# Control Development [[Control Development]] is a top-level [[Cybersecurity]] capability, taking in information from Adversary Research and Compliance to develop appropriate defenses and strategies that keep business assets safe and resilient. Control Development is the process of creating, implementing, and maintaining security measures and policies to protect an organization's digital assets, data, and systems from potential threats and vulnerabilities. In summary, this capability provides the plans that outline adversary defenses and an acceptable level of control. ## Map ``` mermaid <!-- element style="width:90%; height:auto" --> graph TD Top[[Cybersecurity]] --- B[[Control Development]] B --- B.1[[Defense Modeling]] B --- B.2[[Standards Management]] B --- B.3[[Policy Management]] B --- B.4[[Test Plan Management]] B --- B.5[[Threshold Management]] %% Class Definitions %% ===================== class Top,A,A.1,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6 internal-link,font-color:white; class Top cssClassL0; classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white; class A,B,C,D,E cssClassL1; classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white; class A.1,A.2,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6 cssClassL2; classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white; class B cssClassCurrent; classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white; ``` ## Definition > [!cm-definition] Definition > Control development maps defenses to assets targeted by adversaries and provides critical information to asset owners to ensure that defenses operate as designed. ## Goals >[!cm-goal] Goal 1 >**Resilient by Design** - Choose defenses that create adversary resilience by design for specific targeted assets. >[!cm-goal] Goal 2 >**Organization-wide Defensive Model** - Defenses are developed to support a single organization-wide defensive model for all targeted assets. >[!cm-goal] Goal 3 >**Lower Mean Times** - Risk places a significant burden on the system and reduces resources for achieving the core mission of the organization. By focusing on reducing mean times within each process, the organization achieves cybersecurity efficiencies that balance cybersecurity with the business. ## Scope The scope of Control Development covers all adversary targeted assets and supporting assets that require adversary defenses to operate within tolerance. ## Process Control Development is dependent upon compliance requirements and adversary intelligence for its inputs and commonly better accomplished by partnering with other business capabilities to determine defensive thresholds. ```mermaid flowchart LR A1[Compliance <br /> Requirements as Input] --> B[1. Build <br /> Defensive Model] A2[Adversary <br /> Intelligence as Input] --> B A1 ~~~ A2 B --> C[2. Develop <br /> Standards] C --> D[3. Publish <br /> Policies] D --> E[4. Document <br /> Test Plan] E --> F[5. Establish <br /> Thresholds] F -.->|Informs| A1 F --> Stakeholders ``` ## Metrics >[!cm-metric] Metric: [[% of Predictable Incidents]] >[!cm-metric] Metric: [[% of Exploitable Assets with a Defensive Model]] >[!cm-metric] Metric: [[% of Controls mapped to a Metric]] >[!cm-metric] Metric: [[% of Defensive Models with Incidents]] ## Inspiration & Resources + https://en.wikipedia.org/wiki/STRIDE_(security) + https://en.wikipedia.org/wiki/Attack_tree + https://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/ + https://hockeyinjune.medium.com/adversary-based-threat-modeling-6dfd88a684d ## Release Notes + [[Q4 2023 Release#Document L1 for Control Development]] ## [Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.