Adopting a baseline control set
So, how do we do that? If we look at the practical steps to adopt a baseline control set, I think the first thing you need to think about is whether you have a clear message from senior leadership that this is something the organization wants to do. Fundamentally, this is going to change the way your organization manages controls. There needs to be an understanding that there will be short- to medium-term pain in delivering this kind of program, but also that it is the right thing for the organization to do.
The next thing to think about is defining scope. It’s probably not realistic to do everything at once, so we need to identify the two or three business-critical things that we want to bring together first. Then you select the appropriate regulations, frameworks and standards to define the scope of what the program should cover. Again, it might be just a few that you start with, but it means you can show senior management that it’s working: you’ve got these controls in place and you’re making it easier for the organization.
Then you can move on to reviewing the controls in a more consistent way. Improvements and changes to controls can be rolled out across the entire business far more proactively because you’re keeping on top of them. And because those controls are standardized, you can agree on and define metrics to monitor them. It’s now a lot easier to use approaches like continuous control monitoring to see how these controls are operating throughout the year, rather than waiting for ad hoc testing cycles to review them.
At SureCloud, we are framework agnostic. We support all the different frameworks out there for baseline control sets, and we also allow you to map directly to frameworks such as CSA, CIS, NIST, etc. If you want to learn more about what we do and how you can simplify compliance in your organization, watch the full presentation here.