ECC-1: 2018 Cybersecurity Framework: Achieving Compliance with Complyan

Cybersecurity Governance

The governance domain of the ECC focuses on establishing control over an organization’s cybersecurity operations. It provides best practices, and putting policies and procedures in place to safeguard the organization’s computer systems from cyber-attacks and recommendations for implementing a structured planning method, defining processes, and managing cybersecurity risks.

The 9 subdomains under governance include roles and responsibilities, risk management, information technology and project management, compliance with cybersecurity standards, laws, and regulations, periodical cybersecurity review and audit, and human resources. Each subdomain is designed with controls that address specific cybersecurity risks and compliance areas within an organization.

Cybersecurity Defense

The defense domain of ECC is concerned with planning, identifying, assessing, defending against, recovering from, and generally managing security risks before a disaster can occur or when a disaster occurs. It provides a range of security measures to help organizations be aware of security threats and have personnel and strategies in place to defend their systems.

• Asset management, the first subdomain of cybersecurity defense, entails making sure that the organization keeps an accurate and thorough inventory of its information and technology resources to support its cybersecurity program.
• Identity and Access Management (IAM) is another subdomain that involves setting up measures to ensure that only authorized users have secure, restricted access to the organization’s system while preventing unauthorized access.
• Other subdomains include but not limited to protection of information systems and information processing facilities, cryptography, email protection, network security management, and protection of mobile devices.

Cybersecurity Resilience

The resilience domain of ECC is focused on helping organizations build an overall resilient system in the face of cyberattacks. It provides guidelines on preparing for and mitigating cyber incidents to minimize their impact on systems and critical e-services.

This domain has only one subdomain: the Cybersecurity Resilience Aspects of Business Continuity Management. This subdomain provides controls to integrate resilience requirements into the organization’s business continuity management. By doing so, the organization can ensure that its critical business operations can continue even in the face of cyber incidents. The controls in this subdomain include strategies to mitigate the impact of cyber incidents on information processing facilities and systems and to enable quick recovery of e-services in case of disruption. By incorporating these controls into their business continuity management, organizations can improve their resilience and better protect themselves against cyber threats.

Third-Party and Cloud Computing Cybersecurity

The Third-Party and cloud computing cybersecurity domain guides the protection of an organization’s systems and data from cyber threats related to third-party integration and cloud computing resources.

The domain includes two subdomains: Third-party cybersecurity and cloud computing and hosting cybersecurity.

• Third-Party Cybersecurity, which provides controls to manage risks associated with third parties. These include software packages, contracts, outsourcing, and managed services. The controls aim to ensure that third-party integration complies with organizational policies, procedures, and relevant regulations and that all assets are protected from cybersecurity risks.
• The cloud computing and hosting cybersecurity subdomain provides controls to manage risks associated with cloud computing and hosting services. The controls ensure that information and technological resources hosted in the cloud or managed by third parties are protected from cyber threats. They also help ensure that efficient cyber risk remediation measures are in place.

Industrial Control Systems (ICS) Cybersecurity

Industrial Control Systems (ICS) is a computer-based system used in industries to monitor and control physical processes. The ICS Cybersecurity domain of ECC provides controls to ensure these systems’ proper and efficient cybersecurity management to protect them from cyber threats. The lone subdomain under this domain focuses on safeguarding the organization’s assets’ confidentiality, integrity, and availability against cyberattacks.

The controls provided in this subdomain are designed to protect ICS/OT systems against unauthorized access, destruction, spying, and fraud. These controls are developed per the organization’s cybersecurity strategy and applicable local and international laws and regulations. The subdomain covers risk assessment, access control, incident response, and personnel training. Additionally, it offers guidelines for mitigating potential threats and vulnerabilities as well as for ensuring the secure handling of information and technology resources in ICS/OT systems.