Security Operations Controls

Purpose

Bramble ensures appropriate resources and a management structure exists to enable the service delivery of cybersecurity operations.

Scope

Security Operations is performed at a level of precision that allows for the identification of security risks across the organization.

Ownership

The owner of this control is Field Security Team.

Controls

Control Number Control Title Control Statement Goal TOD TOE
OPS-01 Operations Security Bramble Group Corp. has established mechanisms to implement operational security controls to identify and document Standardized Operating Procedures (SOP), or similar documentation, to enable the proper execution of day-to-day / assigned tasks. Does the organization facilitate the implementation of operational security controls? 1. Identify policies and procedures responsible for identification and implementation of Standard Operating Procedures (SOP) or similar, to enable the execution of assigned tasks.

2. Examine SOP’s (or similar) for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.
1. Examine SOP’s against assigned or day to day tasks for evidence that SOP’s exist for each identified task.
OPS-02 Security Concept of Operations (CONOPS) Bramble Group Corp. has established mechanisms to develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques that is communicated to all appropriate stakeholders. Does the organization develop a security Concept of Operations (CONOPS) that documents management, operational and technical measures implemented to apply defense-in-depth techniques? 1. Identify mechanisms used to support a Security Concept of Operations (CONOPS) plan used to define plan for achieving cybersecurity objectives.

2. Examine CONOPS (or similar) for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; Operational and technical implementation requirements; Defined defense-in-depth techniques; and Communication to appropriate stakeholders.
1. Examine CONOPS plan against cybersecurity control objectives.

2. Examine communication distribution during the examination period for evidence that communication to appropriate stakeholders was completed.
OPS-03 Service Delivery (Business Process Support) Bramble Group Corp. has established mechanisms to define supporting business processes and implement appropriate governance and service management to ensure appropriate planning, delivery and support of the organization’s technology capabilities supporting business functions, workforce, and/or customers based on industry-recognized standards to achieve the specific goals of the process area. Does the organization define supporting business processes and implement appropriate governance and service management to ensure appropriate planning, delivery and support of the organization’s technology capabilities supporting business functions, workforce, and/or customers based on industry-recognized standards? 1. Identify industry-recognized standards utilized to obtain, generate and use quality information to define and support business processes, governance and service management as they relate to Bramble’s technology capabilities.

2. Examine technology standards and capabilities as they relate to: Business process Governance Service management Delivery Planning Workforce customers.
1. Examine technology standards and capabilities for evidence that relevant, quality information was used to support the processes, governance and services outlined in the ToD.
  • Test of Design - (TOD) – verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
  • Test of Operating Effectiveness - (TOE) - used for verifying that the control is in place and it operates as it was designed.

Policy Reference

  • Risk Management Program (WIP)