Adding a Custom Control to a Regulation or Information System

CyMetric allows users to enhance control sets by adding supplemental controls to their security programs.

Written by Michael Compisi
Updated over 4 years ago

There may be situations where the defined control sets provided by CyMetric need to be supplemented by additional controls, either to reflect an organization's risk profile or simply to strengthen the program. CyMetric supports two scopes for this: a control can be added to a regulatory obligation, in which case it is applied to every system that carries that obligation, or a control can be added to a specific information system or hardware platform only.

To add controls to a compliance obligation or system, start by clicking on the Custom link from the Controls section in the Navigation area. The complete list of available controls will be presented in the grid.

Adding (Mapping) a Custom Control to an Obligation

CyMetric assigns controls to regulatory obligations based upon attorneys' legal interpretation of the regulation. If an organization wants to complement the packaged set of regulatory controls defined by CyMetric with additional controls that meet its own internal requirements for a specific regulation, this is done with a process similar to the one used for adding a control to a single system (described in the next section). In this case, however, the custom control(s) that get added will be applied to ALL SYSTEMS that have the obligation the new custom control is added to.

Search for the desired control by using the search/filter function, or scroll to the control you would like to add to your program. When the appropriate control is identified, click on the Implement link at the right end of that control's row. After clicking on the Implement button, click on the Map to Compliance Objective button.

CyMetric walks users through a four-step process to add or map the new control to the desired regulatory obligation. By adding the custom control to an obligation, ALL EXISTING AND FUTURE INFORMATION SYSTEMS THAT HAVE THIS OBLIGATION WILL INCLUDE THE NEW CONTROL. If this is acceptable, click on the Confirm and Next button to continue.

CyMetric then asks whether you want to apply the custom control to a Compliance Objective or to a Security Framework Categorization. By definition, a compliance objective is a regulation or mandate that has been mapped within CyMetric (e.g. HIPAA, GDPR, NIST CSF, etc.), whereas a Security Framework Categorization is the NIST-defined allocation of a control to the HIGH, MODERATE or LOW security category that applies to systems requiring 800-53 compliance. The new custom control would be included in the chosen category for the systems that require 800-53 compliance. Click on the appropriate allocation to continue.

If Compliance Objective is selected, a list of the compliance obligations licensed by your organization is presented. If Security Framework Categorization is selected, the three levels of the NIST categorization are presented. Click on the radio button next to the element to which you would like the new control to be added, then click on the Next button.

CyMetric prompts you to enter a reason or rationale for including the custom control in the compliance objective. This is a required field and records, for the organization, what the new control is intended to achieve. When you have populated the Reason for Implementation field, click on the Next button.

CyMetric presents one last opportunity to review the change you are looking to make to the compliance objective. If the modification and documentation look appropriate, click on the Map & Implement button.

The new control is added to the compliance objective but still requires formal approval, so it appears in the Pending Control approval area. As with controls being applied to new systems, this control must be approved before it is formally part of the respective compliance program. Navigate to the Pending Controls area and identify the pending control group that reflects the new addition; CyMetric indicates how many instances (systems) the control will be added to. If you need guidance on approving the control, follow the steps in the article Reviewing and Approving Pending Controls to complete the process.

CyMetric automatically adds the control to any system that has the obligation the new control was added to. It will appear on any NEW assessments that are conducted for the compliance objective. It WILL NOT be applied retroactively to assessments already completed or started.

Adding a Control to a Specific System

If the control you would like to add is unique to one system, CyMetric lets you add it to a specific information system or hardware system in your environment. Search for the desired control by using the search/filter function, or scroll to the control you would like to add to your program. When the appropriate control is identified, click on the Implement link at the right end of that control's row.

After clicking on the Implement button, click on the Add to Information System button.

CyMetric will prompt you to select the appropriate system from the pull-down menu, which lists the Information Systems and Hardware Systems that have been entered. CyMetric also requires you to document why this control is being implemented for this system. When both have been provided, click on the Implement button to apply the change.

NOTE: If you need to add this control to multiple systems, you will need to repeat this process for all the appropriate systems.

The control is added but needs approval in the Pending Control area. To complete the addition of the custom control, navigate to the Pending Controls area and approve the new control. The control will then be added to the designated system as a required control.
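The following is an added illustrative model, not CyMetric's code or API, of the behaviour described in both sections above: an obligation-level mapping reaches every existing and future system that carries the obligation, a system-level addition reaches one system only, neither takes effect until approved, the reason field is mandatory, and an assessment started earlier keeps its original control set. All obligation names, control identifiers and system names are constructed sample values.

```python
"""Hypothetical model of obligation-scoped vs. system-scoped custom controls
(added example; not CyMetric's implementation)."""
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    obligations: set = field(default_factory=set)


@dataclass
class Mapping:
    """A custom-control addition; pending until approved."""
    control_id: str
    scope: str        # "obligation" or "system"
    target: str       # obligation name or system name
    reason: str
    approved: bool = False


@dataclass
class Assessment:
    """An assessment snapshots the control set when it is started."""
    system: str
    controls: frozenset


class Program:
    def __init__(self, baseline):
        # baseline: obligation -> packaged control ids (constructed sample)
        self.baseline = baseline
        self.systems = {}
        self.mappings = []

    def add_system(self, name, obligations):
        self.systems[name] = System(name, set(obligations))

    def _new_mapping(self, control_id, scope, target, reason):
        if not reason.strip():                      # required field
            raise ValueError("Reason for Implementation is required")
        m = Mapping(control_id, scope, target, reason)
        self.mappings.append(m)
        return m

    def map_to_obligation(self, control_id, obligation, reason):
        if obligation not in self.baseline:
            raise KeyError(f"unknown obligation {obligation}")
        return self._new_mapping(control_id, "obligation", obligation, reason)

    def add_to_system(self, control_id, system, reason):
        if system not in self.systems:
            raise KeyError(f"unknown system {system}")
        return self._new_mapping(control_id, "system", system, reason)

    def affected_systems(self, mapping):
        """Systems a pending mapping will touch once approved."""
        if mapping.scope == "system":
            return [mapping.target]
        return [s.name for s in self.systems.values()
                if mapping.target in s.obligations]

    def approve(self, mapping):
        mapping.approved = True

    def controls_for(self, system_name):
        """Packaged controls plus every approved mapping that reaches the system."""
        s = self.systems[system_name]
        controls = set()
        for ob in s.obligations:
            controls |= self.baseline[ob]
        for m in self.mappings:
            if not m.approved:
                continue
            if m.scope == "obligation" and m.target in s.obligations:
                controls.add(m.control_id)
            elif m.scope == "system" and m.target == system_name:
                controls.add(m.control_id)
        return controls

    def start_assessment(self, system_name):
        return Assessment(system_name, frozenset(self.controls_for(system_name)))


def demo():
    p = Program({"HIPAA": {"AC-1", "AC-2"}, "GDPR": {"PM-1"}})
    p.add_system("ehr", {"HIPAA"})
    p.add_system("crm", {"GDPR"})
    early = p.start_assessment("ehr")            # started before the change
    m = p.map_to_obligation("AC-99", "HIPAA", "board-mandated MFA policy")
    affected = p.affected_systems(m)             # what the pending group reports
    before = p.controls_for("ehr")               # still pending: not applied
    p.approve(m)
    p.add_system("lab", {"HIPAA"})               # future system with obligation
    s = p.add_to_system("SC-99", "crm", "vendor contract clause")
    p.approve(s)
    return {
        "pending_hidden": "AC-99" not in before,
        "ehr": p.controls_for("ehr"),
        "lab": p.controls_for("lab"),
        "crm": p.controls_for("crm"),
        "early_assessment": early.controls,
        "affected": affected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, sorted(v) if isinstance(v, (set, frozenset)) else v)
```

Running `demo()` shows the obligation-level control reaching both the original and the later-added HIPAA system, the system-level control reaching only the one system it was added to, and the earlier assessment unchanged.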