Security controls in the governance framework - AWS Prescriptive Guidance

Security controls in the governance framework

It is important to plan from a foundational level. How does one start? The following figure shows how you can build a security governance strategy based on a policy, control objectives, standards, and security controls.

The layers of a security governance framework.

The following are the hierarchical components of a governance strategy for security:

  • Policy – A policy is the foundation of any cybersecurity governance strategy. It is a document that states the expectations of the company, such as statutory, regulatory, or contractual obligations that it must meet. Policies can vary by industry and region.

  • Control objectives – Control objectives are targets, such as industry-recognized best practices, that help you meet the intent of a policy. For cloud computing, many companies adopt the Cloud Controls Matrix (CCM) (Cloud Security Alliance website), which is a framework of cybersecurity control objectives.

  • Standards – Standards are formally established requirements that satisfy a control objective. Standards might include processes, actions, or configurations, and they are quantifiable so that you can measure performance against the standard.

  • Security controls – Security controls are the technical or administrative mechanisms you put in place to implement the standards. All security controls map to standards, but not all standards map to security controls. Testing of security controls is designed to monitor and measure whether you are effectively meeting the defined standards.

This guide focuses on how to design and implement common types of security controls in the AWS Cloud.