Understanding The Hierarchical Nature of Cybersecurity & Privacy Documentation Version 2021.

1
The ComplianceForge Hierarchical Cybersecurity Governance Framework? (HCGF) takes a comprehensive viewtowards the necessary documentation components that are key to being able to demonstrate evidence of due diligence and due care. This framework addresses the interconnectivity of policies, control objectives, standards, guidelines,
controls, risks, procedures & metrics. The Secure Controls Framework (SCF) fits into this model by providing the necessary cybersecurity and privacy controls an organization needs to implement to stay both secure and compliant. ComplianceForge has simplified the concept of the hierarchical nature of cybersecurity and privacy documentation in the
following diagram to demonstrate the unique nature of these components, as well as the dependencies that exist:

Influencers (Internal & External) Policies Control Objectives Standards Guidelines Controls Procedures Risks Threats Metrics

Hierarchical cybersecurity governance starts with external
influencers ? these establish what is considered necessary for
due diligence and due care for cybersecurity operations.
These include statutory requirements (laws), regulatory
requirements (government regulations) and contractual
requirements (legally-binding obligations) that organizations
must address.
External influencers usually impose meaningful penalties for
non-compliance. External influencers are often
non-negotiable and are the primary source for defining a
need for a policy and provide scoping for control objectives.
Internal influencers focus on management's desire for
consistent, efficient and effective operations. This generally
takes the form of:
- Business strategy
- Goals & objectives (e.g., customer satisfaction / service
levels, budget constraints, quality targets, etc.)
Internal Influencers
Non-IT related corporate policies
Board of Director (BoD) guidance / directives
Other internal requirements
Policies are high-level statements of Control Objectives are targets or desired Standards are mandatory requirements Guidelines are recommended practices Controls are technical, administrative or Procedures are a documented set of Risks represent a situation where Threats represent a person or thing Metrics provide a "point in time" view
management intent from an conditions to be met. These are in regard to processes, actions, and that are based on industry-recognized physical safeguards. Controls are the steps necessary to perform a specific someone or something valued is likely to cause damage or danger (noun) of specific, discrete measurements,
organization's executive leadership that statements describing what is to be configurations that are designed to secure practices. Guidelines help nexus used to manage risks through task or process in conformance with an exposed to danger, harm or loss (noun) or to indicate impending damage or unlike trending and analytics that are
are designed to influence decisions and achieved as a result of the organization satisfy Control Objectives. augment Standards when discretion is preventing, detecting or lessening the applicable standard. or to expose someone or something danger (verb). derived by comparing a baseline of two
guide the organization to achieve the implementing a control, which is what a permissible. ability of a particular threat from valued to danger, harm or loss (verb). or more measurements taken over a
desired outcomes. Standard is intended to address. Standards are intended to be granular negatively impacting business processes. Procedures help address the question In practical terms, a threat is a possible period of time. Analytics are generated
and prescriptive to establish Minimum Unlike Standards, Guidelines allow of how the organization actually In practical terms, a risk is associated natural or man-made event that affects from the analysis of metrics.
Policies are enforced by standards and Where applicable, Control Objectives are Security Requirements (MSR) that users to apply discretion or leeway in Controls directly map to standards, since operationalizes a policy, standard or with a control deficiency? (e.g., if the control execution. (e.g., if the threat
further implemented by procedures to directly linked to an industry-recognized ensure systems, applications and their interpretation, implementation, or control testing is designed to measure control. Without documented control fails, what risk(s) is the materializes, will the control function as Analytics are designed to facilitate
establish actionable and accountable secure practice to align cybersecurity processes are designed and operated to use. specific aspects of how standards are procedures, there can be defendable organization exposed to?) expected?) decision-making, evaluate performance
requirements. and privacy with accepted practices. The include appropriate cybersecurity and actually implemented. evidence of due care practices. and improve accountability through
intent is to establish sufficient evidence privacy protections. Risk is often calculated by a formula of the collection, analysis and reporting of
Policies are a business decision, not a of due diligence and due care to Control testing is routinely used in Procedures are generally the Threat x Vulnerability x Consequence in relevant performance-related data.
technical one. Technology determines withstand scrutiny. pre-production testing to validate a responsibility of the process owner / an attempt to quantify the potential
how policies are implemented. Policies project or system has met a minimum asset custodian to build and maintain, magnitude of a risk instance occurring. Good metrics are those that are
usually exist to satisfy an external level of security before it is authorized but are expected to include SMART (Specific, Measurable,
requirement (e.g., law, regulation for use in a production environment. stakeholder oversight to ensure While it is not possible to have a totally Attainable, Repeatable, and
and/or contract). Recurring testing is often performed on applicable compliance requirements risk-free environment, it may be Time-dependent)
Guidelines Support certain controls in order to verify are addressed. possible to manage risks by avoiding,
Applicable Standards Guidelines compliance with statutory, regulatory reducing, transferring, or accepting the
Every Control Every Standard and contractual obligations. The result of a procedure is intended risks.
Objective Maps Maps To A to satisfy a specific control. Procedures
To A Policy. Control are also commonly referred to as
Objective. "control activities."
Control
Policies Standards
Objectives

External Influencers - Contractual

Platform-Specific Every Control Every Metric Maps To A Control
CMMC (CMMCcan be contractual and regulatory)
Technology Maps Metrics
PCI DSS
Configurations To A Standard
SOC 2 Certification CMMC / PCI DSS / NIST CSF / Etc. Every Procedure
ISO 27001 Certification Leading Practices Define Expectations Maps
NIST Cybersecurity Framework
To A Control
Other contractual requirements
Controls Procedures
For Due Care Expectations

External Influencers - Statutory Secure Baseline

HIPAA / HITECH
FACTA Configurations Every Risk Maps To A Control
GLBA
CCPA CCPA / HIPAA / SOX / Etc.
Risks
SOX
Data Protection Act (UK) Secure baseline configurations are Every Threat Maps To A Control
Other data protection laws technical in nature and specify the Threats
required configuration settings for a
External Influencers - Regulatory defined technology platform. Leading
NIST 800-171 / CMMC (FAR & DFARS) guidance on secure configurations
FedRAMP come from the following sources:
NIST 800-171 / FedRAMP / EU GDPR / Etc. - Center for Internet Security
EU GDPR
- DISA STIGs
Other International Data Protection Laws
- Vendor recommendations

Digital Security Program (DSP) Cybersecurity Digital Security Program (DSP)

Standardized Operating
Written Information Security Program (WISP) Procedures (CSOP) Risk Management
Program (RMP)
Secure Baseline
Configurations (SBC)
Control Validation Cybersecurity Risk
Testing (CVT) Assessment (CRA)

Top-Down Process Flow of Cybersecurity & Privacy Governance Concepts x

Internal & External Influencers primarily drive the Policies define high-level Control Objectives support Standards operationalize Guidelines provide useful Controls are assigned to Procedures operationalize Structuring controls as Metrics provide evidence
development of cybersecurity and privacy policies. This expectations and provide Policies and provide scoping Policies by providing guidance that provides stakeholders to assign Standards and Controls. The of an oversight function
questions is often used to in
requirements analysis is a component of governance, risk evidence of due diligence to for Standards, based on organization-specific additional content to help responsibilities in output of Procedures is questionnaire format to for the cybersecurity and
and compliance management practices to appropriately address applicable requirements industry-recognized secure requirements that must operationalize Standards. enforcing Standards. evidence of due care to evaluate the implementation privacy program by
scope security program requirements. (internal and external). practices. be met. demonstrate that measuring criteria to
of a control.
Copyright © 2021 by ComplianceForge, LLC (ComplianceForge). All rights reserved. requirements are enforced. determine performance.
All text, images, logos, trademarks and information contained in this document are the intellectual property of ComplianceForge, unless otherwise indicated. Modification of any content, including text and images, requires the prior written permission of ComplianceForge. Requests may be sent to [email protected].