4 Controls
Controls are risk reduction measures. They may be manual, automated, or both. Controls may be directly enumerated, but are often documented as an interrelated set of risk management instructions that include strategic assertions, delegation of security roles and responsibilities, workflow, automation configurations, step‐by‐step procedures, and general advice. These documents are classified into risk appetite, policies, processes, standards, procedures, or guidelines, respectively.
Controls are not effective in isolation. Figure 4.1 depicts controls as a hierarchy composed of multiple control methods that comprise enterprise cybersecurity risk reduction measures. Specifically for cybersecurity, management controls are established with cybersecurity risk appetite, and extend into cybersecurity policy, cybersecurity processes, internally developed cybersecurity standards, cybersecurity procedures, and cybersecurity guidelines. For the remainder of this chapter, we will forgo the adjective cybersecurity from these control methods on the assumption that all the controls to which they refer are directed at minimizing cybersecurity risk.
Controls are interactive by design. They are composed at different levels of enterprise organizational structure and addressed to different organizational constituents whose interactions render the controls effective. The risk appetite comes from the top and is colloquially referred to as “tone at the top.” It is the executive management ...