Solving a specific compliance problem (e.g., "How do I comply with NIST SP 800-171 R3?") is usually the driving reason for a cybersecurity planning process.
ComplianceForge created the Compliance Decision Making Process (CDMP) as a free guide to help compliance staff come up with viable Courses of Action (COA) based on:
Facts;
Assumptions; and
Constraints.
5 Simple Steps To Compliance Decision Making
The CDMP is designed to be simple and efficient. It identifies sub-steps, as well as inputs and outputs associated with each step in the decision making process. The five (5) steps are:
Awareness of compliance obligations;
Identify facts & assumptions;
Define a problem statement;
Determine constraints; and
Identify possible Courses of Action (COA).
The PDF also includes a practical example of using the CDMP for NIST 800-171 compliance.
Proactive Approach To Compliance Decision Making
Compliance with cybersecurity and data protection laws, regulations and contractual obligations requires a proactive approach to be efficient and effective. Proactive compliance can be thought of as having four (4) distinct components, which come from the broader Military Decision Making Process (MDMP) used by the US military. The military planning acronym associated with this is DIRT:
Decisions;
Intent;
Risk; and
Triggers.
Getting to the point of making a sound decision is built on multiple supporting processes. In this document, we co-opt concepts from DIRT and MDMP into a cybersecurity compliance-focused Compliance Decision Making Process (CDMP). This document defines a viable process for compliance-related decision making that minimizes the risk and cost your organization is exposed to through its cybersecurity and data protection compliance efforts.
Compliance Decisions
There are many compliance-related decisions that organizations face. Decisions are often "forks in the road" where there is a binary choice to take one path or the other, but not both. Those decisions are expected to be based on compliance intent and risk analysis. Examples of decisions that impact compliance operations include:
The organization accepts a contract to store, process and/or transmit Controlled Unclassified Information (CUI) as part of a contract with a third party (e.g., government, prime contractor, partner, etc.).
Action is taken to restructure supporting business processes to support the broader corporate strategy.
The organization hosts its CUI enclave on-site in its own segmented environment.
Compliance Intent
The compliance intent captures the intent of your organization's executive leadership for compliance operations. Decisions should be based on compliance intent. Compliance intent:
Provides the basis for unity of effort throughout the organization to justify cost/changes necessary to comply.
Is meant to support the organization’s broader mission and strategy.
Allows stakeholders to gain insight into what is expected of them, what constraints apply, and most importantly, why the compliance operations are being conducted.
Understanding of Risk
A clear understanding of compliance intent directly influences risk analysis. Understanding the nuances of compliance-related risk leads to better decision making, which in turn leads to proper technology alignment, less unexpected change, etc. Examples of understanding risk include:
The organization must avoid business engagements with third parties that store, process or transmit CUI but are not able to obtain and maintain Cybersecurity Maturity Model Certification (CMMC) Level 2.
While Security Protection Data (SPD) is unlikely to be designated as a CUI category by the US National Archives (NARA), the DoD is unlikely to change its position that SPD must be protected, which limits technology options.
The majority of False Claims Act (FCA) submissions are made by insiders (often recently separated individuals), so compliance operations must retain appropriate evidence of due diligence and due care to demonstrate the organization's compliance efforts.
Compliance Triggers
Compliance operations are rarely static. Identifying triggers in the compliance landscape can refine risk management analysis and lead to proper decisions that stay in line with compliance intent. Examples of compliance triggers include:
NIST released NIST SP 800-171 R3;
DoD issues a class deviation to remain aligned with NIST SP 800-171 R2; and
32 CFR § 170.19(c)(2) designates External Service Providers (ESPs) as in scope for CMMC requirements if they meet CUI Asset and/or Security Protection Asset (SPA) criteria (e.g., they store, process and/or transmit CUI or Security Protection Data (SPD)).
Understanding of Risk: Compliance Decision Making
The CDMP shows how to make compliance-related decision making efficient and straightforward so that viable COAs can be developed. However, risk management practices must exist and be understood by the stakeholders involved in compliance decision making. The CDMP therefore includes a section that baselines risk management terminology and explains the concept of negligence.
Risk Tolerance vs Risk Threshold vs Risk Appetite
The alternative to risk management is crisis management. The information on this page provides practical risk management guidance for cybersecurity and data privacy practitioners, specifically focused on how to align risk appetite, risk tolerance and risk thresholds with an organization's strategic, operational and tactical business planning activities. What is presented is a holistic approach with practical applications. Cybersecurity has many terms, and three (3) of the most misused are:
Risk Tolerance;
Risk Threshold; and
Risk Appetite.
The concepts of risk appetite, risk tolerance and risk thresholds are not independent terms that stand by themselves; they share a dependency that must be understood to create a coherent risk management strategy. Likewise, those terms are directly linked to strategic, operational and tactical decision making.
Organizations invest in cybersecurity and data privacy as a necessity. This necessity is driven in large part by statutory, regulatory and contractual requirements. It is also driven by the desire to protect the organization's brand from acts that would harm its public image. Regardless of the reason, the base expectation is that those charged with developing, implementing and governing the cybersecurity and data privacy functions are doing so in a reasonable manner that would withstand scrutiny from an external auditor, regulator or prosecuting attorney.