Sunday, October 30, 2016

2016 Controls Map - Indexed to NIST - Free Gift

Delivered to you with pleasure and as a courtesy of one of the best managers I have had. Jerry Breaud trusted me to run with my gut instinct and allowed me to work on a personal project designed from its initial conception to give as much to the community as it does to our company.

Thank you to VMware and Intel, both of whom supported this effort and allowed me to create, validate, and openly give this information back to the community so that others can benefit from this work product.

Download! 
You can find the mapping under the documents tab. Direct link here.

Look for 2016 Controls Map New_River_v5 CG (012).xlsm. Please note this is a macro-enabled spreadsheet. View the macro using [ALT]-[F11].

Quick Summary
The purpose of the build kit is to create a blueprint for a repeatable solution that is capable of meeting multiple compliance requirements. The objective is to build the solution properly the 1st time, and have the solution meet the technical control requirements for multiple regulations, standards, and best practices. While we have appreciation and understanding for administrative and physical controls, our focus is understandably on the technical configuration and setup of these complex virtual systems.

Challenge
We continue to see large multinational organizations struggling with the complexity of multiple regulations and required combined control frameworks. We have spoken with senior security and compliance executives from financials, defense, and many other entities with sensitive data. This is a serious and daunting problem – and we have good news.

Opportunity
The opportunity is to create a sustainable common controls baseline to address multiple regulations and standards. It's as simple as this. The result helps organizations quickly to a lowest common denominator set of technical configurations that collectively create a technical build gold configuration. This is a baseline set of configurations with a target of achieving 90+ % compliance for a majority of authoritative sources out-of-the-box aligned with NIST controls.

Execution
Someone recently looked at the body of work and made the assumption we simply borrowed from existing mappings. We looked. And were not satisfied with the accuracy and usefulness of the common existing mappings out there. This was several months of heads-down effort reviewing every single control and then getting two different third party audit firms to supplement the effort.
  • Review and complete where necessary control mappings from common regulations, standards, and best practices into NIST.
  • Identify any control gaps and create an effective control overlay. 
  • Independently validate results by at least 2 different consulting companies formally, and informally with a number of peers.

Deliverable
The incredible work NIST has done with bodies of work like NIST SP800-160 Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems by Dr. Ron Ross, Michael McEvilley, and Janet Carrier Oren greatly inspired our team. We borrowed generously from these materials.
  • Recommended common control alignment map to NIST with additional control overlays addressing multiple regulations and standards. 
  • Recommended product configurations, security solutions, and specific design requirements to create repeatable, compliant, secure systems.

But I didn't think PCI mapped directly into SP800-53?
It doesn't. Please allow me to introduce the concept of overlays in case you haven't run across them before. Taken from the summary document...

[...] To help ensure that selected and implemented controls are sufficient to adequately mitigate risks to organizational operations and assets, SP 800-53 Rev. 4 introduces the concept of overlays. An overlay provides a set of security controls, control enhancements, and supplemental guidance for community-wide use or to address specialized requirements, technologies, or unique missions and environments of operation. For example, the federal government may decide to establish a government-wide set of security controls and implementation guidance for public key infrastructure (PKI) systems that could be uniformly applied to information. [...]