The Common controls framework (CCF): Taming the tangled web of audit, compliance and risk
It’s no secret that a growing array of standards and regulations govern cybersecurity, compliance and risk: Sarbanes Oxley (SOX) regulations, federal government standards, the EU’s GDPR rules, the NIST Cybersecurity Framework (CSF), the list goes on. But this alphabet soup is just one aspect of today’s challenges.
Many of these individual frameworks are growing and evolving as well. Take for example the SEC’s proposed rules on cybersecurity risk management. Multiply this by dozens of evolving frameworks and you have the equivalent of a crowded forest’s overlapping root systems.
For risk, audit, compliance and cybersecurity teams, it’s difficult to avoid getting tangled up in it all — and time-consuming to maintain adequate oversight and compliance.
SimpleRisk CEO and founder Josh Sokol described the travails on his company’s blog. He noted that just a few of the requirements for cybersecurity alone involve four separate frameworks:
- NIST CSF ID.GV-1
- ISO 27001 5.2
- AICPA SOC2 CC5.3
- PCI DSS 12.1
“This results in me testing the same thing more than once,” Sokol says.
Yet opportunity exists among the redundancies, taking the form of “significant overlap across many of these controls.” As Sokol realized: “What we see here is essentially four different ways of saying the same thing, so why would we go through the effort of testing this four different times in four different ways?”
Enter the common controls framework (CCF), addressing this challenge and many more.
The CCF: What It Is and Why It’s Essential
A CCF enables risk and audit teams to increase their visibility across the business, stay ahead of security demands and seamlessly communicate and collaborate between various risk, audit and compliance needs. But fully appreciating a CCF’s power starts with understanding what common controls are.
Broadly defined, common controls are the security checks, protective measures and safeguards across an organization, covering areas such as:
- Operations
- Cybersecurity
- Privacy
- Third-party risk
- Reputational risk
Compliance and cybersecurity technology firm cFocus Software defines common controls as “security controls that can support multiple information systems efficiently and effectively as a common capability. They typically define the foundation of a system security plan… using the Risk Management Framework (RMF).”
Types of controls fall under an expansive umbrella: management constraints, personnel security measures, and safeguards for physical structures like locks, fences, access control and ID badges, to name a few.
Technical security controls are one subset. They include the host of hardware, software, and firmware components designed to protect your digital assets, such as two-factor authentication and validity checks. These controls extend protection to shared infrastructure and networks whether it’s applications in the cloud, on-site or some combination of each.
A CCF brings order to it all. It aligns individual controls with identical requirements, unites all controls into a singular set and maps everything against an organization’s thresholds and requirements for audit and risk.
With a CCF in place, organizations can gain a more holistic view of regulations and standards and how they’re being addressed across the organization. Teams across the organization are now aligned on what needs to be done to meet regulatory requirements and effectively manage risk.
A CCF saves time, increases efficiency and fosters peace of mind in many ways. Such a framework enables cyber, audit, compliance and risk teams to:
- Tie controls back to the original regulatory requirements
- Reduce evidence collection needs, as data and reporting are already available
- Evaluate the impact of regulations on overall risk posture
- Create a common language for communicating on requirements
Things to Consider When Setting Up a CCF
A CCF is meant to increase efficiency and decrease workload and stress, not the other way around. To increase your odds of success, begin with a solid foundation. First, understand the most critical and vulnerable data assets across your business and regulatory landscape. Then identify both the controls you already have in place and any gaps related to your data assets.
With this information in hand, you’ll be ready to organize your controls into a centralized framework for managing risk.
Technology can help. Any robust solution should offer:
- Inventorying capabilities: As technology systems and regulatory frameworks evolve, you’ll need to continue taking a thorough inventory of risks and evaluating the controls you have in place for them
- Documentation: To maximize accuracy and efficiency and minimize gaps, it’s vital that all teams work from a single source of truth
- Tools for assessing effectiveness: Common controls are only valuable to your organization if they work effectively. Teams should be able to quickly address deficiencies with minimal labor, avoiding increased time and costs
- Continuous monitoring: Risk never sleeps, and issues often arise both outside of regular office hours and from overlooked areas of the business. To stay ahead of problems and keep executives informed, organizations need to monitor every day, every hour, everywhere
- Rapid reporting: When your solution does identify a weak control, you’ll want to be prepared and follow a plan of action that’s easy as well as comprehensive
When it comes to cyber risk and ever-evolving regulatory requirements, time is of the essence. To make every minute count, your controls framework needs to operate like a well-oiled machine, engaging everyone with a stake in the process through automated workflows, real-time alerts, and easily digestible reports.
In conclusion, even as regulatory frameworks and technology footprints evolve, risk, audit, compliance and cyber teams don’t have to get tangled up in the complexities. When implemented thoughtfully and thoroughly, a CCF can help, bringing all of the pieces together for more streamlined, efficient, accurate oversight, reporting and risk management.
Stay ahead of regulations and risk with Diligent IT Compliance. Our solution puts controls management tools and processes all in one place and aligns them to your Common Controls Framework, giving you visibility and risk management capabilities across the business. Learn more.
