
Friday, September 21, 2012

Mapping Security Control Catalogs

So I have a new project underway in my spare time.  My wife and I are going into business and, as it happens, must comply with not just one, but two sets of information system security control regulations, one industry and one federal.  Being intimately familiar with DoD 8500 and NIST, I welcomed the challenge that came with this in attempting to translate the other two into a framework that I understood better, and immediately ran into an issue.  The two regulations are PCI-DSS and HIPAA, which are not fully developed information system security programs; therefore, it doesn't make sense to show compliance just for compliance's sake.  I wanted to do this the right way and adopt a full program and then map the other two standards to it, so I chose NIST as I have been impressed with its flexibility in the control set.  I am not happy with its security categorization, so instead chose CNSSI-1253 to perform this function for my program.

So far, so good. 

NIST has published SP 800-66, which maps HIPAA to SP 800-53 Rev 2, but I'm wanting to be on the cutting edge, which meant that I had some updating to do with that map in order to get it into SP 800-53 Rev 3 (and soon Rev 4).  Ok, not too bad: NIST markups and discrepancies aren't too bad to work with, and I don't see a big problem with not being specific in the control enhancement area, as HIPAA is rather vague when it comes to stipulating requirements, so the base controls should do fine.  So far, it's a little work to get the HIPAA map updated, but looks fairly easy.

Then I turned to PCI-DSS to look at that. 

Drastic difference here, as this control set is more specific than the NIST control set in certain areas, and darn it all, no-one seems to have mapped this to NIST.  I did find a few maps that I could reference, but not use or change directly, mainly using yet a third control set that I wasn't interested in at all (ISO 27000, COBIT, and CSA).  In delving deeper into these maps, it seemed that the ISO and COBIT maps weren't all that useful to me, but the CSA seemed to do a wonderful job, as it published a map between all the control sets mentioned in this post as well as a few more.  So I grabbed that and really took a good look at it.  Bottom line, it's a good effort on their part, but for my purposes, I can't use it.

The basic reason is that in order to map control sets, you have to start with a base set, then perform the map to the set you want to use.  In my case, I have to do that twice, once with PCI-DSS, and once with HIPAA.  Once you have it done that direction, you can reference the other two sets from the set you use to show compliance.  Since the maps I had tried before had essentially done this against a set that I wasn't interested in, I was attempting to compare apples to oranges to get it back into the right framework.  Sure, the maps are somewhat useful to narrow down the field, but only when the control set they use is nearly identical to the one you want to use.
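To illustrate the point above, here is a small crosswalk helper (an added example, not code from the original post). It composes a PCI-DSS to NIST map through a third catalog, shows how many extra NIST controls the indirect route drags in compared with a direct map, and inverts the direct map so the base catalog can be used to look up which PCI-DSS requirements a NIST control evidences. All PCI and CSA identifiers and every mapping pair are constructed placeholders, not an authoritative crosswalk; only the NIST control IDs are real SP 800-53 identifiers.

```python
from collections import defaultdict


def compose(a_to_b, b_to_c):
    """Transitively compose two crosswalks A->B and B->C into A->C."""
    out = defaultdict(set)
    for a, bs in a_to_b.items():
        for b in bs:
            out[a] |= b_to_c.get(b, set())
    return dict(out)


def fan_out(mapping):
    """How many target controls each source control lands on."""
    return {src: len(tgts) for src, tgts in mapping.items()}


def precision_loss(direct, composed):
    """Target controls the indirect (composed) map adds beyond the direct map."""
    return {src: sorted(composed.get(src, set()) - direct.get(src, set()))
            for src in direct}


def invert(mapping):
    """Reverse a crosswalk so the base catalog (NIST) is the lookup key."""
    out = defaultdict(set)
    for src, tgts in mapping.items():
        for t in tgts:
            out[t].add(src)
    return dict(out)


# Constructed placeholder crosswalks (NOT a real PCI/CSA/NIST mapping).
PCI_TO_CSA = {"PCI-R1": {"CSA-A"}, "PCI-R2": {"CSA-B"}}
CSA_TO_NIST = {"CSA-A": {"SC-7", "CM-7", "AC-4"},
               "CSA-B": {"IA-2", "IA-5", "AC-2"}}
PCI_TO_NIST_DIRECT = {"PCI-R1": {"SC-7"}, "PCI-R2": {"IA-5"}}

if __name__ == "__main__":
    via_csa = compose(PCI_TO_CSA, CSA_TO_NIST)
    for req, extra in precision_loss(PCI_TO_NIST_DIRECT, via_csa).items():
        print(req, "direct:", sorted(PCI_TO_NIST_DIRECT[req]),
              "extra via third catalog:", extra)
    print("NIST -> PCI lookup:", invert(PCI_TO_NIST_DIRECT))
```

The composed map is not wrong so much as coarse: each hop through a broader catalog widens the set of NIST controls a PCI requirement appears to touch, which is why a map built against a set you do not use only narrows the field rather than settling it.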

Crap, I'm going to have to do this the hard way:  map the sets manually.

Doing it this way has a huge drawback, in that you are entirely dependent upon your own subjectivity, which the entity that you are trying to show compliance with may not agree with.  I didn't want to do this, but in the absence of publicly available or official maps, I really have no choice.  Fortunately, I do carry the credentials to make my map more credible to anyone looking at it.

So, I'm just getting started, but already I see a pattern starting to form in that my subjective view is very granular and differs from the maps I've been able to find.
