Subcomponents




Governance, Risk and Compliance

A. ASSET MANAGEMENT
All components of the solution, whether infrastructure assets, network devices or any other physical or logical system, are classified, recorded, kept up to date and decommissioned on a periodic basis. For asset management to be effective, the asset record must be maintained throughout each asset's lifecycle, from acquisition to disposal.


B. LEGAL AND REGULATORY
Ensuring compliance with all relevant national laws, legal requirements and/or industry regulations is a critical step in any project. This subcomponent is divided into 2 categories: Supply Chain and Regulations.


C. BUSINESS GOVERNANCE
Business governance encompasses the set of responsibilities and practices exercised by executive management with the main goal of providing the business with a strategic direction, while ensuring that objectives are achieved, that risks are captured and managed appropriately, and that resources are used responsibly. This subcomponent is divided into 4 categories: Strategy, Policies, Standards and Patterns.




Information Security Controls

A. IDENTITY AND ACCESS
This subcomponent covers all the mechanisms and controls used to grant, or revoke, the right to access a system or perform an action against it. In essence it deals with who or what gets access to which assets, from which locations, on which systems. This includes every kind of service logon and authentication to the underlying infrastructure, network devices and endpoint devices, among many others that require user and administrative accounts. Identity and Access plays a critical part in ensuring security by controlling access. This subcomponent is divided into 4 categories: Basic Authentication, Strong Authentication, Account Auditing and Remote Access.


B. SYSTEM ARCHITECTURE
This subcomponent focuses on the measures and security controls that a typical solution must have at a minimum. Its goal is to safeguard the assets, the communication to them and to other systems, and the data they hold both at rest and in transit, covering how the application is developed and concluding with a broad review against several key security principles. This component is divided into 7 key items: System Administration, Network Security, Data in Transit, Data at Rest, Application Security, Mobile Systems and Security Principles.


C. SECURE CONFIGURATION
This subcomponent refers to the security measures and controls required to build and manage systems in a way that reduces their vulnerabilities and the threats against them. This subcomponent is divided into 4 categories: Baselines, Change Control, Patching Procedures and Vulnerability Management.




Resilience and Disaster Recovery

A. RESILIENCE ARCHITECTURE
Resilience Architecture ensures the ability to adapt to, and recover automatically from, unexpected changes in the system, whether caused by a threat or by software or hardware failure. A good design will ensure the solution is resilient and able to withstand disruptions, or at least minimize their impact.


B. BACKUP STRATEGY
Backups are a critical piece of any system: in essence, a duplicate copy that is stored separately from the primary working system, so that a failure or compromise of the primary does not also destroy the copy. Backups can cover either data or configuration, and both are required to rebuild the system if needed. They ensure continuous availability and reduce downtime.


C. INCIDENT AND RECOVERY
This subcomponent deals with the process for managing any incident that could disrupt the operations of the business. Incidents may be cyber-attacks, data breaches or natural disasters. The ability to detect incidents and to rebuild core systems is fundamental for an organization to survive. This component is divided into 3 categories: Logging and Monitoring, Incident Management and Recovery Process.


SAFEST Framework

Created in 2020, the SAFEST Framework (Security Assurance for Enterprise Solutions and Technology Framework) is continuously under revision and improvement. Released under the Creative Commons Attribution 3.0 license, it allows free use for both personal and commercial projects. Its main focus is on assessing the security of existing or new enterprise solutions and technology projects, for both small and large organizations.

Highlights

  • Modular security framework
  • Highly adaptable and flexible
  • Common language and structure
  • Simple to follow and understand
