Controls Management

Updated Jan 30, 2024 ·

Routine Management of Security Controls

In addition to regular security audits, organizations should consistently manage their security controls to ensure ongoing effectiveness.

Perform regular control testing and monitoring.
Manage exceptions, create remediation plans, and use compensating controls when necessary.

Control Testing Procedures

Control testing is crucial for maintaining security but should not rely solely on periodic audits. Regular monitoring ensures any issues are caught promptly.

Implement routine automated monitoring, such as firewall checks.
Supplement audits with frequent checks.

Handling Exceptions to Controls

Security rules often have exceptions, and organizations need a clear process for handling them, ensuring proper documentation and authorization.

Define a formal process for requesting and approving exceptions.
Document exceptions with reasons and risk justifications.

Compensating Controls

Compensating controls are alternative security measures that mitigate risks when exceptions are made to standard controls.

Ensure compensating controls meet the intent of the original control.
The compensating control must provide a similar level of protection.

For more information, please see Security Controls

Routine Management of Security Controls​

Control Testing Procedures​

Handling Exceptions to Controls​

Compensating Controls​

Routine Management of Security Controls

Control Testing Procedures

Handling Exceptions to Controls

Compensating Controls