II.C.4     Control Implementation

Management should implement controls that align security with the nature of the institution's operations and strategic direction. Based on the institution's risk assessment, the controls should include, but may not be limited to, patch management, asset and configuration management, vulnerability scanning and penetration testing, end-point security, resilience controls, logging and monitoring, and secure software development (including third-party software development). In implementing controls, management should ensure it has the necessary resources, personnel training, and testing to maximize the effectiveness of the controls.

The level at which controls are implemented should depend on the institution's size, complexity, and risk profile, but all institutions should implement appropriate controls. In light of increasing cybersecurity risks, management should implement risk-based controls for managing cybersecurity threats and vulnerabilities, such as interconnectivity risk. Management should review and update the security controls as necessary depending on changes to the internal and external operating environment, technologies, business processes, and other factors.

The institution can reference one or more recognized technology frameworks and industry standards. Several organizations have published control listings in addition to implementation guidance, including the following:

  • NIST 800 series of publications. These publications provide descriptions of some management processes and technical guidance on many individual controls.
  • Control Objectives for Information and Related Technology (COBIT). COBIT provides a broad and deep framework for governance and management of enterprise IT.
  • IT Infrastructure Library (ITIL). ITIL provides a list of recognized practices for IT service management.
  • International Organization for Standardization (ISO) 27000 series. The ISO 27000 series provides control standards specific to information security.
  • Industry publications and sources. Some industry publications or organizations that provide security-related information include the ISACA Journal, SANS Institute, the Financial Services Roundtable, the Council on Cybersecurity, and the Open Web Application Security Project. Management and staff may find these useful for discrete controls and processes.
  • Vendor-provided publications, bulletin boards, and user groups. Vendors often publish recommendations for securing their products. Additionally, some offer bulletin boards and user groups for clients to interact among themselves.


