Introduction
The Define Control Frameworks page allows you to create and manage both frameworks and controls. If you are looking for some help getting started we offer several methods to obtain frameworks and controls with minimal effort. One way would be to use the Compliance Forge SCF Extra, this extra is offered free of charge to all SimpleRisk Instances that are registered. Once an instance is registered (Configure → Register & Upgrade) you will then be able to activate and use the Compliance Forge SCF which is a common controls framework containing 875 controls mapped to 148 frameworks. While the exact wording may vary from control to control the overall expectation set should provide you with a great start to getting a handle on governance in your organization. The other main method we offer is through the use of the paid extra Import/Export. Using this you have the ability to not only import frameworks and controls you may already have defined in a CSV format you can also make use of our one-click installs which includes a host of frameworks and controls to work with. Frameworks available for one-click install include:
AICPA 2017 SOC2 Trust Services Criteria (TSC)
CIS Critical Security Controls v7
CMMC v1.02 Maturity Level 1
CMMC v1.02 Maturity Level 2
CMMC v1.02 Maturity Level 3
CMMC v1.02 Maturity Level 4
CMMC v1.02 Maturity Level 5
FedRAMP Low Baseline Controls
FedRAMP Moderate Baseline Controls
FedRAMP High Baseline Controls
Information Security Regulation Version 2.0
NIST 800-53
NIST 800-171
NIST Cybersecurity Framework (CSF)
PCI Data Security Standard v3.2.1
With the basic usage of this page covered and ways to populate it now we will dive into the various features and capabilities of this page below.
Page Breakdown
This breakdown is divided into two sections Frameworks and Controls. Frameworks governs the status, usage, and descriptions of frameworks while the controls side
Frameworks
Frameworks - This tab allows you to see the Frameworks defined in the system. At this point it will do nothing as we are already looking at the Frameworks section of the Define Frameworks page.
Controls - This tab will take us to the controls section where we can define, manage, and delete controls. This section will be covered later in this document.
Add (“+”) - This button allows the user to create a new framework. You will be given the opportunity to assign a Name, A description, and any parent association it may have relating to another framework already defined in the system.
Active Frameworks - In this tab we display the currently active frameworks. These frameworks will be available for use in the Compliance section and any notifications based on testing that may be currently active will be sent as long as the framework remains active. You may click and drag frameworks from active to inactive or vice versa.
Inactive Frameworks - In this tab we display the inactive frameworks. These frameworks and their controls will not show up in any other section of SimpleRisk as long as they remain active. No notifications will be sent on their behalf for any tests they may have already had defined prior to deactivation. Frameworks can be clicked and dragged to the active tab from here.
Edit Framework - This button allows you to edit the details of an already defined framework. The controls associated with this framework are not displayed or configurable here that will be in the Controls tab and will be covered later in this document.
Delete Framework - This button allows the user to delete a framework. Deleting a framework does not inherently delete its controls. The mapping for that framework will simply be removed from the control.
Controls
Frameworks Tab - This tab will take you back to the frameworks tab allowing you create and manage frameworks.
Controls Tab - This tab would take you to the Controls tab allowing you to create and manage controls.
Control Class Filter - This filter allows you to make a selection of one or more control classes you would like to view. Once a selection is made only those control classes will be displayed.
Control Phase Filter - This filter allows you to make a selection of one or more control phases you would like to view. Once a selection is made only those control phases will be displayed.
Control Family Filter - This filter allows you to make a selection of one or more control families you would like to view. Once a selection is made only those control families will be displayed.
Control Owner Filter - This filter allows you to make a selection of one or more control owners you would like to view. Once a selection is made only those control owners will be displayed.
Control Framework Filter - This filter allows you to make a selection of one or more control frameworks you would like to view. Once a selection is made only those control frameworks will be displayed. Please note that only active frameworks will be displayed.
Control Priority Filter - This filter allows you to make a selection of one or more control priority levels you would like to view. Once a selection is made only those control priority levels will be displayed.
Control Type Filter - This dropdown allows you to select and filter down the controls displayed by the type. By default options are Standalone, Project, and Enterprise.
Control Status Filter - This filter allows you to narrow down results by the current pass/fail status of a given control.
Filter By Text - This allows you to search all fields associated with any control.
Add Control (“+”) - This will open the menu that allows you to enter the details of a new control. Any information entered is not saved until the save button is clicked.
Control Short Name - This field is a place to store the short form name of a control. This will be the name you will see the most often when referencing controls.
Control Long Name - This field can store a full length name and is less often display when referencing throughout SimpleRisk.
Control Number - Generally a section ID or identifier to determine the location of in depth information for a given control.
Control Owner - This field depicts the responsible party for knowledge and execution of a given control.
Current Control Maturity - This field allows the organization to save their current control maturity as expressed by the following options for levels of maturity: Not Performed, Performed, Documented, Managed, Reviewed, or Optimizing.
Desired Control Maturity - This field allows the organization to save their desired control maturity as expressed by the following options for levels of maturity: Not Performed, Performed, Documented, Managed, Reviewed, or Optimizing.
Mitigation Percent - This field allows you to store a percentage that when this control is applied to a mitigation for a risk this percentage will be applied to the inherent risk to get the residual risk score. If this value is not the highest mitigation percentage on a mitigation it will not be used. Only the single highest mitigation percentage is calculated into the residual risk score.
Control Type - You have three different types of control in SimpleRisk. Standalone, which have no further strings attached to their use. Project, which are controls used to keep projects on track and within budget. Enterprise, which has the ability to combine information gathered across multiple processes. With Enterprise selected the control is then tracked when an audit test or compliance assessment is failed this state is displayed on any mitigation this control is being used for and the mitigation percent provided by this control will be dropped to 0. if a question is performing a compliance assessment and passes the assessment, and the mapped control has both the “Project” and “Enterprise” control types selected for it, then the Control Validation Mitigation Percent in the Mitigation will be set to half of the Mitigation Percent value for that given control.
Description - This field is for the description of the control and its requirements.
Supplemental Guidance - This allows users to upload any supporting information related to the control. The file formats supported are dictated by the extensions and file types set in Configure → Settings → File Upload tab.
Control Priority - This field allows you to associate a level priority with for a control.
Control Class - This field offers the ability to further define and categorize your controls by class. The available values can be updated via the Add & Remove Values page in the Configure menu at the top.
Control Phase - This field allows you to store a control phase. The default selections are Physical, Procedural, Technical, Legal & Regulatory. New options can be added via the Add & Remove page found in the Configure menu at the top.
Control Family - This field allows you to categorize a control based on family.
Control Status - This field is for recording the current pass/fail status of a control. This is the value you will see updated when the Control Type is Enterprise when an assessment compliance test is failed or passed.
Mapped Frameworks - This section allows you to click the add “+” button to map the control to an already existing framework. The system allows for users to select multiple frameworks for a single control to map to and lets you label them with a control number to make cataloging controls spanning multiple frameworks much easier.
Summary
The Governance Define Frameworks page allows you to add and manage your Control Frameworks in SimpleRisk. This page should have served to answer all questions related to the Define Frameworks page but if you feel anything has been missed or just seek further clarification please reach out to us at support@simplerisk.com.