This functional illustration shows how standards and regulations correlate with specific requirements, policies, controls, and audit points. I created a version of this illustration for a group of RSA SEs learning Archer as a way to quickly bridge the gap between authority documents (standards and regulations) and audits while keeping important details.
Standards and regulations - Authorities - contain requirements which when documented become policies and procedures. That's simple enough. Controls are implemented to ensure policies are followed. Again - straight forward. Controls are then audited on a periodic basis to ensure controls align with policies and required compliance mandates. Make sense?
This is a simple compliance model. There is a different model and view of security of which this becomes a component.
PCI-DSS Example
Standards and regulations - Authorities - contain requirements which when documented become policies and procedures. That's simple enough. Controls are implemented to ensure policies are followed. Again - straight forward. Controls are then audited on a periodic basis to ensure controls align with policies and required compliance mandates. Make sense?
This is a simple compliance model. There is a different model and view of security of which this becomes a component.
PCI-DSS Example
- Authority: PCI-DSS is the authority document created by the PCI-SSC.
- Requirement: (10.6) Review logs for all system components at least daily.
- Policy: Monitoring Policy – States logs will be reviewed at least daily.
- Control: RSA enVision provides real-time monitoring for all system components.
- Audit: Auditor verifies RSA enVision is appropriately monitoring and alerting to actionable events. Audit results and evidence are stored as part of the audit.
 |
| Authorities to Audits |
