature of cybersecurity and privacy documentation in the following diagram to show the distinct nature of these components, as well as the dependencies that exist between them:

[Diagram: Hierarchical Cybersecurity Governance Framework. Ten columns, left to right: Influencers (Internal & External), Policies, Control Objectives, Standards, Guidelines, Controls, Procedures, Risks, Threats, Metrics. The column text is reconstructed below.]

Influencers (Internal & External)

Hierarchical cybersecurity governance starts with external influencers. These establish what is considered necessary for due diligence and due care for cybersecurity operations. They include statutory requirements (laws), regulatory requirements (government regulations) and contractual requirements (legally-binding obligations) that organizations must address.

External influencers usually impose meaningful penalties for non-compliance. External influencers are often non-negotiable and are the primary source for defining a need for a policy, and they provide scoping for control objectives.

Internal influencers focus on management's desire for consistent, efficient and effective operations. This generally takes the form of:
- Business strategy
- Goals & objectives (e.g., customer satisfaction / service levels, budget constraints, quality targets, etc.)

Policies

Policies are high-level statements of management intent from an organization's executive leadership that are designed to influence decisions and guide the organization to achieve the desired outcomes.

Policies are enforced by standards and further implemented by procedures to establish actionable and accountable requirements.

Policies are a business decision, not a technical one. Technology determines how policies are implemented. Policies usually exist to satisfy an external requirement (e.g., law, regulation and/or contract).

Control Objectives

Control Objectives are targets or desired conditions to be met. These are statements describing what is to be achieved as a result of the organization implementing a control, which is what a Standard is intended to address.

Where applicable, Control Objectives are directly linked to an industry-recognized secure practice to align cybersecurity and privacy with accepted practices. The intent is to establish sufficient evidence of due diligence and due care to withstand scrutiny.

Standards

Standards are mandatory requirements in regard to processes, actions, and configurations that are designed to satisfy Control Objectives.

Standards are intended to be granular and prescriptive to establish Minimum Security Requirements (MSR) that ensure systems, applications and processes are designed and operated to include appropriate cybersecurity and privacy protections.

Guidelines

Guidelines are recommended practices that are based on industry-recognized secure practices. Guidelines help augment Standards when discretion is permissible.

Unlike Standards, Guidelines allow users to apply discretion or leeway in their interpretation, implementation, or use.

Controls

Controls are technical, administrative or physical safeguards. Controls are the nexus used to manage risks through preventing, detecting or lessening the ability of a particular threat to negatively impact business processes.

Controls directly map to standards, since control testing is designed to measure specific aspects of how standards are actually implemented.

Control testing is routinely used in pre-production testing to validate that a project or system has met a minimum level of security before it is authorized for use in a production environment. Recurring testing is often performed on certain controls in order to verify compliance with statutory, regulatory and contractual obligations.

Procedures

Procedures are a documented set of steps necessary to perform a specific task or process in conformance with an applicable standard.

Procedures help address the question of how the organization actually operationalizes a policy, standard or control. Without documented procedures, there will be no defendable evidence of due care practices.

Procedures are generally the responsibility of the process owner / asset custodian to build and maintain, but are expected to include stakeholder oversight to ensure applicable compliance requirements are addressed.

The result of a procedure is intended to satisfy a specific control. Procedures are also commonly referred to as "control activities."

Risks

Risks represent a situation where someone or something valued is exposed to danger, harm or loss (noun), or the act of exposing someone or something valued to danger, harm or loss (verb).

In practical terms, a risk is associated with a control deficiency (e.g., if the control fails, what risk(s) is the organization exposed to?).

Risk is often calculated by a formula of Threat x Vulnerability x Consequence in an attempt to quantify the potential magnitude of a risk instance occurring.

While it is not possible to have a totally risk-free environment, it may be possible to manage risk by:
- Avoiding;
- Reducing;
- Transferring; or
- Accepting.

Threats

Threats represent a person or thing likely to cause damage or danger (noun), or the act of indicating impending damage or danger (verb).

In practical terms, a threat is a possible natural or man-made event that affects control execution (e.g., if the threat materializes, will the control function as expected?).

Metrics

Metrics provide a "point in time" view of specific, discrete measurements, unlike trending and analytics that are derived by comparing a baseline of two or more measurements taken over a period of time. Analytics are generated from the analysis of metrics.

Analytics are designed to facilitate decision-making, evaluate performance and improve accountability through the collection, analysis and reporting of relevant performance-related data.

Good metrics are those that are SMART (Specific, Measurable, Attainable, Repeatable, and Time-dependent).

Influencers shown in the diagram

Internal Influencers:
- Non-IT related corporate policies
- Board of Director (BoD) guidance / directives
- Supply Chain Risk Management (SCRM)
- Other internal requirements

External Influencers - Contractual:
- CMMC (CMMC can be both contractual and regulatory)
- PCI DSS
- SOC 2 Certification
- ISO 27001 Certification
- NIST Cybersecurity Framework
- Other contractual requirements

External Influencers - Statutory:
- HIPAA / HITECH
- FACTA
- GLBA
- CCPA
- SOX
- Data Protection Act (UK)
- Other data protection laws

External Influencers - Regulatory:
- NIST 800-171 / CMMC (FAR & DFARS)
- FedRAMP
- EU GDPR
- Other International Data Protection Laws

Relationships shown in the diagram

- Every Control Objective Maps To A Policy.
- Every Standard Maps To A Control Objective.
- Guidelines Support Applicable Standards.
- Every Control Maps To A Standard.
- Every Procedure Maps To A Control.
- Every Risk Maps To A Control.
- Every Threat Maps To A Control.
- Every Metric Maps To A Control.
- Control Objectives Are Based On Leading Practices (CMMC / PCI DSS / NIST CSF / Etc.), which define expectations for due diligence / due care.
- Appropriate Controls Should Be Selected To Meet Specified External & Internal Influencers.
- Influencer examples placed beside the Policies and Standards columns: CCPA / HIPAA / SOX / Etc. (statutory) and NIST SP 800-171 / FedRAMP / EU GDPR / Etc. (regulatory).

Platform-Specific Technology Configurations

Secure baseline configurations are technical in nature and specify the required configuration settings for a defined technology platform. Leading guidance on secure configurations comes from the following sources:
- Center for Internet Security
- DISA STIGs
- Vendor recommendations

ComplianceForge products mapped to the framework (as shown in the diagram)

- Digital Security Program (DSP)
- Cybersecurity & Data Protection Program (CDPP)
- Semi-Customized Documentation Solutions:
  - Risk Management Program (RMP)
  - Secure Baseline Configurations (SBC)
  - Control Validation Testing (CVT)
  - Cybersecurity Standardized Operating Procedures (CSOP)
  - Cybersecurity Risk Assessment (CRA)

Top-Down Process Flow of Cybersecurity & Privacy Governance Concepts


Internal & External Influencers primarily drive the development of cybersecurity and privacy policies. This requirements analysis is a component of governance, risk and compliance management practices to appropriately scope security program requirements.

Policies define high-level expectations and provide evidence of due diligence to address applicable requirements (internal and external).

Control Objectives support Policies and provide scoping for Standards, based on industry-recognized secure practices.

Standards operationalize Policies by providing organization-specific requirements that must be met.

Guidelines provide useful guidance that provides additional content to help operationalize Standards.

Controls are assigned to stakeholders to assign responsibilities in enforcing Standards.

Procedures operationalize Standards and Controls. The output of Procedures is evidence of due care to demonstrate that requirements are enforced.

Risks are associated with a control deficiency (e.g., if the control fails, what risk is the organization exposed to?).

Natural and man-made threats affect control execution (e.g., if the threat materializes, will the control function as expected?).

Metrics provide evidence of an oversight function for the cybersecurity and privacy program by measuring criteria to determine performance.

Copyright © 2022 by ComplianceForge, LLC (ComplianceForge). All rights reserved.
All text, images, logos, trademarks and information contained in this document are the intellectual property of ComplianceForge, unless otherwise indicated. Modification of any content, including text and images, requires the prior written permission of ComplianceForge. Requests may be sent to support@complianceforge.com.
