C-XXX - Control Name
Objective
State what the control is intended to achieve, tied directly to the risk(s) it reduces (the same R-XXX entries listed under Related Risks).
Type
Preventive / Detective / Corrective
Scope
Define where the control applies:
- Assets (e.g. VPS, Proxmox, applications)
- Zones (Heaven, Hell, Admin)
- Flows (Admin → Infra, Internet → Reverse Proxy)
Implementation
High-level description of how the control is implemented: the mechanism (what enforces or detects), where it sits in the architecture, and why that placement was chosen.
Avoid:
- low-level config
- commands
Focus on:
- mechanisms
- architecture choices
Related Risks
- R-XXX - Risk name
Validation
How you verify the control is in place and effective:
- technical testing (attempt the action the control should block or detect, and record the result)
- manual review (periodic review of the configuration, rules or access lists that implement it)
- monitoring signal (the log entry or alert that shows the control fired)
Limitations
(Optional but highly recommended)
- known weaknesses
- partial coverage
- dependencies
Status
Active / In Progress / Planned
Owner
Sec / Ops / Dev