Security & Privacy Governance Controls

Purpose

Bramble maintains a documented, risk-based security and privacy program that applies appropriate security and privacy principles to address all applicable statutory, regulatory and contractual obligations, and that measures its own success to ensure ongoing leadership oversight and risk management.

Scope

All policies and standards having a direct impact on how Bramble carries out its IT/Security practices are in scope for this control.

Ownership

The owner of this control is Security Compliance.

Controls

Each control below is listed with its Control Number and Control Title, followed by its Control Statement, its Goal, its Test of Design (TOD) steps and its Test of Operating Effectiveness (TOE) steps.

GOV-01: Security & Privacy Governance Program

Control Statement: Bramble Group Corp. has implemented mechanisms to facilitate cybersecurity and privacy governance security controls.
Goal: Does the organization staff a function to centrally govern cybersecurity and privacy controls?
TOD:
  1. Identify policies and procedures responsible for cybersecurity and privacy governance security controls.
  2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.
TOE:
  1. Examine security controls to ensure that coverage of applicable cybersecurity and privacy requirements is aligned with internal roles and external partners.
  2. Inspect a sample of controlled documents to evidence that they are reviewed and approved in accordance with the TOD.

GOV-02: Publishing Security & Privacy Documentation

Control Statement: Bramble Group Corp. has implemented mechanisms to establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures.
Goal: Does the organization establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures?
TOD:
  1. Identify policies, standards and procedures responsible for maintaining and disseminating cybersecurity and privacy documentation.
  2. Examine policies, standards and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.
TOE:
  1. Examine security controls to ensure coverage of applicable cybersecurity and privacy requirements.
  2. Interview key organizational personnel within Bramble for evidence that mechanisms exist to support the facilitation of cybersecurity and privacy.

GOV-03: Periodic Review & Update of Security & Privacy Program

Control Statement: Bramble Group Corp. has implemented mechanisms to review the cybersecurity and privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur, to ensure their continuing suitability, adequacy and effectiveness.
Goal: Does the organization review cybersecurity and privacy policies, standards and procedures at planned intervals or if significant changes occur, to ensure their continuing suitability, adequacy and effectiveness?
TOD:
  1. Identify policies, standards and procedures responsible for maintaining cybersecurity and privacy.
  2. Examine policies, standards and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.
TOE:
  1. Examine security controls to ensure coverage for reviewing significant changes, so that the continuing suitability, adequacy and effectiveness of cybersecurity and privacy controls is maintained.
  2. Interview key organizational personnel within Bramble for evidence that mechanisms exist to support significant changes to the cybersecurity and privacy security controls.

GOV-04: Assigned Security & Privacy Responsibilities

Control Statement: Bramble Group Corp. has implemented mechanisms to assign a qualified individual with the mission and resources to centrally manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and privacy program.
Goal: Does the organization assign a qualified individual with the mission and resources to centrally manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and privacy program?
TOD:
  1. Inspect security collateral for evidence of assignment of resources to centrally manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and privacy program.
  2. Interview security leadership to ensure the responsible party has the correct level of authority and autonomy to achieve program objectives.
TOE:
  1. Examine security controls to ensure that coverage of applicable cybersecurity and privacy requirements is aligned with internal roles.
  2. Interview key organizational personnel within Bramble for evidence that mechanisms exist to support the facilitation of cybersecurity and privacy.

GOV-05: Measures of Performance

Control Statement: Bramble Group Corp. has implemented mechanisms of Key Performance Indicators (KPIs) assisting organizational management and Key Risk Indicators (KRIs) assisting senior management with developing, reporting and monitoring measures of performance and trend analysis of the cybersecurity and privacy program.
Goal: Does the organization develop, report and monitor cybersecurity and privacy program measures of performance?
TOD:
  1. Examine organizational policies and procedures or other relevant documentation that support developing, reporting and monitoring measures of performance and trend analysis.
  2. Interview security leadership to ensure the responsible party has the correct level of authority and autonomy to achieve program objectives.
  3. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.
TOE:
  1. Examine relevant documentation that supports the facilitation of KPIs and KRIs.
  2. Inspect a sample of controlled documents to evidence that they are reviewed and approved in accordance with the TOD.
  3. Interview key organizational personnel within Bramble for evidence that mechanisms exist to support the facilitation of cybersecurity and privacy performance measures.

GOV-06: Contacts With Authorities

Control Statement: Bramble Group Corp. has implemented mechanisms to identify and document appropriate contacts within relevant law enforcement and regulatory bodies.
Goal: Does the organization identify and document appropriate contacts within relevant law enforcement and regulatory bodies?
TOD:
  1. Examine organizational policies and procedures for requirements covering the appropriate contacts within relevant law enforcement and regulatory bodies.
  2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.
TOE:
  1. Inspect formal policies, procedures or other relevant documentation to support the appropriate identification of contacts within law enforcement and regulatory bodies.
  2. Interview key organizational personnel within Bramble for evidence that mechanisms exist to identify and document contacts in accordance with the TOD.
  • Test of Design (TOD): verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
  • Test of Operating Effectiveness (TOE): used to verify that the control is in place and operates as it was designed.

Policy Reference