We are Living in a Control Jungle
So many organizations today are lost in a deep, dark jungle of control inertia. The word "control" is used far too loosely and is a confusing term at best, especially when applied out of context.
Welcome to the jungle!
Below are examples of the different kinds of controls you will encounter, followed by the best way to understand the context of each control and to manage controls effectively across your organization.
Audit Controls
When internal audit teams build audit work plans, they define the controls they will test. These controls tell the organization how its risks are being mitigated, and they are principally the controls that interest the board and leadership.
Policies and Procedures
Policy and standard documents also contain controls: directives (and the procedures behind them) for how the organization and its employees should operate. These are generally derived from regulatory or standard requirements (see below) and/or from industry best practice and company culture.
Control Frameworks
Different regulations and standards (also known as "control frameworks"!) express their requirements as the controls necessary to be "in compliance". Each framework has its own set of controls, so if, like most companies today, you maintain multiple frameworks, such as ISO certification (150+ controls), SOC 2 (50+), FedRAMP (400+), CMMC (100+), HIPAA (300+) and PCI (300+), the list of controls quickly becomes overwhelming.
Internal Controls
These are the last pieces of the control puzzle. Internal controls define how you comply with a framework and map to that framework's specific control requirements. For example, you may be using an identity and access management tool such as Okta, Ping, Duo or Azure AD. The regulatory control and/or policy statement (above) will likely be written broadly, requiring only that identity and access management be implemented. Your internal control states specifically how you implement IAM, who is accountable for the control, how often the control is tested, and even the control's implementation status (not implemented, partially implemented, fully implemented).
This is where controls become actionable: internal controls are the ones you actually verify. You collect evidence against each internal control and set a cadence for how often it is tested.
As such, internal controls are critical to creating efficiencies in the information security team and have a direct financial impact on operations. Teams with duplicate internal controls, usually the result of managing compliance with multiple regulations or standards separately, quickly develop process inefficiencies, not to mention the frustration of being asked to produce the same piece of evidence several times. Internal controls with no assigned owner lead to gaps, where processes go unchecked, systems go unpatched, and the organization is left exposed.
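The bookkeeping described above (one internal control carrying an owner, an evidence artefact, a test cadence, an implementation status and its mappings to several framework requirements) is small enough to model directly. The following is an added example, not code from the original article or from any product: it loads a handful of constructed controls, then reports duplicate evidence requests, unassigned controls, framework requirements with no control mapped to them, and controls whose last test is older than their cadence. The framework names and requirement identifiers (for example `ISO:IAM-1`) are placeholders, not real ISO, SOC 2 or FedRAMP control numbers.

```python
"""Map internal controls to several framework requirements and report
duplicates, unassigned owners, gaps and overdue tests.
Added example; every identifier and sample record below is constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class InternalControl:
    control_id: str
    description: str
    owner: Optional[str]        # accountable person; None means unassigned
    evidence: str               # artefact produced when the control is tested
    cadence_days: int           # how often the control must be tested
    status: str                 # not / partially / fully implemented
    last_tested: Optional[date]
    maps_to: set[str] = field(default_factory=set)   # "<framework>:<requirement>"


# Constructed requirement lists per framework (placeholder IDs, not the
# real ISO / SOC 2 / FedRAMP control numbers).
REQUIREMENTS = {
    "ISO": {"ISO:IAM-1", "ISO:LOG-1", "ISO:VULN-1"},
    "SOC2": {"SOC2:IAM-1", "SOC2:LOG-1"},
    "FEDRAMP": {"FEDRAMP:IAM-1", "FEDRAMP:VULN-1", "FEDRAMP:BCP-1"},
}

TODAY = date(2024, 6, 1)   # fixed so the example is deterministic

# Constructed sample controls.
CONTROLS = [
    InternalControl("IC-01", "Quarterly review of SSO user access",
                    "iam-lead", "SSO access-review export", 90,
                    "fully implemented", date(2024, 3, 15),
                    {"ISO:IAM-1", "SOC2:IAM-1", "FEDRAMP:IAM-1"}),
    InternalControl("IC-02", "Quarterly access review for SOC 2",
                    "compliance", "SSO access-review export", 90,
                    "fully implemented", date(2024, 3, 20),
                    {"SOC2:IAM-1"}),                 # same evidence as IC-01
    InternalControl("IC-03", "Central log retention >= 1 year",
                    None, "log retention config screenshot", 365,
                    "partially implemented", date(2023, 1, 10),
                    {"ISO:LOG-1", "SOC2:LOG-1"}),    # no owner, test overdue
    InternalControl("IC-04", "Monthly vulnerability scan",
                    "secops", "scanner report", 30,
                    "fully implemented", date(2024, 5, 20),
                    {"ISO:VULN-1", "FEDRAMP:VULN-1"}),
]


def duplicate_evidence(controls):
    """Controls that request the same evidence artefact: merge candidates."""
    by_evidence = defaultdict(list)
    for c in controls:
        by_evidence[c.evidence].append(c.control_id)
    return {ev: ids for ev, ids in by_evidence.items() if len(ids) > 1}


def unassigned(controls):
    """Controls with nobody accountable for them."""
    return [c.control_id for c in controls if c.owner is None]


def gaps(requirements, controls):
    """Framework requirements that no internal control maps to."""
    covered = set().union(*(c.maps_to for c in controls))
    return {fw: sorted(reqs - covered) for fw, reqs in requirements.items()
            if reqs - covered}


def overdue(controls, today):
    """Controls never tested, or tested longer ago than their cadence allows."""
    return [c.control_id for c in controls
            if c.last_tested is None
            or today - c.last_tested > timedelta(days=c.cadence_days)]


def frameworks_served(control):
    """'Test once, apply to many': frameworks one test result satisfies."""
    return sorted({m.split(":", 1)[0] for m in control.maps_to})


def report(requirements, controls, today):
    return {
        "duplicates": duplicate_evidence(controls),
        "unassigned": unassigned(controls),
        "gaps": gaps(requirements, controls),
        "overdue": overdue(controls, today),
        "coverage": {c.control_id: frameworks_served(c) for c in controls},
    }


if __name__ == "__main__":
    for section, value in report(REQUIREMENTS, CONTROLS, TODAY).items():
        print(f"{section}: {value}")
```

On the sample data the report flags IC-01 and IC-02 as duplicates (both produce the same access-review export, so one test could satisfy ISO, SOC 2 and FedRAMP at once), IC-03 as both unassigned and overdue, and the FedRAMP continuity requirement as a gap with no control behind it. Duplicates are keyed on the evidence artefact rather than on the control wording, because it is the repeated evidence request, not the similar description, that costs the team time.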
C1Risk can help you find your way through the control jungle. The C1Risk platform lets you define your controls in their different contexts, so you can see the source and applicability of each control (regulation, standard, policy, audit) and spot duplicates and gaps. It also lets you map each internal control to one or many frameworks. This is the concept of "test once, apply to many": a single control, tested once, evidences compliance with every framework it is mapped to.