Monday, May 14, 2012


Get the 'Common Authorities on Information Assurance' spreadsheet here. (xlsx)

[2016-02-03 Update]
-- PCIv3.1 controls spreadsheet
-- NIST SP 800-53A r4 spreadsheet

Just back from London... where the joke was for me to close a deal at Hogwarts :).

I had some time on the plane to clean and organize material into a single source document. I have much more interesting stuff than this, but alas, I can't share it unless you're a customer. And I like you. And you know how to get into Hogwarts.

There are different spreadsheets floating around with ISO, PCI, NIST, HIPAA, and more so that you can play to your heart's content. Here's mine. Why do I do this? It's fun for me and it forces me to digest to a certain extent what's in there.

We have vCM and Archer, real tools for managing compliance. The spreadsheet does make for a quick, compelling view into exactly why a (good) compliance management tool can be sooooo helpful. :) Have fun! It's under the documents tab.

The most complete set of controls? 
Recently a customer asked me which set of controls I thought was the most complete. There are several I like, and some that are far too narrowly focused to build a comprehensive program on. My answer? NIST SP 800-53. Here's a look at some commonly referenced sources.

Common Regulations, Standards, Audit Practices and Guides: SOX | GLBA | FFIEC | Basel II | FCRA | HIPAA | NERC | NRC | CFAA | FISMA | FRCP | FISCAM | Privacy Act of 1974 | Safe Harbor | NYSE | PCI-DSS | COSO | CESG | NIST | ISO 27001:2005 | ISO/IEC 27002:2005 | OGC ITIL | BCI | CobiT | ISACA | AICPA | ISACA | OECD | CSA | ENISA