Spheric Shield™

Finally, control relief!

Security control frameworks abound: it is easy to define the "governing scope" of control objectives to comply with, but that is where the easy part ends and the pain begins ...


...identifying, interpreting, tracking, mapping, visualizing, assessing and communicating security controls, at both the actual-control and objective levels, has been manual, slow, costly and painful, until now!

Introducing the Spheric Shield

Security Control Management System

Internal Control Framework

Aligned to Your Organization

Out of scarcity of resources, organizations may select as their internal enterprise control framework an external framework that is well known, tested and widely accepted.

Each provides a wealth of security best practices. There is nothing "wrong" with these control frameworks, except that they are not intrinsically aligned to the nature of your business and your specific risk profile, which depends heavily on the nature of your assets, activities and plans. Why would one not adopt them, when one ultimately has to demonstrate fulfillment of these controls anyway? Managing another framework when complying with one is onerous enough. This is generally referred to as security-by-compliance, and it is generally said that being compliant does not mean one is secure.

Security aligned to your nature

When the burden of multiple frameworks is removed, the organization is freed up to create an internal security control framework optimized to their intrinsic character and future goals. When you need to comply, select the standard or regulation, click Project and you're done. 

Secure-by-Design! Compliance Done!

In an Enterprise Security Control Framework

Organizations sometimes choose as their internal framework an external standard like the NIST CSF, or a regulation like FFIEC or PCI, perhaps to avoid having to manage yet another framework when complying with one is onerous. This is when compliance drives security.

If this burden is removed, the organization is freed up to create an internal security control framework optimized to their risk profile. 

The illustration to the left shows an internal control framework based on a set of Management Security Objectives whose assurance level is driven by business risks.

Shield Internal Workspace

Desktop Selection: Internal Control Frameworks: Management Security Objectives, level 1

The business is busy striving to grow net worth, maintain current revenue and achieve its growth targets. These priorities are translated into a set of Management Business Objectives and managed through to success.


These MBOs should then drive a set of Management Security Objectives (MSOs) designed to protect those business objectives. These MSOs, refined at increasing levels of detail, form the basis of your internal risk-managed, optimized framework. The desktop illustrates Level 1 of an internal security framework called Management Security Objectives.

External Standards & Regulations

  • NIST CSF 1.1 or NIST 800-53 r4 US government standards

  • International ISO 27001/2: 2013 standard

  • Center for Internet Security - Critical Security Controls 7 & Benchmarks Standard 

  • International Payment Card Industry Data Security Standard (PCI-DSS: 3.2) regulation

  • Ingest or create any framework

Depending on the nature of the business, a set of one or more applicable regulations becomes your Mandatory Security Control Frameworks, to which compliance is mandatory. In addition to your mandatory controls, one or more standards like NIST CSF and NIST 800-53, or industry-association frameworks like the Center for Internet Security Critical Security Controls, may be leveraged as "should" control guidance. These frameworks, together with your internal framework of "committed" controls, collectively form your control space.

Shield External Workspace

Desktop Selection: External Control Frameworks: 
Framework Selected: NIST CSF 1.1 

NIST CSF 1.1: Level 1, 2 & 3

Desktop Selection: External Control Frameworks: 
Framework Selected: NIST 800-53 r4

NIST 800-53 r4: Level 1, 2 & 3

Mapping between External Standards & Regulations

A number of sources, some of them authoritative, provide cross-framework maps between the controls of one framework and the controls of another. Two mapped controls cannot simply be "deemed" equivalent; the mapping must be evaluated for completeness and coverage.


This mapping is normally completed at high levels and does not deal with any inconsistencies or gaps between the two mapped controls. 

Seeing the relationships between control framework objectives 

Shield External Workspace

Desktop: Links to External Control Frameworks 

Select anchor framework & "mapped into" framework to see connections: 
Mappings: NIST 800-53 into NIST-CSF

Mappings: NIST CSF into NIST 800-53

Data View: NIST 800-53 Level 3 control data view hot link. Provides all object information, including all links to assets and controls.

Inter-Framework Mapping Gap Analysis

Coverage gaps between frameworks

Shield Bi-View of Mapping

Desktop Selection: Links to External Control Frameworks

Bi-View: two-framework inverse mapping, see the gaps

Create a bi-view and see gaps in map coverage between two frameworks. 
Maps between NIST CSF and NIST 800-53 

Create a ruler, measure controls from different Perspectives

Metrics

Once the control space is clearly defined, its controls can be evaluated for different properties, called Perspectives, which include Efficacy, Coverage and Health. The ability to visualize security control frameworks at different levels permits qualitative high-level evaluations to be conducted quickly, and more detailed quantitative evaluations to be conducted in high-risk or regulated areas.

Measure what you can see

Shield Evaluation Workspace

Desktop Selection: Control Evaluation for Audit & Compliance

ISO 27001:2013 Framework Evaluated @ level 1

Perspective: Effectiveness

Attribute Library View: Effectiveness Attributes make up the Ruler

Select the security control framework to be evaluated, select the control level to be rated, define the applicable rulers, and start evaluating: instant results.

Perspective: Effectiveness

Rated at level 2, Attribute Library View

Spheric Shield

Protect Once, Comply Many

Collect Artifacts & Evidence of State

I can show you 

The process of creating rulers with increasing levels of contextual precision, and of conducting an evaluation of one or more perspectives, should be substantiated by justification comments, files and links.

Functionality included in Sensitive Shield License only

Shield Audit & Compliance Workspace

Desktop Selection: Controls

Perspective: Effectiveness

Framework: ISO 27001:2013 Evaluated @ level 2

Data View: Level 2 Control: Information Security Policy

Artifacts View: Upload and add to existing

Rate Control Objectives, Aggregate into Indices for Reporting

The process of creating any contextual ruler with increasing levels of precision, and of conducting an evaluation of one or more perspectives, should be substantiated by justification comments, files and links.

I can show you how I justified it

Functionality included in Sensitive Shield License only

Shield Audit & Assessment

Desktop Selection: Controls

Perspective: Effectiveness

Framework: ISO 27001:2013 Evaluated @ level 2

Data View: Level 2 Control: Information Security Policy

Evaluation View: rated @ 20%

Project ratings into any other Framework for Compliance

Recast the ratings into another framework

Once the effort has been made to document and assess the state of control in one reference control framework, the assessment results can be recast into any other framework for which mappings are provided.


This function is called Projection.
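The two operations described on this page, the bi-view gap analysis of a cross-framework map (controls in either framework that the map leaves uncovered) and the Projection of ratings from an assessed framework into another, are small enough to show end to end. The following is an added example written for this page; it is not Spheric Shield's code and does not describe how the product computes either result. The frameworks, control ids and the map between them are constructed placeholders, not real NIST or ISO identifiers, and the rule used to combine several source ratings into one projected rating (`min` by default) is an assumption made here for the example.

```python
"""Cross-framework control mapping: bi-view gap analysis and projection of ratings."""

# Constructed example data: control ids are placeholders, not real NIST or ISO identifiers.
FRAMEWORK_A = {"A-01", "A-02", "A-03", "A-04"}
FRAMEWORK_B = {"B-01", "B-02", "B-03", "B-04"}

# Constructed one-directional map: each A control -> the B controls it is claimed to cover.
A_TO_B = {
    "A-01": {"B-01", "B-02"},
    "A-02": {"B-02"},
    "A-03": set(),          # listed, but the published map gives it no counterpart
    # A-04 is missing from the map entirely
}


def validate_map(mapping, source, target):
    """Reject a map that refers to controls outside either framework (a typical import error)."""
    for src, targets in mapping.items():
        if src not in source:
            raise ValueError(f"unknown source control {src!r}")
        unknown = targets - target
        if unknown:
            raise ValueError(f"{src!r} maps to unknown target controls {sorted(unknown)}")


def invert(mapping):
    """Build the inverse map: target control -> set of source controls that map into it."""
    inverse = {}
    for src, targets in mapping.items():
        for tgt in targets:
            inverse.setdefault(tgt, set()).add(src)
    return inverse


def coverage_gaps(source, target, mapping):
    """Bi-view of a map: source controls that map nowhere, and target controls that
    nothing maps into. Both are returned as sorted lists so the result is deterministic."""
    validate_map(mapping, source, target)
    inverse = invert(mapping)
    unmapped_source = sorted(c for c in source if not mapping.get(c))
    unmapped_target = sorted(c for c in target if c not in inverse)
    return unmapped_source, unmapped_target


def project(ratings, source, target, mapping, combine=min):
    """Project per-control ratings from the source framework into the target framework.

    For each target control, gather the ratings of every rated source control that maps
    into it and combine them. `combine=min` is an assumption made for this example: it is
    the conservative choice, so a target control never scores better than the weakest
    source control covering it. Target controls with no rated source control get None and
    must be assessed directly; they are exactly the target-side gaps of coverage_gaps().
    """
    validate_map(mapping, source, target)
    inverse = invert(mapping)
    projected = {}
    for tgt in sorted(target):
        scores = [ratings[src] for src in inverse.get(tgt, ()) if src in ratings]
        projected[tgt] = combine(scores) if scores else None
    return projected


if __name__ == "__main__":
    # Constructed effectiveness ratings for framework A, as fractions in [0, 1].
    ratings_a = {"A-01": 0.2, "A-02": 0.8, "A-03": 0.5}
    print("gaps:", coverage_gaps(FRAMEWORK_A, FRAMEWORK_B, A_TO_B))
    print("projected (min):", project(ratings_a, FRAMEWORK_A, FRAMEWORK_B, A_TO_B))
    print("projected (mean):",
          project(ratings_a, FRAMEWORK_A, FRAMEWORK_B, A_TO_B,
                  combine=lambda xs: sum(xs) / len(xs)))
```

Run as a script, the gap report names A-03 and A-04 (nothing maps them out of A) and B-03 and B-04 (nothing maps into them), and the projection rates B-02 at 0.2 under `min` even though A-02 scored 0.8, because A-01 also covers it and scored 0.2. Swapping in a mean shows why the combining rule has to be stated alongside any projected result: the same map and the same ratings give B-02 a 0.5.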

Shield Compliance Workspace

Define Rulers to Measure Metrics, Select What to Measure, Evaluate, Project, Done

Perspective: Effectiveness

Source Framework: NIST CSF 1.1 rated @ level 3

Right View: Depth View

Perspective: Effectiveness

Source Framework: NIST CSF 1.1 rated @ level 3

Projection View: ... into controls of ISO 27001:2013

Perspective: Effectiveness

Source Framework: NIST CSF 1.1 rated @ level 3

Projection View: ... into controls of NIST 800-53 r4

Please let me give you a demo. Or, if you would rather test drive immediately and not talk to anyone: