The objective of this activity is to develop departmental security control profiles. Departments develop a
security control profile for each of its defined business domains. If a department defines several business
domains, then it can develop the profiles gradually, starting with one that is urgently needed, and then
developing the others over time.
Departmental security control profiles document the common security controls that are or will be
deployed as part of the departmental IT security function, as well as the mandated security controls to be
implemented in individual departmental information systems.
Departmental security control profiles are used by the IT security function to coordinate the deployment
of common security controls across their organization. They also inform IT projects of the security
controls that are or will be inherited by their information system, and those that they have to implement as
part of their project to protect the information system that they are developing or updating.
When developing departmental security control profiles, departments select security controls from the
catalogue in Annex 3 of ITSG-33 [Reference 5] and tailor them to satisfy departmental security needs
(Section 4.2.2) and objectives (Section 4.2.6). The selection and tailoring of security controls is guided by
the results of their departmental threat assessment (Section 4.2.5) and the defined IT security approaches
(Section 4.2.7.2). For departments that have an enterprise architecture function, security practitioners
should also consider IT security-related artefacts when selecting and tailoring information system-specific
security controls.
Departmental security control profiles should also document the business context and assumptions under
which they were developed by describing:
• In-scope business activities and related business needs for security;
• Security categories of in-scope business activities;
• Threat context;
• Defined IT security approaches; and
• Any other technical constraints or assumptions that might influence the selection of security
controls for information systems.
A key input to the security control profile development process is the departmental threat assessment
report (see Section 4.2.5). When developing domain security control profiles, departments may refine
departmental threat definitions based on additional threat information that is specific to each domain’s
business activities. When this occurs, departments may document these refined threat definitions in
domain-specific threat assessment reports.
Several of the security controls in the catalogue should be considered for deployment as common security
controls. A list of candidate common security controls is provided in Section 7. Candidate common
security controls are also highlighted in the security control profiles provided in Annex 4 of ITSG-33
[Reference 15]. Some common security controls may be implemented using technical solutions and
operated by IT operations groups. Other common security controls may be under the operational
responsibility of the departmental IT security function or other supporting functions.
Examples of common security controls are:
• The departmental personnel security screening program supporting the screening of IT personnel;
• Physical security program supporting the protection of IT facilities;
• Security incident management performed as part of the IT security function to provide a global
view of departmental security incidents;
• An information system operated by an IT operations group that provides a common end user
authentication solution;
• A department-wide electronic log monitoring system operated by a team of the IT security
function, which provides separation of duties between the IT operations and the IT security
function; and
• An IT security awareness and training program administered by the departmental learning center.
To develop their departmental security control profiles, departments may leverage applicable security
control profiles provided in Annex 4 of ITSG-33 [Reference 15], which are based on the ITSG-33
Security Control Catalogue [Reference 5].
The output of this activity is one organization-wide security control profile or a set of domain security
control profiles.