Secure Engineering & Architecture Controls
Purpose
Bramble aligns cybersecurity engineering and architecture decisions with the overall technology architectural strategy and industry-recognized leading practices to secure networked environments.
Scope
This control applies to all systems within the production environment. The production environment includes all endpoints and cloud assets used in hosting Brmbl.io and its subdomains. This may include third-party systems that support the business of Brmbl.io.
Ownership
This control is owned by Security Operations.
Controls
| Control Number | Control Title | Control Statement | Goal | TOD | TOE |
|---|---|---|---|---|---|
| SEA-01 | Secure Engineering Principles | Bramble Group Corp. has implemented mechanisms to centrally-manage organization-wide management and implementation of industry-recognized cybersecurity and privacy practices and other related processes in the specification, design, development, implementation and modification of systems and services. | Does the organization facilitate the implementation of industry-recognized security and privacy practices in the specification, design, development, implementation and modification of systems and services? | 1. Identify industry-recognized cybersecurity and privacy practices utilized for the design, development, implementation and modification of systems and services. 2. Examine the policies, procedures and related documents outlining the organization-wide implementation and management of baseline secure engineering practices. |
1. Examine policies, procedures and related documentation for baseline security practices, implementation and management during the design, development, implementation and modification of the system or service (Change Management practices). 2. Examine the change management practices for evidence they follow the industry-recognized cybersecurity and privacy standards. |
| SEA-02 | Alignment With Enterprise Architecture | Bramble Group Corp. has implemented mechanisms to develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for cybersecurity and privacy principles that addresses risk to organizational operations, assets, individuals, and other organizations. | Does the organization develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for cybersecurity and privacy principles that addresses risk to organizational operations, assets, individuals, other organizations? | 1. Examine the policies, procedures and related documents associated with the evaluation and implementation of an organizational level enterprise architecture. Including considerations for: industry-recognized leading practices; cybersecurity and privacy principles; organizational operations; Assets; Individuals; and other organizations. | 1. Examine policies, procedures, related documents, risk assessments and control activities that support the implementation and considerations outlined in the ToD. |
- Test of Design - (TOD) – verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
- Test of Operating Effectiveness - (TOE) - used for verifying that the control is in place and it operates as it was designed.