
Understanding The Hierarchical Nature of Cybersecurity & Privacy Documentation (version 2020)

The ComplianceForge Hierarchical Cybersecurity Governance Framework™ (HCGF) takes a comprehensive view towards the necessary documentation components that are key to being able to demonstrate evidence of due diligence and due care. This framework
addresses the interconnectivity of policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. The Secure Controls Framework (SCF) fits into this model by providing the necessary cybersecurity and privacy controls an organization needs to
implement to stay both secure and compliant.

ComplianceForge has simplified the concept of the hierarchical nature of cybersecurity and privacy documentation in the following diagram to demonstrate the unique nature of these components, as well as the dependencies that exist:

HIERARCHICAL CYBERSECURITY GOVERNANCE FRAMEWORK™ - INTERCONNECTIVITY OF POLICIES, CONTROL OBJECTIVES, STANDARDS, GUIDELINES, CONTROLS, RISKS, PROCEDURES & METRICS

INFLUENCERS (EXTERNAL & INTERNAL)

Hierarchical cybersecurity governance starts with external influencers – these establish what is considered necessary for due diligence and due care for cybersecurity operations. These include statutory requirements (laws), regulatory requirements (government regulations) and contractual requirements (legally-binding obligations) that organizations must address.

External influencers usually impose meaningful penalties for non-compliance. External influencers are often non-negotiable and are the primary source for defining a need for a policy and provide scoping for control objectives.

Internal influencers focus on management's desire for consistent, efficient and effective operations. This generally takes the form of:
- Business strategy
- Goals & objectives (e.g., customer satisfaction / service levels, budget constraints, quality targets, etc.)

Internal Influencers:
- Non-IT related corporate policies
- Board of Director (BoD) guidance / directives
- Other internal requirements

External Influencers - Contractual (CMMC / PCI DSS / NIST CSF / Etc.):
- CMMC
- PCI DSS
- SOC 2
- ISO 27001
- NIST Cybersecurity Framework
- Other contractual requirements

External Influencers - Statutory (CCPA / HIPAA / SOX / Etc.):
- HIPAA / HITECH
- FACTA
- GLBA
- CCPA
- SOX
- Data Protection Act (UK)
- Other data protection laws

External Influencers - Regulatory (NIST 800-171 / FedRAMP / EU GDPR / Etc.):
- NIST 800-171 (FAR & DFARS)
- FedRAMP
- EU GDPR
- Other International Data Protection Laws

POLICIES

Policies are high-level statements of management intent from an organization's executive leadership that are designed to influence decisions and guide the organization to achieve the desired outcomes.

Policies are enforced by standards and further implemented by procedures to establish actionable and accountable requirements.

Policies are a business decision, not a technical one. Technology determines how policies are implemented. Policies usually exist to satisfy an external requirement (e.g., law, regulation and/or contract).

Documentation: Digital Security Program (DSP); Written Information Security Program (WISP).

CONTROL OBJECTIVES

Every Control Objective maps to a Policy.

Control Objectives are targets or desired conditions to be met. These are statements describing what is to be achieved as a result of the organization implementing a control, which is what a Standard is intended to address.

Where applicable, Control Objectives are directly linked to an industry-recognized secure practice to align cybersecurity and privacy with accepted practices. Leading practices define expectations for due care.

STANDARDS

Every Standard maps to a Control Objective.

Standards are mandatory requirements in regard to processes, actions, and configurations that are designed to satisfy Control Objectives. Standards are intended to be granular and prescriptive to establish Minimum Security Requirements (MSR) that ensure systems, applications and processes are designed and operated to include appropriate cybersecurity and privacy protections. The intent is to establish sufficient evidence of due diligence and due care to withstand scrutiny.

Platform-specific technology configurations: Secure baseline configurations are technical in nature and specify the required configuration settings for a defined technology platform. Leading guidance on secure configurations comes from the following sources:
- Center for Internet Security
- DISA STIGs
- Vendor recommendations

Documentation: Digital Security Program (DSP); Secure Baseline Configurations (SBC).

GUIDELINES

Guidelines support applicable Standards.

Guidelines are recommended practices that are based on industry-recognized secure practices. Guidelines help augment Standards when discretion is permissible. Unlike Standards, Guidelines allow users to apply discretion or leeway in their interpretation, implementation, or use.

CONTROLS

Every Control maps to a Standard.

Controls are technical, administrative or physical safeguards. Controls are the nexus used to manage risks through preventing, detecting or lessening the ability of a particular threat from negatively impacting business processes.

Controls directly map to standards, since control testing is designed to measure specific aspects of how standards are actually implemented. Control testing is routinely used in pre-production testing to validate that a project or system has met a minimum level of security before it is authorized for use in a production environment. Recurring testing is often performed on certain controls in order to verify compliance with statutory, regulatory and contractual obligations.

Documentation: Control Validation Testing (CVT).

RISKS

Every Risk maps to a Control.

Risks represent a potential exposure to harm or loss. Risk is often calculated by a formula of Threat x Vulnerability x Consequence in an attempt to quantify the potential magnitude of a risk instance occurring. While it is not possible to have a totally risk-free environment, it may be possible to manage risks by avoiding, reducing, transferring, or accepting the risks.

Control questions: Questionnaires are often used to determine if a control is met. While this is often a YES / NO option, this approach is often fallible and does not provide proper insight into most risk. Assessing controls against a targeted level of process maturity provides a more accurate insight into existing risks, specific to the control in question.

PROCEDURES

Every Procedure maps to a Control.

Procedures are a documented set of steps necessary to perform a specific task or process in conformance with an applicable standard. Procedures help address the question of how the organization actually operationalizes a policy, standard or control. Without documented procedures, there can be no defendable evidence of due care practices.

Procedures are generally the responsibility of the process owner / asset custodian to build and maintain, but are expected to include stakeholder oversight to ensure applicable compliance requirements are addressed.

The result of a procedure is intended to satisfy a specific control. Procedures are also commonly referred to as "control activities."

Documentation: Cybersecurity Standardized Operating Procedures (CSOP).

METRICS

Every Metric maps to a Control.

Metrics provide a "point in time" view of specific, discrete measurements, unlike trending and analytics that are derived by comparing a baseline of two or more measurements taken over a period of time. Analytics are generated from the analysis of metrics.

Analytics are designed to facilitate decision-making, evaluate performance and improve accountability through the collection, analysis and reporting of relevant performance-related data.

Good metrics are those that are SMART (Specific, Measurable, Attainable, Repeatable, and Time-dependent).

TOP-DOWN PROCESS FLOW OF CYBERSECURITY & PRIVACY GOVERNANCE CONCEPTS

- Influencers: Internal & External Influencers primarily drive the development of cybersecurity and privacy policies. This requirements analysis is a component of governance, risk and compliance management practices to appropriately scope security program requirements.
- Policies: Policies define high-level expectations and provide evidence of due diligence to address applicable requirements (internal and external).
- Control Objectives: Control Objectives support Policies and provide scoping for Standards, based on industry-recognized secure practices.
- Standards: Standards operationalize Policies by providing organization-specific requirements that must be met.
- Guidelines: Guidelines provide useful guidance that provides additional content to help operationalize Standards.
- Controls: Controls are assigned to stakeholders to assign responsibilities in enforcing Standards.
- Risks: Structuring controls as questions is often used in questionnaire format to evaluate implementation of a control.
- Procedures: Procedures operationalize Standards and Controls. The output of Procedures is evidence of due care to demonstrate that requirements are enforced.
- Metrics: Metrics provide evidence of an oversight function for the cybersecurity and privacy program by measuring criteria to determine performance.

Copyright © 2020 by ComplianceForge, LLC (ComplianceForge). All rights reserved.


All text, images, logos, trademarks and information contained in this document are the intellectual property of ComplianceForge, unless otherwise indicated. Modification of any content, including text and images, requires the prior written permission of ComplianceForge. Requests may be sent to support@complianceforge.com.
