As any Information Security Professional will tell you, there is a multitude of regulations and security control frameworks to choose from. Very often, an individual organization is subject to multiple regulations and must show compliance with them regularly. This mandate sets up a situation where the organization has a choice: duplicate the effort for each regulation for compliance's sake, or compare and contrast the multiple regulations and implement a single, unified solution. Given that duplication of effort is not cost efficient, and that smart organizations always track the bottom line, a security control map is absolutely necessary.
Mapping security controls between differing standards is not a task to be taken lightly, nor is it a speedy process. At best, an odd-sized small team (5 or 7 individuals) takes months to come to an agreement. Teams smaller than this lose objectivity when faced with such a herculean task. Larger teams run into the opposite problem: more frequent disagreements in committee and too much input to be discussed in a timely fashion. In the end, the map itself is always subject to the nuances of the group that created it.
This subjectivity is the result of two factors: the interpretation of the control measures, combined with the methodology used to form the map. While the interpretation depends on each individual making up the group and their expertise (which not only cannot be controlled, but is very often met with a contrasting opinion once the map is published), the methodology can at least be framed by a general consensus among the professional field. This is accomplished by taking each control measure into consideration and finding one or more suitable equivalent controls from the other control set.
It is widely accepted that there are not one, but two maps to look at when comparing two sets of control measures: each set in the context of the other. Adding more control sets makes the number of potential maps rise rapidly, following the formula <i>n * (n-1)</i> where <i>n</i> is the number of control sets in play. Therefore, 3 sets would produce 6 maps, 4 produce 12, and 5 produce 20 maps.
While a thorough exploration could be considered complete only when all of the maps are finished, a simpler method presents itself, reducing the number of maps to just the number of control sets in play. This methodology consists of choosing a primary control set among the multiples and only considering the maps to the other control sets in the context of the primary. Logically, this makes sense, but there is still something missing from this methodology: the usefulness of the "reverse" map.
Because differing control sets often have no equivalent controls between them, and many are far too narrow in scope and content to be of any use to the other, holes in the map abound. Compounding this is the fact that the regulations themselves are not enough for an effective security program; an additional framework is necessary to achieve security effectiveness, which increases the number of maps accordingly. Fortunately, there are several frameworks in the wild that are written in a far more general manner than the specific regulations.
When adding a framework to the mix of regulations, caution must be observed in the choice of framework. Traditionally, individual regulations are married to particular frameworks (e.g., PCI-DSS to COBIT, SOX to COSO, HIPAA to ISO 27001, FISMA to NIST 800), but in reality any framework could potentially contain any regulation, depending on how flexibly its implementation is handled. It stands to reason that not every pairing is a harmonious match, so the traditional pairings have the best chance of success. In the end, the framework dictates a common control set that will then have to be mapped to the applicable regulations.
This mapping, as discussed above, <i>could</i> be achieved in the context of the framework; however, a more saturated method is to consider only the <i>reverse</i> maps instead of the "forward" maps. This method takes each control measure from the regulation and fits one or more controls from the framework to it in order to achieve compliance. This method is by far the most beneficial from a compliance standpoint: every mandatory control measure is assured to be assessed and met, and any holes in the framework control set will be identified and rectified. This last situation is actually very rare, as the framework used (as long as a harmonious "marriage" is observed) is most likely to be a superset that envelops the regulation set.
So what happens when an organization needs to be compliant with multiple regulations? Obviously the choice of framework becomes even more critical, requiring a much more general context to maximize the saturation and minimize the leftover controls from the individual regulations. For this effort, two frameworks stand out: the NIST 800 series and the similar ISO 27001. Both are produced by entities that develop common standards, one for the U.S. federal government and the other for the international community. Which to choose depends upon the nature of the organization contemplating the adoption of either, in terms of HQ location and global presence.
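The map-count formula and the reverse-map gap analysis described above, as an added illustration that is not part of the original post. The control identifiers and the mapping entries are constructed placeholders, not real framework or regulation text:

```python
from typing import Dict, List, Set

# Constructed sample control sets: the identifiers are placeholders, not real
# control text from any framework or regulation.
FRAMEWORK: Set[str] = {"FW-1", "FW-2", "FW-3", "FW-4"}
REGULATION: Set[str] = {"REG-A", "REG-B", "REG-C"}

# Reverse map, built the way the post describes: start from each regulation
# control and list the framework control(s) that satisfy it.
REVERSE_MAP: Dict[str, Set[str]] = {
    "REG-A": {"FW-1"},
    "REG-B": {"FW-2", "FW-3"},
    "REG-C": set(),  # a hole: nothing in the framework covers this control
}


def full_map_count(n: int) -> int:
    """Number of maps when every control set is mapped in the context of every other."""
    return n * (n - 1)


def holes(reverse_map: Dict[str, Set[str]]) -> List[str]:
    """Regulation controls with no satisfying framework control; these must be rectified."""
    return sorted(ctrl for ctrl, covered_by in reverse_map.items() if not covered_by)


def forward_map(reverse_map: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Derive the 'forward' map (framework -> regulation) by inverting the reverse map."""
    fwd: Dict[str, Set[str]] = {}
    for reg, fws in reverse_map.items():
        for fw in fws:
            fwd.setdefault(fw, set()).add(reg)
    return fwd


def leftover(framework: Set[str], reverse_map: Dict[str, Set[str]]) -> List[str]:
    """Framework controls no regulation control needs; expected when the framework is a superset."""
    used = set().union(*reverse_map.values())
    return sorted(framework - used)


def unknown_references(framework: Set[str], reverse_map: Dict[str, Set[str]]) -> List[str]:
    """Mapped identifiers that do not exist in the framework: a data-entry error worth catching."""
    used = set().union(*reverse_map.values())
    return sorted(used - framework)


if __name__ == "__main__":
    print("maps for 3 sets:", full_map_count(3))
    print("holes:", holes(REVERSE_MAP), "leftover:", leftover(FRAMEWORK, REVERSE_MAP))
```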
While this started as a blog specifically for Information Security a.k.a. Information Assurance, Information System Risk Assessment, Computer Security Engineering, and sometimes Cyber Security, I have already expanded it, or at least have needed to post off-topic remarks related to my own life. Therefore, now this is simply a journal for my ramblings, questions I discuss out loud to the general public.