Discover more from PolicyCo’s Newsletter
The Ambiguity of Compliance Terms
According to Tenable, over 44% of organizations use more than one security framework. Mapping controls from one framework to another is complex and adding to the complexity is the ambiguity of terms across the frameworks. Some frameworks have defined controls to follow, while others offer guidelines. At PolicyCo, we have created a mapping system that standardizes the terminology allowing us to easily map more than one framework to a procedure, policy, or piece of evidence. This required us to dissect the nuanced differences between the security frameworks allowing an organization to follow multiple frameworks while reducing the redundancy across an organization’s cybersecurity program. Below is the glossary of terms specific to mapping security frameworks back to the evidence, policies, and procedures.
Standards: Specifications that similar organizations can use to ensure materials, products, processes, and services meet industry best practices
Clauses: Sections containing specific requirements and processes.
Controls: Safeguards to reduce security risks
Criteria: An individual specification
Category: Sections containing a set of specific criteria related to an aspect of the security program
Internal Control: An organization’s objective to protect information security
Category: Section containing specifications and objectives for information security and risk management
Domain: Organized sections based on standard IT organizational structure
Objective: Statement of the intended result
Specification: Policies, procedures, guidelines, practices, or organizational structures, which can be operational, technical, or legal
Reference: An individual requirement/ control
Function: Organized cybersecurity activities and outcomes
Category: A subdivision of a function that contains cybersecurity objectives
Subcategory: Outcome driven statements and security controls
Informative References: Detailed technical resources used to support implementing subcategories
Goal: Organized section of requirements that state the intended result
Requirement: Organized sections of security protocols/controls for securing data
Sub-requirements: The specific security control for obtaining data
Compensating Control: A similar method for adhering to the requirement utilized when an entity cannot meet the requirement as expressly stated
Guidance: The core purpose of the requirement and additional content to assist in the definition of the requirement
Manage Multiple Frameworks with PolicyCo
Cybersecurity compliance can be overwhelming; hopefully, we’ve cleared up some confusion on the language used by some of the most popular frameworks. If you are struggling with managing multiple cybersecurity frameworks, PolicyCo can help. Our platform streamlines compliance processes across frameworks for organizations, and our vCISO team has extensive experience developing cohesive policy language from a variety of framework controls. Contact us for more information.
Originally published at https://policyco.io on December 14, 2021.