<p>CISOs and their teams are expected to demonstrate compliance with a range of regulations, frameworks and standards. With an alphabet soup of frameworks — NIST, ISO, PCI DSS, HIPAA, GDPR and many other country- or sector-specific mandates — there is a growing risk of duplicating effort, control gaps and audit fatigue.</p>
<p>CISOs can simplify governance by mapping security controls to the various domestic and international <a href=”https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one”>standards and regulations addressing cybersecurity</a> through a unified control architecture.</p>
<section class=”section main-article-chapter” data-menu-title=”Why control mapping matters”>
<h2 class=”section-title”><i class=”icon” data-icon=”1″></i>Why control mapping matters</h2>
<p>Enterprises that are required to demonstrate regulatory compliance must prove how they comply. In addition to a variety of audit tests, a map of the controls being used and the corresponding standards is an important piece of audit evidence.</p>
<p>Without a control map, CISOs and their teams can face redundant efforts when connecting controls to specific requirements, a lack of consistent application of controls within the enterprise and additional work gathering evidence for an audit.</p>
<p>Security teams can save time and effort by building a structured map of controls and requirements, consolidating all mapping into a single assessment. This helps <a href=”https://www.techtarget.com/searchsecurity/tip/Build-a-strong-cyber-resilience-strategy-with-existing-tools”>strengthen cyber resilience</a> by establishing a holistic baseline.</p>
</section>
<section class=”section main-article-chapter” data-menu-title=”How to build a control-mapping strategy”>
<h2 class=”section-title”><i class=”icon” data-icon=”1″></i>How to build a control-mapping strategy</h2>
<p>Prior to preparing a control/standard map, define the overall strategy. This helps CISOs, auditors and regulators assess and verify compliance, minimizes duplication and enhances governance. The key is to define scope, establish a baseline control language and create a flexible and reusable mapping model. Adding AI to the process helps accelerate map preparation and assists with ongoing maintenance.</p>
<p>Obtain the most relevant and authoritative sources. Among the most important are:</p>
<ul class=”default-list”>
<li><b>NIST CSF (Cyber Security Framework)</b>. This framework provides guidance across a broad range of cybersecurity issues; implementation is voluntary.</li>
<li><b>NIST SP 800-53</b>. Designed for government use, these cybersecurity controls can be used by the private sector. Implementation is voluntary but considered essential for demonstrating compliance.</li>
</ul>
<ul class=”default-list”>
<li><b>ISO/IEC 27001</b>. <a href=”https://www.techtarget.com/whatis/definition/ISO-27001″>This is the global cybersecurity standard</a>; compliance must be officially demonstrated.</li>
<li><b>CIS Controls</b>. Developed by the U.S. Center for Internet Security, there are 18 specific controls to address; implementation is voluntary.</li>
<li><b>SOC 2 Security Controls</b>. Developed to comply with the AICPA’s Trust Services Criteria, these are auditable controls.</li>
<li><b>HIPAA</b>. The <a href=”https://www.techtarget.com/searchhealthit/definition/HIPAA”>HIPAA</a> security controls, which are mandatory in healthcare, can be applied in many industries; compliance must be officially demonstrated.</li>
<li><b>PCI DSS</b>. The <a href=”https://www.techtarget.com/searchsecurity/definition/PCI-DSS-Payment-Card-Industry-Data-Security-Standard”>Payment Card Industry Data Security Standard</a> is a mandatory requirement for organizations in the payment industry; it has six control objectives that delineate 12 specific requirements.</li>
<li><b>FedRAMP</b>. Based on NIST SP 800-53, these mandatory controls were designed for cloud service providers that handle federal data.</li>
<li><b>CMMC</b>. The Cybersecurity Maturity Model Certification was developed by the U.S. Defense Department to protect critical government data used by contractors.</li>
<li><b>GPPR</b>. The EU <a href=”https://www.techtarget.com/whatis/definition/General-Data-Protection-Regulation-GDPR”>General Data Protection Regulation</a> specifies how data generated and used by EU member nations and other nations that work with EU member states is protected
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: