12. Control Assessments


ND545 C4 L4 06 Control Assessment

Once Compliance professionals understand their organization’s Obligations and the resultant Control Objectives, they must measure existing security controls against those Control Objectives in order to determine compliance. Assessment operates similarly to what we discussed in the Governance lesson, meaning that existing security controls are measured against Control Objectives in function and in time. As an example, if a Control Objective requires that firewall logs are checked daily, the organization’s security control should ensure that a) firewall logs are checked (this is the function) and b) they are checked daily (this is the time). What is important here is that the Compliance professional takes care to fully understand the needs of the Control Objective and the existing function of each security control.

In some instances, an organization’s controls may meet the needs of more than one Control Objective. For instance, one Obligation may have a Control Objective that expects your organization to continuously monitor firewall rules for unauthorized changes. A second Obligation may have a Control Objective that expects your organization to audit firewall changes at least once per week for unauthorized changes. If your organization has a firewall control in which the security team is alerted every time any firewall change is made, it meets the requirements of both Control Objectives.

Finally, there can also be what are described as compensating controls. Compensating controls are controls that may not meet the letter of a Control Objective but may meet it in spirit. For instance, if a Control Objective demands that employees of your organization are not allowed to access the Internet for fear of unauthorized data loss, and your organization does allow Internet access, you don’t meet the Control Objective. However, you may have other controls, such as data loss prevention mechanisms and web-filtering software, in place that help prevent data loss. These controls may compensate for not meeting the Control Objective. These situations, however, typically require an independent third-party opinion as to whether the controls effectively compensate.
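The three ideas above (measuring a control against an objective in function and in time, one control satisfying several objectives, and compensating controls that need separate sign-off) can be expressed as a small assessment routine. The following Python is an added example written for this lesson; it is not course material or any vendor's GRC tool. The objective and control names, the frequency ranking, and the sample inventory are constructed assumptions for illustration.

```python
"""Toy control-assessment evaluator (added example, not from the course).

Assumed model (constructed for illustration): a Control Objective and a
security control are each described by a *function* (what is done) and a
*frequency* (how often it is done). A control meets an objective when its
function matches and it runs at least as often as the objective requires.
Controls can also be marked as compensating for named objectives; those are
reported separately because they need an independent third-party opinion.
"""
from dataclasses import dataclass

# Frequencies ranked from least to most frequent (assumed ordering).
FREQUENCY_RANK = {
    "annually": 0, "quarterly": 1, "monthly": 2,
    "weekly": 3, "daily": 4, "continuous": 5,
}


@dataclass(frozen=True)
class ControlObjective:
    obligation: str   # which Obligation this objective comes from
    name: str
    function: str
    frequency: str


@dataclass(frozen=True)
class Control:
    name: str
    function: str
    frequency: str
    compensates_for: frozenset = frozenset()   # objective names it compensates for


def meets(control: Control, objective: ControlObjective) -> bool:
    """True when the control does the objective's function (function check)
    at least as often as the objective demands (time check)."""
    same_function = control.function == objective.function
    often_enough = FREQUENCY_RANK[control.frequency] >= FREQUENCY_RANK[objective.frequency]
    return same_function and often_enough


def assess(controls, objectives):
    """Map each objective name to (status, supporting control names).

    status is 'met' (a control satisfies function and time),
    'compensated' (only compensating controls exist; third-party review needed),
    or 'gap' (nothing covers it)."""
    results = {}
    for obj in objectives:
        direct = [c.name for c in controls if meets(c, obj)]
        if direct:
            results[obj.name] = ("met", direct)
            continue
        comp = [c.name for c in controls if obj.name in c.compensates_for]
        if comp:
            results[obj.name] = ("compensated", comp)
        else:
            results[obj.name] = ("gap", [])
    return results


# Constructed sample inventory mirroring the lesson's scenarios.
SAMPLE_OBJECTIVES = [
    ControlObjective("Obligation A", "monitor-firewall-rules", "review_firewall_changes", "continuous"),
    ControlObjective("Obligation B", "audit-firewall-changes", "review_firewall_changes", "weekly"),
    ControlObjective("Obligation C", "check-firewall-logs", "review_firewall_logs", "daily"),
    ControlObjective("Obligation D", "no-internet-access", "block_internet_access", "continuous"),
]

SAMPLE_CONTROLS = [
    # Alert on every firewall change: satisfies both the continuous and the weekly objective.
    Control("fw-change-alert", "review_firewall_changes", "continuous"),
    # Logs are reviewed, but only weekly: right function, wrong time, so a gap remains.
    Control("log-review", "review_firewall_logs", "weekly"),
    # Internet is allowed; DLP and web filtering compensate for the blocking objective.
    Control("dlp", "prevent_data_loss", "continuous", frozenset({"no-internet-access"})),
    Control("web-filter", "filter_web_traffic", "continuous", frozenset({"no-internet-access"})),
]


def run_sample():
    """Assess the constructed inventory and return the per-objective results."""
    return assess(SAMPLE_CONTROLS, SAMPLE_OBJECTIVES)


if __name__ == "__main__":
    for name, (status, evidence) in run_sample().items():
        print(f"{name:24s} {status:12s} {', '.join(evidence) or '-'}")
```

Running the module prints one line per objective. The log-review control shows why the time dimension matters: it performs the right function but not often enough, so the objective is reported as a gap rather than met. The compensated status is deliberately kept distinct from met so that an assessor can route those objectives to the independent review the lesson describes.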