Hi, how are you.
one question about controls - How do you phrase your controls?
Let’s take CSF for example and you have a control in the framework like:
AC-7: Unsuccessful Logon Attempts
which is related to compliance item
PR.AA-03: Users, services, and hardware are authenticated
Do you:
Write a policy “Bruteforce Protection” where you define that after 5 attempts within 20 minutes, the account must be disabled for 24hrs
And add a control linked to this policy “Review AD Account Lockout Settings”
OR do you write a control:
“Disable Accounts after multiple attempts”, with a description “When there are 5 attempts within 20 minutes” …
And the actual “review task” is the audit task itself?
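As an added example (not from the original post or the forum's tool), here is what the “Review AD Account Lockout Settings” control could look like as a repeatable audit check, comparing the domain's lockout settings against the 5 attempts / 20 minutes / 24 hours values stated in the policy above. It assumes the ActiveDirectory RSAT module is installed and the account running it can read the domain password policy.

```powershell
# Added example: audit evidence for a "Review AD Account Lockout Settings" control.
# Assumes the ActiveDirectory module is available (RSAT) and read access to the domain policy.
Import-Module ActiveDirectory

# Expected values, taken from the "Bruteforce Protection" policy described in the question
$Expected = @{
    LockoutThreshold         = 5                          # failed attempts before lockout (0 = never lock)
    LockoutObservationWindow = New-TimeSpan -Minutes 20   # window in which failed attempts are counted
    LockoutDuration          = New-TimeSpan -Hours 24     # how long the account stays locked
}

$Policy = Get-ADDefaultDomainPasswordPolicy

# Compare each setting and record PASS/FAIL so the result can be attached to the audit record
$Findings = foreach ($Setting in $Expected.Keys) {
    $Actual = $Policy.$Setting
    [pscustomobject]@{
        Setting  = $Setting
        Expected = $Expected[$Setting]
        Actual   = $Actual
        Status   = if ($Actual -eq $Expected[$Setting]) { 'PASS' } else { 'FAIL' }
    }
}

$Findings | Format-Table -AutoSize

# Fine-grained password policies (PSOs) override the default domain policy for the groups
# they apply to, so list them as well; each one needs the same review.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, LockoutThreshold, LockoutObservationWindow, LockoutDuration, AppliesTo |
    Format-Table -AutoSize

# Keep a dated copy as evidence for the internal audit
$Findings | Export-Csv -Path ("lockout-review-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation

# Non-zero exit code lets a scheduler flag a failed control review
if ($Findings.Status -contains 'FAIL') { exit 1 } else { exit 0 }
```

The CSV output is the evidence the internal audit task would reference; a FAIL row means the technical setting has drifted from the written policy.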
It’s really the dealer’s choice on this - there’s no right answer to it. Given the mapping that you can produce with the compliance analysis module and others, the control wording should be succinct and descriptive enough to know what it does without having to click into it for details. The other thing to consider is if you have controls that may vary between locations, systems or other variables - you’ll want to have a naming convention to add that distinction.
In general, the control is something you can do that is measurable. The control is further defined in a related policy/procedure, so both are needed. The policy/procedures receive reviews, the controls optionally have maintenances and internal audits.
Not every control needs a maintenance and internal audit, it just depends on what you decide needs them.