Managing and Configuring Controls

There may be instances where unique control configurations are required to support protection levels for specific information systems.

Written by Michael Compisi
Updated over 2 years ago

Approved controls comprise your compliance program and reflect the commitment of the organization to secure, properly store, and manage information assets per the organization’s policies. CyMetric enables users to review the approved controls and, in so doing, better understand what the controls are and why they are being put in place. Additionally, controls can be customized to reflect the specific requirements of an information system. CyMetric enables the creation of multiple configurations for controls to reflect those needs.

CyMetric applies cybersecurity controls to each information system according to the compliance objectives and security risk assessment users set for that system. Each time a new system is added with a compliance obligation, a new set of controls is created. These are called Control Instances. Information systems can have common controls that cover the majority of the requirements of the organization. However, there may be instances where unique configurations for a control are required to support the level of protection desired for a specific information system. When a specific control has multiple configurations, users can see how many configurations each control has. This data point is listed as Control Configurations.

CyMetric has centralized the controls that need to be configured and has also predefined available options for many variables to make it easier to complete this process. The good news is you only need to do this once. UNTIL YOU CONFIGURE AND SAVE THE CONTROLS, THE PHRASE “VARIABLE NOT SET” WILL APPEAR IN YOUR CONTROLS THAT HAVE VARIABLES AND THIS WILL BE REFLECTED IN THE POLICY DOCUMENTS.

CONFIGURING CONTROLS FOR THE FIRST TIME: Controls that have been approved for the first time and require configuration will appear in the Controls area under the Configuration Required module. Click the Configuration Required link.

The list of controls that require configuration appears in the grid.

Select the Control you would like to configure from the list by clicking on the chevron (>) that corresponds to the control on the right side of the screen. The Control will be displayed and the variables that need input identified.

Variables can be single-select, multi-select or radio buttons.

Drop Down: Use the drop down arrow to view the list of available options for the variable. Select the variable or variables that are appropriate for the control. Multiple selections are permitted.

Radio Buttons: Round option buttons for defining specific elements of a control. Typically, radio buttons are used to pick from a set of related options regarding a specific function.

Select the proper option from the variables available. FOR MULTI-SELECT VARIABLES, if users want to include more than one of the available options, hold the CTRL key and click the variables desired. Each selected item will be highlighted and incorporated into the control.

When all of the variables are defined, click on the Save Edits button. The newly configured control is displayed from the Approved Controls module.

Click on the Configuration Required navigation link from the left side of the screen to return to that module.

Configured controls appear in your procedural documents assembled in the Policies module.

Editing a Control or Creating a New Configuration for a Control

To change the configuration of a control, define the variables for a control or create a new configuration for a control, click on Approved Controls from the left navigation area. Use the filter to refine the display area and select a control name.

Click on the chevron (>) that corresponds to the control that requires review or editing. The Control Details page displays, presenting the detailed configuration for the control. If there are multiple configurations, an icon representing each configuration displays at the top of the screen. The information systems that are associated with each configuration are represented by the blue box icons at the bottom of the screen. Click on the Configuration buttons to toggle between the configurations.

Edit, Delete, Add a Configuration: To edit, delete or add a new configuration, click on the options ellipsis in the top right section of the screen.

Edit an Approved Control: Click on the Edit Config option from the drop down list. The existing configuration will appear on the screen. Make the appropriate changes to the configuration to reflect the desired settings. Save the changes.

ADDING ADDITIONAL CONFIGURATIONS FOR A CONTROL

If there is a need for multiple configurations for the same control, CyMetric allows users to create as many unique configurations or settings for a control as needed to reflect the use case and requirements of the organization. These supplemental configurations can be applied to specific systems to reflect their security requirements and will be different from the DEFAULT configurations.

Create a NEW control configuration: To add a new configuration, click on the options ellipsis in the top right section of the screen. Click on the Add New Config option from the drop down list. Define a short name (10 characters) for your new control configuration and provide a description of the configuration. Controls with variables will have dropdown dialog boxes with list values present. Choose the appropriate value from the list to meet the desired specifications of the control. If multiple values are appropriate for the variable, click on the CTRL button and choose the appropriate values for that variable. Use the same process to create a New Configuration as well. There is no limit to the number of unique control configurations you can have for each control.

When you have finished adding a configuration, click on the Create Configuration/Save Edits button in the bottom right corner of the screen.

To learn how to apply a new or different control configuration to an information system, please see Assigning a New Control Configuration to an Information System.