Project & Resource Management Controls
Bramble utilizes a risk-based approach to ensures that security-related projects have both resource and project/program management support to ensure successful project execution and to alleviate foreseeable governance, risk and compliance roadblocks.
Scope
This control applies to all Bramble production systems.
Ownership
This control is owned by the Security Team.
Controls
| Control Number | Control Title | Control Statement | Goal | TOD | TOE |
|---|---|---|---|---|---|
| PRM-01 | Security Portfolio Management | Bramble Group Corp. has implemented mechanisms for security and privacy-related resource planning controls that define a viable plan for achieving cybersecurity & privacy objectives. | Does the organization facilitate the implementation of security and privacy-related resource planning controls? | 1. Identify policies and procedures responsible for defining a plan for cybersecurity, risk and privacy objectives. 2. Examine the plan for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements. |
1. Examine plan for review and approval based on identified cadence (annual, quarter etc). 2. Examine plan for coverage of cybersecurity, risk and privacy objectives. |
| PRM-02 | Security & Privacy Resource Management | Bramble Group Corp. has implemented mechanisms to address all capital planning and investment requests, including the resources needed to implement the security & privacy programs and documents all exceptions to this requirement. | Does the organization address all capital planning and investment requests, including the resources needed to implement the security & privacy programs and documents all exceptions to this requirement? | 1. Examine the policies, procedures and related documents associated with capital planning and investment requests including but not limited to: security and privacy programs financial reporting objectives non financial reporting objectives. 2. Examine the policies, procedures and related documents associated with the exception process. |
1. Examine planning and investment requests during the examination period for evidence to support requests included the attributes outlined in ToD. 2. Examine all exceptions during the examination period for evidence the exception process was followed. |
| PRM-03 | Allocation of Resources | Bramble Group Corp. has implemented mechanisms to identify and allocate resources for management, operational, technical and privacy requirements within business process planning for projects / initiatives. | Does the organization identify and allocate resources for management, operational, technical and privacy requirements within business process planning for projects / initiatives? | 1. Examine the policies, procedures and related documents associated with business process planning and initiatives as it relates to resource allocation for the below requirements: Management Operational Technical privacy. 2. Examine the policies, procedures and related documents for internal and external communication requirements. |
1. Examine business plans during the examination period for evidence to support initiatives included the attributes outlined in ToD. 2. Examine communications during the examination period for evidence business plans related to support the initiatives were communicated to internal and external users as applicable. |
| PRM-04 | Security & Privacy In Project Management | Bramble Group Corp. has implemented mechanisms to assess security and privacy controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements. | Does the organization assess security and privacy controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements? | 1. Examine the policies, procedures and related documents associated with security and privacy control activities and testing for evidence that control activities and testing are being conducted correctly, operating as intended and producing the desired results based on internal and external requirements. | 1. Examine security and privacy control activities during the examination period. 2. Examine activities for the below to confirm they follow necessary policies, procedures and associated documents: Testing methods Operational methods Exception process Observation process Continuous monitoring. |
| PRM-05 | Security & Privacy Requirements Definition | Bramble Group Corp. has implemented mechanisms to identify critical system components and functions by performing a criticality analysis for critical systems, system components or services at pre-defined decision points in the Secure Development Life Cycle (SDLC). | Does the organization identify critical system components and functions by performing a criticality analysis for critical systems, system components or services at pre-defined decision points in the Secure Development Life Cycle (SDLC)? | 1. Examine the policies, procedures and related documents associated with the Secure Development Life Cycle (SDLC). 2. Examine the SDLC for evidence of: Criticality analysis System components and service Dependencies and critical functions Resilience requirements Risk assessment. |
1. Pull a population of all SDLC critical system analysis. 2. Examine a sample set of SDLC analyses for evidence of ToD attributes. |
| PRM-06 | Business Process Definition | Bramble Group Corp. has implemented mechanisms to define business processes with consideration for cybersecurity and privacy that determines: ▪ The resulting risk to organizational operations, assets, individuals and other organizations; and ▪ Information protection needs arising from the defined business processes and revises the processes as necessary, until an achievable set of protection needs is obtained. | Does the organization define business processes with consideration for cybersecurity and privacy that determines: - The resulting risk to organizational operations, assets, individuals and other organizations; and - Information protection needs arising from the defined business processes and revises the processes as necessary, until an achievable set of protection needs is obtained? |
1. Examine the policies, procedures and related documents associated with the documentation and business process associated with cybersecurity and privacy considerations. Specifically as it relates to: Risk Information protection. 2. Examine the review and approval of the associated policies, procedures and documentation as defined (annual, quarter etc.). |
1. Examine completed business process reviews specifically for cybersecurity and privacy during the examination period. 2. Examine the review for evidence that attributes outlined in the ToD were considered, developed, documented, approved and tested (as applicable). |
| PRM-07 | Secure Development Life Cycle (SDLC) Management | Bramble Group Corp. has implemented mechanisms to ensure changes to systems within the Secure Development Life Cycle (SDLC) are controlled through formal change control procedures. | Does the organization ensure changes to systems within the Secure Development Life Cycle (SDLC) are controlled through formal change control procedures? | 1. Inquire of appropriate personnel to determine the process for program development and making significant changes to production. 2. Inspect the (Change Management/Program Development policy) to determine the process for making significant changes to production. Data Migration Assessment 1. Inquire of appropriate personnel to determine the process for migrating and validating data migrated as part of program development is complete and accurate. 2. Inspect the (Data Migration/Project plan, system configuration, etc.) to determine the process for migrating and validating data migrated as part of program development is complete and accurate. |
1. Obtain and inspect a population of all significant changes that were introduced into production and had business reliance during the period under audit. 2. Select an annualized sample of changes that occurred during the period to determine if they were tested and approved in line with the policy and all known issues were communicated to relevant business and IT stakeholders. 3. Obtain and inspect documentation (i.e merge requests/issues) that each project was sufficiently tested in line with the policy by all relevant business and IT stakeholders. 4. Obtain and inspect documentation that all known issues were captured and communicated to the relevant stakeholders prior to final go-no go decisions. 5. Obtain and inspect documentation (i.e merge requests/issues) that each sampled change was approved for go-live in line with the policy by all relevant business and IT stakeholders. Data Migration Assessment 1. Obtain and inspect evidence that the data migration was completed and reviewed by management per the planned migration procedures. 2. Validate that the data was transferred completely and accurately from System A to System B and any discrepancies were researched and resolved per the planned migration procedures. |
- Test of Design - (TOD) – verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
- Test of Operating Effectiveness - (TOE) - used for verifying that the control is in place and it operates as it was designed.