Recently we’ve received a number of requests for “Key Controls” from auditors or examiners for the financial institutions we work with. Fortunately, for those that have our Risk Management module, our CySPOT™ platform makes this as simple as running a report.
But for those that don’t have that service, there can be some confusion on what a Key Control is and what should be reported to fulfill this request. This blog post is meant to provide some clarity on the subject and provide 5 steps that you can take to maintain your own list of key controls.
What even is a Key Control?
ISACA defines a control as, “any device, system, procedure, or process that regulates some operational activity.” In the information security industry, we toss the term around daily.
From that definition, we can describe a Key Control as any device, system, procedure, or process that regulates some operational activity that must function properly for risk to be reduced to an acceptable level.
Simply put, Key Controls are the controls for a given system that are the most important to keep that information asset safe. Keep in mind, Key Controls are not necessarily universal or enterprise-wide. A Key Control for one asset may not be a Key Control for another. But that’s where the risk assessment comes into play – more on that later.
Some examples of Key Controls (certainly not exhaustive):
- Dual Control
- Separation of Duties
- Change Control Process
- Vendor Due Diligence
- Redundant Systems
- Backups
- DR/BC Plans
- DR/BCP Testing
- Encryption
- Strong Passwords
- MFA
- User Access Provisioning & Reviews
- Admin Activity Logging
- Disable Local Admins
- Account Lockouts
- Access Logging
- Idle Session Timeout
- Vulnerability Management
- Patching and Updates
- SOC/SIEM Monitoring
- Email Scanning
- Employee Training
- Mobile Device Management
- Secure Media Destruction
- Web Gateway Filtering
- Firewall
- Antivirus w/ Updates and Monitoring
- USB Restrictions
- Remote Access Controls / Encryption
Why do auditors and examiners ask for Key Controls?
There are several reasons for this, the first being that it’s a great way to get a better idea of the risk profile of an organization. An experienced auditor or examiner can look at a glance for Key Controls on certain assets and, if some are missing, begin to ask more probing questions about the specific risk in that area (e.g. if half the items from the list above don’t show up on your Key Controls report, it may raise a concern).
The second reason, and the more important of the two, is that Key Controls should be tested as part of a solid audit program, and examiners may choose to test some at random as well.
What are the 5 steps to utilize Key Controls in your financial institution?
- Do a risk assessment. This is the most important step, so don’t miss this one. A general, enterprise-level assessment won’t cut it here. You will get much greater value from an “asset-based” risk assessment because it forces you to go deeper. Inventory your assets, identify the threats that each asset faces, and then inventory the controls you have in place that are tied specifically to that threat on that asset.
- Identify your Key Controls. As you go through the risk assessment process, Key Controls will begin to show up as the ones that provide the greatest reduction of risk in your environment. As said before, Key Controls are based on the asset, not the organization as a whole, so they will vary from asset to asset depending on the relevant threats.
- Communicate them to your auditor. This can be part of the audit risk assessment (separate from #1 above), or part of the general scoping conversation. But it needs to happen before the auditor shows up on your doorstep. When the Key Controls are shared with the auditor proactively, they can plan accordingly and perform effective testing. When they are shared at the last minute, proper testing in the scheduled timeframe is much harder for the audit team.
- Test your Key Controls. They are your most important controls; wouldn’t you want to know whether they are working, or not? Make sure your auditors understand that you want Key Controls tested, and make sure your staff is cooperative with the idea. This can be hard, because it takes a certain amount of vulnerability: being honest and open with auditors and your management team in order to make your Information Security Program better. But it’s worth it.
- Update your Risk Assessment. Make sure to take the time to go back and update your risk assessment based on the results. If the audit found a key control to be deficient, you may be carrying more residual risk than was previously reported. Do you need to remedy something with that Key Control, find a new provider, or maybe even implement compensating secondary controls?
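The five steps above, worked through as an added example that is not part of the original post: a small asset-based risk assessment in Python that applies the definition of a Key Control given earlier (a control that must function for residual risk to stay at an acceptable level), produces the per-threat Key Controls report, and then re-runs the assessment after an audit marks one control deficient (step 5). The scoring model, the acceptable-risk threshold of 8, and the asset, threats, controls and reduction values are all constructed assumptions, not figures from the post.

```python
from dataclasses import dataclass, field
ACCEPTABLE = 8  # constructed risk-appetite threshold (assumption)

@dataclass
class Control:
    name: str
    reduction: int            # risk points removed while functioning
    functioning: bool = True  # set False once an audit finds it deficient

@dataclass
class Threat:
    name: str
    inherent: int             # likelihood x impact before any controls
    controls: list = field(default_factory=list)

    def residual(self, ignoring=None):
        """Residual risk, optionally treating one control as failed."""
        cut = sum(c.reduction for c in self.controls
                  if c.functioning and c is not ignoring)
        return max(self.inherent - cut, 0)

    def key_controls(self):
        """Controls whose failure alone would push residual risk above ACCEPTABLE."""
        if self.residual() > ACCEPTABLE:
            return []  # already unacceptable: the threat, not a control, is the finding
        return [c.name for c in self.controls
                if c.functioning and self.residual(ignoring=c) > ACCEPTABLE]

def sample_asset():
    """Constructed asset (a core banking system): two threats, mapped controls."""
    return {
        "Ransomware": Threat("Ransomware", 20, [
            Control("Backups", 7), Control("Patching and Updates", 4),
            Control("Email Scanning", 3), Control("Antivirus", 2)]),
        "Unauthorized access": Threat("Unauthorized access", 16, [
            Control("MFA", 6), Control("Account Lockouts", 3),
            Control("User Access Reviews", 3)]),
    }

def report(asset):
    """Key Controls report (steps 1-2): residual risk and key controls per threat."""
    return {t.name: {"residual": t.residual(),
                     "acceptable": t.residual() <= ACCEPTABLE,
                     "key_controls": t.key_controls()} for t in asset.values()}

def mark_deficient(asset, control_name):
    """Step 5: an audit found a control deficient; re-run the assessment."""
    for c in (c for t in asset.values() for c in t.controls if c.name == control_name):
        c.functioning = False
    return report(asset)
```

Note that Patching and Updates is not flagged as a Key Control for the constructed ransomware threat even though it reduces risk: removing it alone leaves residual risk at the threshold, which is the distinction between a control and a Key Control for that asset.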
I hope you found this post helpful. If you have any questions on Key Controls or performing an asset-based risk assessment let us know at support@bedelsecurity.com.