
Control Families Explained

As stated earlier, a Cyber Compliance Framework is a structured set of guidelines, standards, and best practices that organizations use to manage cyber risks, protect sensitive data, and meet regulatory obligations. Within a given framework, you have a list of controls, and each control falls into a control family. A control may also fall into a control family section, if sections are used.

The controls specify the processes, procedures, and checks required to ensure a cyber compliance framework is met. A lot of the compliance shown in OpenRMF® Professional is rolled up to the control level. Tailoring (adding in / removing individual controls) and overlays (adding groups of controls to use) depend on the controls as well.

Default Control Families

Many control families are included by default from the NIST 800-53 list of controls and groupings. They include several of the mainstream families such as Access Control, Audit and Accountability, Program Management, Supply Chain Management, and Incident Response.

Default control families within OpenRMF® Professional cannot be edited or deleted.

However, they can be used in the default frameworks with default controls as well as within frameworks you added for those controls (default controls or ones you add).

Adding a Control Family

To add a control family, click the Create Control Family button on the Control Families listing page. Enter the control family and acronym, which are required. Be sure the family name and acronym are unique to your installation. You can also add 1 or more tags and a description to ensure people understand the control family use. Then click the Save button.

Once added, that family can be used for grouping and classification when adding, editing, or uploading controls for any framework you can add or edit.

OpenRMF Professional Add Control Family

You can also add control families by uploading an XLSX file in the proper format. You can do this via the Upload menu in the Frameworks area. Make sure you choose the proper file to upload. You can download a Sample Control Family XLSX as a starting point for uploading a spreadsheet or CSV file. You can also use the data for this shown in our public GitHub repo, linked off our Soteria Software website.

The JSON structure for the control family is listed below:

[
    {
        "controlFamily": "Access Control",
        "controlFamilyAcronym": "AC",
        "controlFamilyDescription": "Focus is on who can access what assets and ensures proper account management, system privileges, and remote access logging."
    },
    {
        "controlFamily": "Audit and Accountability",
        "controlFamilyAcronym": "AU",
        "controlFamilyDescription": "Focus is on establishing audit policies and procedures, keeping track of audit logs, generating reports, and safeguarding valuable audit information."
    },
    {
        "controlFamily": "Planning",
        "controlFamilyAcronym": "PL",
        "controlFamilyDescription": "Focus is on covering the purpose, scope, roles, responsibilities, management commitment, coordination, industry standards, and organizational compliance necessary for effective security planning."
    },
    {
        "controlFamily": "Program Management",
        "controlFamilyAcronym": "PM",
        "controlFamilyDescription": "Focus is on establishing critical infrastructure plans, information security program plans, and risk management frameworks which aligns your enterprise architecture with your security objectives."
    },
    {
        "controlFamily": "Detect",
        "controlFamilyAcronym": "DE",
        "controlFamilyDescription": "Possible cybersecurity attacks and compromises are found and analyzed.",
        "cciTags": [
            "CSF"
        ]
    },
    {
        "controlFamily": "Respond",
        "controlFamilyAcronym": "RS",
        "controlFamilyDescription": "Actions regarding a detected cybersecurity incident are taken.",
        "cciTags": [
            "CSF"
        ]
    },
    {
        "controlFamily": "Recover",
        "controlFamilyAcronym": "RC",
        "controlFamilyDescription": "Assets and operations affected by a cybersecurity incident are restored.",
        "cciTags": [
            "CSF"
        ]
    }
]

Editing a Control Family

To edit a control family, click the ... menu in the listing of non-default control families and select Edit from the menu. Or click Edit from the control family page. Enter your updates on the control family, acronym, tags and description. Then click the Save button. When you save the data, all corresponding information such as the title, acronym, version, etc. is updated throughout the solution wherever it is currently being used.

OpenRMF Professional Edit Control Family

Deleting a Control Family

To delete a control family, click the ... menu in the listing of non-default control families and select Delete from the menu. A warning page explains that when the control family is deleted, any control family section, any control within that family, and those control/CCI combinations within the application on any framework and/or framework level are also removed.

This is a very big cascading delete, so please be careful when using it and know what it will affect.

You must click the Delete Control Family button to actually delete the data. All other control families, controls, and CCIs, as well as the CCIs referenced with this control, stay intact.

This is a hard delete and cannot be undone. You can always re-create or reupload the files that generated the non-default control family though.

OpenRMF Professional Delete Control Family

Adding a Control Family Section

To add a control family section, you must click on a control family in the main listing. Then click the Create Control Family Section button. Add your control family section, corresponding acronym, and description. This family section can be used when adding, editing, or uploading a control for any framework you can add or edit.

OpenRMF Professional Add Control Family Section

You can also add control family sections by uploading an XLSX file in the proper format. You can do this via the Upload menu in the Frameworks area. Make sure you choose the proper file to upload. You can download a Sample Control Family Section XLSX as a starting point for uploading a spreadsheet or CSV file. You can also use the data for this shown in our public GitHub repo, linked off our Soteria Software website.

The JSON structure for the control family section is listed below:

[
    {
        "controlFamily": "Govern",
        "controlFamilyAcronym": "GV",
        "controlFamilySection": "Organizational Context",
        "controlFamilySectionAcronym": "GV.OC",
        "controlFamilySectionDescription": "The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood."
    },
    {
        "controlFamily": "Govern",
        "controlFamilyAcronym": "GV",
        "controlFamilySection": "Risk Management Strategy",
        "controlFamilySectionAcronym": "GV.RM",
        "controlFamilySectionDescription": "The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions."
    },
    {
        "controlFamily": "Govern",
        "controlFamilyAcronym": "GV",
        "controlFamilySection": "Roles, Responsibilities, and Authorities",
        "controlFamilySectionAcronym": "GV.RR",
        "controlFamilySectionDescription": "Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated."
    },
    {
        "controlFamily": "Govern",
        "controlFamilyAcronym": "GV",
        "controlFamilySection": "Policy",
        "controlFamilySectionAcronym": "GV.PO",
        "controlFamilySectionDescription": "Organizational cybersecurity policy is established, communicated, and enforced."
    },
    {
        "controlFamily": "Govern",
        "controlFamilyAcronym": "GV",
        "controlFamilySection": "Oversight",
        "controlFamilySectionAcronym": "GV.OV",
        "controlFamilySectionDescription": "Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy."
    },
    {
        "controlFamily": "Govern",
        "controlFamilyAcronym": "GV",
        "controlFamilySection": "Cybersecurity Supply Chain Risk Management",
        "controlFamilySectionAcronym": "GV.SC",
        "controlFamilySectionDescription": "Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders."
    },
    {
        "controlFamily": "Identify",
        "controlFamilyAcronym": "ID",
        "controlFamilySection": "Asset Management",
        "controlFamilySectionAcronym": "ID.AM",
        "controlFamilySectionDescription": "Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy."
    },
    {
        "controlFamily": "Recover",
        "controlFamilyAcronym": "RC",
        "controlFamilySection": "Incident Recovery Communication",
        "controlFamilySectionAcronym": "RC.CO",
        "controlFamilySectionDescription": "Restoration activities are coordinated with internal and external parties."
    }
]
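
A pre-upload check for data in the two JSON structures shown on this page (control families and control family sections), added here as an example; it is not Soteria Software's code and not how OpenRMF® Professional validates uploads. It assumes uniqueness is compared case-insensitively, that a section's name and acronym are required, and that each section must name a family present in the list you pass in; the function names are hypothetical.

```python
import json

FAMILY_KEYS = ("controlFamily", "controlFamilyAcronym")
SECTION_KEYS = FAMILY_KEYS + ("controlFamilySection", "controlFamilySectionAcronym")

def _blank(rec, keys):
    """Required keys that are absent or empty in rec."""
    return [k for k in keys if not str(rec.get(k) or "").strip()]

def _dupes(records, key, label):
    """Repeated values of key; case-insensitive comparison is an assumption."""
    seen, out = {}, []
    for i, rec in enumerate(records):
        val = str(rec.get(key) or "").strip().casefold()
        if val and val in seen:
            out.append(f"{label}[{i}]: duplicate {key} {rec[key]!r}, "
                       f"first at {label}[{seen[val]}]")
        seen.setdefault(val, i)
    return out

def lint_families(families):
    """Problems in a control family list; an empty result means it is clean."""
    out = [f"family[{i}]: missing {', '.join(m)}"
           for i, rec in enumerate(families) if (m := _blank(rec, FAMILY_KEYS))]
    for key in FAMILY_KEYS:
        out += _dupes(families, key, "family")
    return out

def lint_sections(sections, families):
    """Problems in a section list, checked against the families it points to."""
    parents = {f.get("controlFamilyAcronym"): f.get("controlFamily") for f in families}
    out = []
    for i, rec in enumerate(sections):
        if (m := _blank(rec, SECTION_KEYS)):
            out.append(f"section[{i}]: missing {', '.join(m)}")
        elif parents.get(rec["controlFamilyAcronym"]) != rec["controlFamily"]:
            out.append(f"section[{i}]: parent family {rec['controlFamilyAcronym']!r} "
                       "not in the family list")
    return out + _dupes(sections, "controlFamilySectionAcronym", "section")

# Constructed sample input using the keys shown on this page (descriptions omitted).
FAMILIES = json.loads("""[
  {"controlFamily": "Govern",  "controlFamilyAcronym": "GV"},
  {"controlFamily": "Recover", "controlFamilyAcronym": "RC"},
  {"controlFamily": "Respond", "controlFamilyAcronym": "rc"}]""")
SECTIONS = json.loads("""[
  {"controlFamily": "Govern", "controlFamilyAcronym": "GV", "controlFamilySection": "Policy", "controlFamilySectionAcronym": "GV.PO"},
  {"controlFamily": "Identify", "controlFamilyAcronym": "ID", "controlFamilySection": "Asset Management", "controlFamilySectionAcronym": "ID.AM"},
  {"controlFamily": "Govern", "controlFamilyAcronym": "GV", "controlFamilySection": "Oversight", "controlFamilySectionAcronym": ""}]""")

if __name__ == "__main__":
    print("\n".join(lint_families(FAMILIES) + lint_sections(SECTIONS, FAMILIES)))
```

Running the check before an upload matters most for non-default families, since a mistaken entry can only be corrected later by an edit that propagates everywhere or by a cascading hard delete.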

Editing a Control Family Section

To edit a control family section, click the ... menu in the listing of non-default control family sections and select Edit from the menu. Enter your updates on the control family section, corresponding acronym, and description. Then click the Save button. When you save the data, all corresponding information such as the title, acronym, version, etc. is updated throughout the solution wherever it is currently being used.

OpenRMF Professional Edit Control Family Section

Deleting a Control Family Section

To delete a control family section, click the ... menu in the listing of non-default control family sections of a control family and select Delete from the menu. A warning page explains that when the control family section is deleted, any control within that family section, and those control/CCI combinations within the application on any framework and/or framework level, are also removed.

This is a cascading delete, so please be careful when using it and know what it will affect.

You must click the Delete Control Family Section button to actually delete the data. All other control families and sections, controls, and CCIs, as well as the CCIs referenced with this control, stay intact.

This is a hard delete and cannot be undone. You can always re-create or reupload the files that generated the non-default control family section though.

OpenRMF Professional Delete Control Family Section


Copyright © 2021 - 2025 Soteria Software LLC.