What Are Papaya’s Top 25 Security Controls?
The Papaya framework represents a flexible and minimalist starting point applicable to nearly every type of organization regardless of its industry or size, offering just enough structure to help you get started on security practices without becoming overly burdensome.
In this article, we provide an overview of the Papaya framework’s top 25 security controls, which are designed to help organizations manage their cyber security programs. The controls are grouped into 15 topics, shown in bold below. Each topic covers a distinct but critical area of cyber security, and each control offers guidance on the processes and tools that need to be in place to manage that topic.
Papaya Top 25 Security Controls
- **Asset Management** – Ensure that the organization’s devices and data (this includes laptops, smartphones, and even paper media) are formally managed throughout removal, transfers, and disposal.
- **Asset Management** – Keep an accurate and up-to-date inventory of all your information assets. You need to know what you have in order to protect it!
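The two Asset Management controls are easiest to audit when the inventory is reconciled against what is actually observed. The following Python is an added example written for this article (it is not Papaya framework code); the record fields, lifecycle states, sample inventory, observed host list and 180-day review period are all constructed assumptions. It flags devices seen on the network that the inventory does not know about, assets marked as disposed that are still active, live assets with no accountable owner, and records nobody has verified recently.

```python
from dataclasses import dataclass
from datetime import date

# Lifecycle states and record fields are assumptions for this example,
# not definitions from the Papaya framework.
LIFECYCLE_STATES = {"in_use", "transferred", "disposed"}


@dataclass
class Asset:
    asset_id: str        # inventory reference
    kind: str            # laptop, smartphone, server, paper, ...
    owner: str           # accountable person or team; "" means unassigned
    state: str           # one of LIFECYCLE_STATES
    last_verified: date  # last date someone confirmed this record is right
    identifier: str      # hostname for devices, box/file label for paper


# Constructed sample inventory.
INVENTORY = [
    Asset("A-001", "laptop", "alice", "in_use", date(2024, 5, 1), "lt-alice"),
    Asset("A-002", "laptop", "", "in_use", date(2023, 1, 10), "lt-spare"),
    Asset("A-003", "server", "ops", "in_use", date(2024, 4, 20), "db01"),
    Asset("A-004", "smartphone", "bob", "disposed", date(2024, 3, 1), "ph-bob"),
    Asset("A-005", "paper", "hr", "in_use", date(2024, 5, 3), "box-17"),
]

# Constructed set of hostnames observed on the network, e.g. from a
# discovery scan or a DHCP lease table.
OBSERVED_HOSTS = {"lt-alice", "db01", "ph-bob", "printer-3f"}


def find_issues(inventory, observed, today, max_age_days=180):
    """Reconcile the inventory against observed hosts and return the
    discrepancies a reviewer needs to act on, keyed by issue type."""
    device_ids = {a.identifier for a in inventory if a.kind != "paper"}
    return {
        # On the network but not in the inventory: an unmanaged device.
        "unknown_on_network": sorted(observed - device_ids),
        # Marked disposed but still seen: disposal was not completed.
        "disposed_but_seen": sorted(
            a.asset_id for a in inventory
            if a.state == "disposed" and a.identifier in observed),
        # Nobody is accountable for a live asset.
        "no_owner": sorted(
            a.asset_id for a in inventory
            if not a.owner and a.state != "disposed"),
        # Record not re-verified within the review period.
        "stale_record": sorted(
            a.asset_id for a in inventory
            if a.state != "disposed"
            and (today - a.last_verified).days > max_age_days),
        # Bad data in the inventory itself.
        "invalid_state": sorted(
            a.asset_id for a in inventory if a.state not in LIFECYCLE_STATES),
    }


def inventory_report(today_iso="2024-06-01"):
    """Run the reconciliation on the sample data as of the given date."""
    return find_issues(INVENTORY, OBSERVED_HOSTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for issue, ids in inventory_report().items():
        print(f"{issue}: {ids or 'none'}")
```

In practice the observed set would come from whatever discovery source the organization already has (network scans, MDM, endpoint agents); the point is that the inventory is only trustworthy if it is periodically checked against reality in both directions.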
- **Information Security Protection and Governance** – Ensure that formal cybersecurity roles have been created and assigned to individuals in your company. Remember these must be documented!
- **Information Security Protection and Governance** – Ensure a cybersecurity policy has been developed, approved, and published, and that it is reviewed and updated annually.
- **Personnel and Human Resource Security** – Ensure that cybersecurity roles and responsibilities have been formally assigned to employees and are documented.
- **Training and Awareness** – Create a comprehensive training and awareness program and deliver security training to your staff on a regular basis. Remember that people are the weakest link and the main culprit behind IT security incidents. Knowledge is essential!
- **System Lifecycle and Configuration Management** – Create a formal system development life cycle plan that includes security at every stage of the process. If you develop software, security should be built into the process rather than an afterthought.
- **System Lifecycle and Configuration Management** – Ensure that all system configurations are managed in a controlled manner. This plan includes baseline configuration standards such as checklists, as well as rollback plans so that any changes are carried out smoothly with minimal disruption to your business.
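To make the baseline-plus-rollback idea in the configuration management control concrete, here is an added Python example (written for this article, not Papaya framework code). The baseline checklist, setting names and host snapshots are constructed assumptions. It checks a host against the baseline, reports drift and missing settings, and validates a proposed change before it is applied while recording the values needed to roll it back.

```python
# Constructed baseline checklist: setting name -> required value.
# The setting names are illustrative, not a real vendor checklist.
BASELINE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "firewall.default_inbound": "deny",
    "audit.logging": "enabled",
    "ntp.enabled": "yes",
}

# Constructed snapshot of a host that has drifted after an ad-hoc change.
HOST_DRIFTED = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "yes",      # drifted from baseline
    "firewall.default_inbound": "deny",
    "ntp.enabled": "yes",
    "debug.remote_console": "on",      # not covered by the baseline
}                                      # "audit.logging" is missing entirely

# Constructed snapshot of a compliant host with one site-specific extra.
HOST_COMPLIANT = dict(BASELINE, **{"ntp.server": "ntp.example.internal"})


def check_drift(baseline, current):
    """Compare a host's settings with the baseline checklist."""
    drift = {k: (v, current[k]) for k, v in baseline.items()
             if k in current and current[k] != v}
    missing = sorted(k for k in baseline if k not in current)
    extra = {k: v for k, v in current.items() if k not in baseline}
    compliant = len(baseline) - len(drift) - len(missing)
    return {
        "drift": drift,        # setting -> (expected, actual)
        "missing": missing,    # baseline settings absent from the host
        "extra": extra,        # host settings the baseline says nothing about
        "compliance": round(compliant / len(baseline), 2),
    }


def remediation_steps(report, baseline):
    """Ordered (setting, value) pairs that return a host to baseline."""
    steps = [(k, expected) for k, (expected, _) in report["drift"].items()]
    steps += [(k, baseline[k]) for k in report["missing"]]
    return steps


def plan_change(current, updates, baseline):
    """Validate a proposed change against the baseline before applying it.

    Returns (approved, post_state, rollback). The rollback dict holds the
    pre-change value of every touched setting; None means 'remove it'."""
    post = dict(current)
    post.update(updates)
    report = check_drift(baseline, post)
    approved = not report["drift"] and not report["missing"]
    rollback = {k: current.get(k) for k in updates}
    return approved, post, rollback


if __name__ == "__main__":
    rep = check_drift(BASELINE, HOST_DRIFTED)
    print("compliance:", rep["compliance"], "fix:", remediation_steps(rep, BASELINE))
    ok, _, undo = plan_change(HOST_COMPLIANT, {"ssh.PermitRootLogin": "yes"}, BASELINE)
    print("change approved:", ok, "rollback:", undo)
```

The useful habit this demonstrates is evaluating a change against the baseline on the proposed state, before anything touches the host, and capturing the rollback record as part of the same step rather than reconstructing it later.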
- **Network Security** – Make sure that your network is designed and configured in a secure manner. This includes using segmentation to limit the spread of an attack, as well as tools like firewalls, intrusion detection/prevention systems, and other security measures to protect your network and keep the bad guys out.
- **Anomalies, Events and Monitoring** – Create a process to identify, track, and respond to anomalies and events that may indicate a security incident. This includes monitoring systems and networks for signs of intrusion or unusual activity, as well as logging all events that occur.
- **Anomalies, Events and Monitoring** – In addition to having technical measures that record an audit trail, make sure you have assigned individuals whose responsibility it is to regularly review your logs and confirm that nothing is amiss.
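As an added illustration of the log review the two monitoring controls call for (example code written for this article, not Papaya framework code), the Python below runs three simple detection rules over constructed SSH authentication log lines: a burst of failed logins from one source within a short window, a successful login from a source that was just flagged, and successful logins outside business hours. The log format, the 203.0.113.0/24 and 198.51.100.0/24 documentation addresses, the thresholds and the business-hours window are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches OpenSSH-style "Accepted/Failed password" lines with an ISO
# timestamp prefix. The exact layout is an assumption for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log: five rapid failures then a success from one
# source, a normal daytime login, and a late-night login.
SAMPLE_LOG = """\
2024-06-03T02:14:07Z sshd[1201]: Failed password for root from 203.0.113.45 port 51022 ssh2
2024-06-03T02:14:09Z sshd[1203]: Failed password for root from 203.0.113.45 port 51023 ssh2
2024-06-03T02:14:11Z sshd[1205]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
2024-06-03T02:14:13Z sshd[1207]: Failed password for root from 203.0.113.45 port 51025 ssh2
2024-06-03T02:14:15Z sshd[1209]: Failed password for root from 203.0.113.45 port 51026 ssh2
2024-06-03T02:14:20Z sshd[1211]: Accepted password for root from 203.0.113.45 port 51027 ssh2
2024-06-03T09:30:02Z sshd[1300]: Failed password for alice from 198.51.100.7 port 40011 ssh2
2024-06-03T09:30:15Z sshd[1302]: Accepted password for alice from 198.51.100.7 port 40012 ssh2
2024-06-03T23:05:44Z sshd[1400]: Accepted password for bob from 198.51.100.9 port 40500 ssh2
"""


def review(log_text, threshold=5, window_s=60, business_hours=(8, 18)):
    """Return a list of (rule, source, user, timestamp) findings.

    Rules: 'brute_force' when a source reaches `threshold` failures inside
    `window_s` seconds; 'success_after_bruteforce' when a flagged source then
    logs in; 'off_hours_login' for successes outside `business_hours` (UTC)."""
    recent_failures = defaultdict(deque)  # source -> timestamps in window
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an auth event we understand; a real reviewer counts these too
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        src, user, result = m["src"], m["user"], m["result"]
        if result == "Failed":
            q = recent_failures[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()  # drop failures older than the window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append(("brute_force", src, user, ts))
        else:
            if src in flagged:
                findings.append(("success_after_bruteforce", src, user, ts))
            if not (business_hours[0] <= ts.hour < business_hours[1]):
                findings.append(("off_hours_login", src, user, ts))
    return findings


if __name__ == "__main__":
    for rule, src, user, ts in review(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:<25} {user}@{src}")
```

Rules like these are deliberately crude; their value is that a named person runs them (or reads their output) on a schedule and follows up on each finding, which is the second monitoring control above. The "off-hours" rule in particular only means something if someone knows which logins are expected.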
- **Vulnerability Management** – Create a vulnerability assessment process to identify, prioritize, and remediate vulnerabilities in your systems and networks.
- **Vulnerability Management** – Establish a high-level vulnerability management plan for how your organization handles vulnerabilities.
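The "prioritize" step in the first Vulnerability Management control is where most organizations struggle, so here is an added Python example of one way to do it (written for this article; not Papaya's method). It ranks constructed findings by combining the CVSS base score with business context the scanner does not know: whether the asset is internet-facing, how critical the business rates it, and whether a public exploit exists. The weights, the score cap and the remediation deadlines are assumptions a vulnerability management plan would set for itself.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    finding_id: str
    asset: str
    cvss: float             # CVSS base score, 0.0 to 10.0, from the scanner
    internet_facing: bool   # reachable from outside the organization
    asset_criticality: int  # 1 (low) .. 3 (high), assigned by the business
    exploit_public: bool    # a working exploit is publicly known


# Constructed sample findings; the ids are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("F-1", "web-portal", 9.8, True, 3, True),
    Finding("F-2", "hr-database", 7.5, False, 3, False),
    Finding("F-3", "marketing-site", 5.3, True, 1, False),
    Finding("F-4", "test-vm", 4.0, False, 1, False),
    Finding("F-5", "vpn-gateway", 6.5, True, 2, True),
]


def risk_score(f):
    """CVSS plus context modifiers (weights are assumptions), capped at 15."""
    score = f.cvss
    if f.internet_facing:
        score += 2.0
    if f.exploit_public:
        score += 1.5
    score += (f.asset_criticality - 1) * 1.0
    return round(min(score, 15.0), 1)


def sla_days(score):
    """Remediation deadline in days for a given risk score (assumed policy)."""
    if score >= 12:
        return 7
    if score >= 9:
        return 30
    if score >= 6:
        return 90
    return 180


def remediation_plan(findings):
    """Return findings ordered by risk as (id, asset, score, sla_days)."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.finding_id, f.asset, risk_score(f), sla_days(risk_score(f)))
            for f in ranked]


if __name__ == "__main__":
    for fid, asset, score, days in remediation_plan(SAMPLE_FINDINGS):
        print(f"{fid} {asset:<15} score={score:<5} fix within {days} days")
```

Note how F-5 (CVSS 6.5, a "Medium" by base score alone) outranks F-2 (CVSS 7.5) once exposure and exploit availability are taken into account; that reordering is the reason to prioritize with context rather than straight from the scanner's severity column.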
- **Data Security and Protection** – Protect data-at-rest using encryption, access controls, and other security measures. This is data that has reached a destination and is being stored, such as on hard drives or in cloud storage.
- **Data Security and Protection** – Protect data-in-transit using encryption, access controls, and other security measures. This refers to data in motion from one location to another, such as across the internet or a private network.
- **Access and Credential Management** – Control access to systems, networks, and data using least privilege principles. This includes managing user accounts, as well as granting and revoking access when necessary.
- **Risk Management** – Determine cybersecurity risk by identifying threats and vulnerabilities affecting your organization. Threats and vulnerabilities are continuously evolving.
- **Risk Management** – Implement and prioritize corrective action plans (CAPs) and responses to treat identified risks.
- **Third-Party Management** – Manage relationships with third-party vendors and service providers. This includes conducting due diligence on vendors, as well as having a contract in place that outlines security expectations and requirements.
- **Incident Management** – Ensure response plans are in place and effective for addressing security incidents.
- **Incident Management** – Ensure all relevant staff are trained on incident response procedures and are aware of their roles and responsibilities.
- **Business Continuity and Resiliency** – Put plans in place to ensure critical business functions can continue in the event of an incident.
- **Business Continuity and Resiliency** – Have a process to securely back up systems and data in order to recover from an incident.
- **Physical Security Management** – Implement controls to protect physical data and ensure proper destruction. This applies to hard drives, portable media, paper records, computers, network devices, and printers.
- **Physical Security Management** – Create and implement a policy governing the physical security environment and ensure all staff are trained on it.