Create a matrix with the controls across the top and the security layers down the left. When listing a security layer or element, also identify whether it is a preventive or detective control. Control listings and security architecture maps should help.
Use clear, green, yellow, and red to identify which layers/control types completely meet, partially meet, or do not meet the control requirements across the top. The deliverable will be a control assessment.
In some cases, two or more controls may each provide only partial protection individually, but together may fully meet the control requirements.
Check whether there are unnecessary controls, and analyze the matrix to identify where a single layer may address a control cluster.
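The checks described above can be run mechanically once the matrix is filled in. The following is an added example, not part of the original post: the layer names, the control IDs C1 to C6, the ratings, and the status labels are all constructed assumptions. It flags controls where several partial layers need a combined review, lists layers that are candidates for removal, and finds single layers that cover a cluster.

```python
FULL, PARTIAL, NONE = "full", "partial", "none"
CONTROLS = ["C1", "C2", "C3", "C4", "C5", "C6"]  # hypothetical requirements
# Constructed sample: (layer, control type) -> ratings; unlisted cells are NONE.
MATRIX = {
    ("firewall", "preventive"): {"C1": FULL, "C2": PARTIAL},
    ("web proxy", "preventive"): {"C1": FULL},
    ("ids", "detective"): {"C2": PARTIAL},
    ("log review", "detective"): {"C3": PARTIAL},
    ("endpoint agent", "preventive"): {"C4": FULL, "C5": FULL},
}

def rating(matrix, layer, control):
    return matrix[layer].get(control, NONE)

def assess(matrix, controls):
    """Per control: status plus the layers and control types that contribute."""
    out = {}
    for c in controls:
        full = [l for l in matrix if rating(matrix, l, c) == FULL]
        part = [l for l in matrix if rating(matrix, l, c) == PARTIAL]
        # "review-combined": an analyst judges whether the partials add up.
        status = ("met" if full else "review-combined" if len(part) >= 2
                  else "partial" if part else "gap")
        used = full or part
        out[c] = {"status": status, "layers": [l[0] for l in used],
                  "types": sorted({l[1] for l in used})}
    return out

def removal_candidates(matrix, controls):
    """Layers whose every rated control is fully met by some other layer."""
    cands = []
    for layer in matrix:
        rated = [c for c in controls if rating(matrix, layer, c) != NONE]
        if all(any(rating(matrix, o, c) == FULL for o in matrix if o != layer)
               for c in rated):
            cands.append(layer[0])
    return cands

def cluster_layers(matrix, controls, min_size=2):
    """Single layers that fully meet min_size or more controls."""
    met = {l[0]: [c for c in controls if rating(matrix, l, c) == FULL] for l in matrix}
    return {name: cs for name, cs in met.items() if len(cs) >= min_size}

if __name__ == "__main__":
    for c, r in assess(MATRIX, CONTROLS).items():
        print(c, r)
    print("removal candidates:", removal_candidates(MATRIX, CONTROLS))
    print("cluster layers:", cluster_layers(MATRIX, CONTROLS))
```

Removal candidates are evaluated one layer at a time, so two layers that back each other up can both appear in the list; removing both would open a gap.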