Sample Security Controls Matrix
Tactics for Negotiating Security Provisions
Disclaimer
This document is a case study of a hypothetical company. The matrix below represents a hypothetical company's posture as it relates to a particular standard (in this case, CIS 20). This type of matrix can be prepared for other standards, such as ISO 27002, NIST 800-53, etc. Bear in mind, however, that the matrix is specific to a particular company and, in some cases, to a particular venture. This document is not intended to be used as a generic reference; rather, it is an example of the type of deliverable that can assist transactional attorneys in negotiating security provisions.
Overview
The intent of this document is to present a case study based upon a fictitious organization, in this scenario a software as a service (SaaS) provider ("SaaSCorp") targeting mid-size to large companies. As it is awarded contracts, SaaSCorp's customers impose certain security provisions by way of a Master SaaS Agreement. One of the provisions stipulates that SaaSCorp represent and warrant that administrative, physical, and technical safeguards are in place that are no less rigorous than those set out in the CIS 20 standard.[1]
SaaSCorp's attorney is concerned about whether SaaSCorp can make those representations, as she does not wish for her organization to be in breach immediately upon execution of the contract. For this reason, she engages a cybersecurity company to assess SaaSCorp's cyber program against the CIS 20 standard (and other security provision requirements) for this type of industry/venture, for the purpose of building a matrix she can use in this and subsequent contract negotiations.
Negotiation Tactics
Oftentimes security standards are negotiated in an all-or-nothing fashion, but SaaSCorp's attorney recognizes that she may be able to break up a standard control by control, for granular negotiations. Her negotiation tactics include the following strategies:

1. Determine which controls/items have already been completed so that she can accept them outright
2. Identify those controls/items that could be completed with low to moderate difficulty and at reasonable cost
3. Negotiate out controls/items that are not applicable to SaaSCorp's security program requirements for this engagement
4. Defer, for a period of time, certain controls/items that are considered difficult to implement or are costly
5. Offer, as an alternative, a liability super cap in lieu of completing a control/item
6. Put in place, as an alternative, additional insurance coverage in lieu of completing a control/item
7. Shift back to the customer, for a price discount, responsibility for a control/item
[1] CIS 20 was selected in this exercise in part because of its division of security controls into 20 defined categories.
Security Controls Matrix - Case Study & Sample Controls Matrix
Matrix columns: Requirement/Control Description; Status; Difficulty (Easy / Medium / Hard); CapEx ($ / $$ / $$$); OpEx ($ / $$ / $$$); Notes. The "Marks" field for each control lists the X entries from the Difficulty, CapEx and OpEx columns, reproduced as given.

SANS CIS 20 Security Controls

1. Inventory of Authorized and Unauthorized Devices
   Status: Complete
   Marks: X X
   Notes: SaaSCorp has processes in place to perform & maintain current hardware inventories, and can demonstrate having met this requirement.

2. Inventory of Authorized and Unauthorized Software
   Status: Complete
   Marks: X X
   Notes: SaaSCorp has processes in place to perform & maintain current software inventories, and can demonstrate having met this requirement.

3. Secure Configurations for Hardware and Software
   Status: Tactic 2: Can complete
   Marks: X X X
   Notes: The majority of the expenditure would be in OpEx because securing systems can be completed with SaaSCorp's existing information security team.

4. Continuous Vulnerability Assessment and Remediation
   Status: Tactic 2: Can complete
   Marks: X X X
   Notes: SaaSCorp has already completed a vulnerability assessment. Upon execution of this agreement, SaaSCorp will contract with a third party to satisfy this control.

5. Controlled Use of Administrative Privileges
   Status: Complete
   Marks: X X
   Notes: SaaSCorp has processes and technology in place to provide this capability, and can demonstrate having met this requirement.

6. Maintenance, Monitoring, and Analysis of Audit Logs
   Status: Tactic 2: Can complete
   Marks: X X X
   Notes: SaaSCorp will need to implement technology solutions to support this requirement, and will contract with a 3rd party for support and monitoring services to minimize operational costs.

7. Email and Web Browser Protections
   Status: Tactic 2: Can complete
   Marks: X X X
   Notes: SaaSCorp has basic email security technologies in place; however, the existing program does not address web browsing defenses. Addressing this issue will be relatively easy, but will require the purchase and deployment of additional technology solutions.

8. Malware Defenses
   Status: Complete
   Marks: X X
   Notes: SaaSCorp has purchased & implemented current anti-malware technology, and can demonstrate having met this requirement.

9. Limitation and Control of Network Ports
   Status: Complete
   Marks: X X
   Notes: SaaSCorp has network configuration standards & processes in place to address this, and can demonstrate having met this requirement.

10. Data Recovery Capability
   Status: Tactic 7: Shift to customer
   Marks: Not Applicable
   Notes: Customer is a cloud service provider, so this control can be pushed to the customer in negotiation, perhaps with a price shift.

11. Secure Configurations for Network Devices
   Status: Complete
   Marks: X X X
   Notes: SaaSCorp has developed a basic device security management process, and can demonstrate having met this requirement.

12. Boundary Defense
   Status: Complete
   Marks: X X
   Notes: SaaSCorp has boundary controls such as firewalls and intrusion detection systems in place, and can demonstrate having met this requirement.

13. Data Protection
   Status: Tactic 5: Super cap
   Marks: X X X
   Notes: SaaSCorp does not currently have the ability to encrypt data, but relies on other controls and aspects of its cybersecurity program to protect customer data. Until such encryption can be rolled out, SaaSCorp may offer a super cap in the limitation of liability for this control. As an alternative, SaaSCorp can offer to attain additional cybersecurity insurance.

14. Controlled Access Based on the Need to Know
   Status: Complete
   Marks: X X
   Notes: SaaSCorp has defined policy requirements & processes to limit access based on role, and can demonstrate having met this requirement.

15. Wireless Access Control
   Status: Tactic 3: N/A
   Marks: Not Applicable
   Notes: SaaSCorp prevents wireless networking by policy and does not employ wireless networks.

16. Account Monitoring and Control
   Status: Tactic 6: Insurance
   Marks: X X
   Notes: SaaSCorp can monitor when users are logging in, but has limited insight into account usage details. Until technology solutions are put in place, SaaSCorp can offer to attain additional cybersecurity insurance and name Customer as a beneficiary.

17. Security Skills Assessment & Appropriate Training to Fill Gaps
   Status: Tactic 2: Quick Win
   Marks: X X
   Notes: SaaSCorp can meet this requirement with relative ease by leveraging 3rd party solutions to assess existing security skills and provide training courses.

18. Application Software Security
   Status: Complete
   Marks: X X
   Notes: SaaSCorp has a documented secure software development process in place, and can demonstrate having met this requirement.

19. Incident Response and Management
   Status: Tactic 4: Defer for one year
   Marks: X X
   Notes: While SaaSCorp has a generic incident response plan, the attorney is concerned that it is not actionable and may not withstand scrutiny. SaaSCorp will convey its plans to employ a recognized incident response program and will negotiate one year to comply.

20. Penetration Tests and Red Team Exercises
   Status: Complete
   Marks: X X
   Notes: SaaSCorp has performed a penetration test within the prior 12 months, and can demonstrate having met this requirement.

Disclaimer: This document represents a hypothetical case study involving a fictitious organization, for educational purposes, and does not refer to any specific or actual organization.