How mapping security controls can ease the compliance burden

<p>CISOs and their teams are expected to demonstrate compliance with a range of regulations, frameworks and standards. With an alphabet soup of frameworks — NIST, ISO, PCI DSS, HIPAA, GDPR and many other country- or sector-specific mandates — there is a growing risk of duplicating effort, control gaps and audit fatigue.</p>
<p>CISOs can simplify governance by mapping security controls to the various domestic and international <a href=”https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one”>standards and regulations addressing cybersecurity</a> through a unified control architecture.</p>
<section class=”section main-article-chapter” data-menu-title=”Why control mapping matters”>
<h2 class=”section-title”><i class=”icon” data-icon=”1″></i>Why control mapping matters</h2>
<p>Enterprises that are required to demonstrate regulatory compliance must prove how they comply. In addition to a variety of audit tests, a map of the controls being used and the corresponding standards is an important piece of audit evidence.</p>
<p>Without a control map, CISOs and their teams can face redundant efforts when connecting controls to specific requirements, a lack of consistent application of controls within the enterprise and additional work gathering evidence for an audit.</p>
<p>Security teams can save time and effort by building a structured map of controls and requirements, consolidating all mapping into a single assessment. This helps <a href=”https://www.techtarget.com/searchsecurity/tip/Build-a-strong-cyber-resilience-strategy-with-existing-tools”>strengthen cyber resilience</a> by establishing a holistic baseline.</p>
</section>
<section class=”section main-article-chapter” data-menu-title=”How to build a control-mapping strategy”>
<h2 class=”section-title”><i class=”icon” data-icon=”1″></i>How to build a control-mapping strategy</h2>
<p>Prior to preparing a control/standard map, define the overall strategy. This helps CISOs, auditors and regulators assess and verify compliance, minimizes duplication and enhances governance. The key is to define scope, establish a baseline control language and create a flexible and reusable mapping model. Adding AI to the process helps accelerate map preparation and assists with ongoing maintenance.</p>
<p>Obtain the most relevant and authoritative sources. Among the most important are:</p>
<ul class=”default-list”>
<li><b>NIST CSF (Cyber Security Framework)</b>. This framework provides guidance across a broad range of cybersecurity issues; implementation is voluntary.</li>
<li><b>NIST SP 800-53</b>. Designed for government use, these cybersecurity controls can be used by the private sector. Implementation is voluntary but considered essential for demonstrating compliance.</li>
</ul>
<ul class=”default-list”>
<li><b>ISO/IEC 27001</b>. <a href=”https://www.techtarget.com/whatis/definition/ISO-27001″>This is the global cybersecurity standard</a>; compliance must be officially demonstrated.</li>
<li><b>CIS Controls</b>. Developed by the U.S. Center for Internet Security, there are 18 specific controls to address; implementation is voluntary.</li>
<li><b>SOC 2 Security Controls</b>. Developed to comply with the AICPA’s Trust Services Criteria, these are auditable controls.</li>
<li><b>HIPAA</b>. The <a href=”https://www.techtarget.com/searchhealthit/definition/HIPAA”>HIPAA</a> security controls, which are mandatory in healthcare, can be applied in many industries; compliance must be officially demonstrated.</li>
<li><b>PCI DSS</b>. The <a href=”https://www.techtarget.com/searchsecurity/definition/PCI-DSS-Payment-Card-Industry-Data-Security-Standard”>Payment Card Industry Data Security Standard</a> is a mandatory requirement for organizations in the payment industry; it has six control objectives that delineate 12 specific requirements.</li>
<li><b>FedRAMP</b>. Based on NIST SP 800-53, these mandatory controls were designed for cloud service providers that handle federal data.</li>
<li><b>CMMC</b>. The Cybersecurity Maturity Model Certification was developed by the U.S. Defense Department to protect critical government data used by contractors.</li>
<li><b>GPPR</b>. The EU <a href=”https://www.techtarget.com/whatis/definition/General-Data-Protection-Regulation-GDPR”>General Data Protection Regulation</a> specifies how data generated and used by EU member nations and other nations that work with EU member states is protected

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from Search Security Resources and Information from TechTarget

Read the original article: