Feature - Compliance Correlation / Mapping

Basically to say “iso 3.4.5” matches to “pci 3.4.5 and 6.7.8” so what internal control i link to iso 3.4.5 automatically is also linked to those two pci ones.

Anyone for this?

2 Likes

:point_up: Yes, would be great. I thought about it when doing another compliance analysis with another package. Would maybe saved some time, but still it would have to be quite flexible: Maybe NIST PR 99 contains the full requirements of ISO 7.8.9, but in turn only part of the controls for NIST PR 99 are also applicable to ISO 7.8.9. Usually there is no 1:1 matching, that will increase the complexity.

Maybe it would be good to have the linked controls as recommendation? And we could just manually select the matching ones.

Hey have you come across the CSA matrix from the link below. Takes most of the hard work out of correlating different standards to each other.

Introduction

The idea is that users can define how two or more compliance packages match each-other, so for example:

  • Compliance Package X item 3.4.4 matches CP Y items 4.5.6 , 6.7, CP Z 5.6
  • Compliance Package Z 5.6 matches CP X 4.5 and CP J 5.6
  • CP A 4.5.6 is the same as CP A (yes, the same) 5.6.7, 7.4.3

This is a many to many relationship in between compliance package Items.

This is useful so when the user under compliance analysis makes a modification (adds a control, policy, project, strategy, etc) on 3.4.4 the system will automatically “copy” (or suggest) to 4.5.6 and 6.7 on the other compliance package. There could be a third compliance package Z mapped to CP Y … so this goes on and on if needed.

1/ every compliance package item has a unique hash calculated from:

  • chapter id
  • chapter name
  • item id
  • item name

This hash must be calculated every time any modification or insert is done on the compliance package section.

2/ under compliance packages, we need to give the user the option to do a mapping in between those selected compliance packages items, mapping would allow:

  • to tell what items are related in between compliance packages items
  • to tell the direction of the synchronisation:
    • Left (sync ONLY any change done on the LEFT to the RIGHT)
    • Right (sync ONLY any change done on the RIGHT to the LEFT)
    • Bidirectional (sync any change made on any one of them to the other)
  • tell the type of sync:
    • Automatically Copy (this will copy automatically the change)
    • Suggest Only (this would suggest to the user at the time of edition in compliance analysis)

Summary:

Note: B15 on the right has two compliance items linked to it , so you would need to copy all what A12 has AND suggest adding controls from B45? this could be buggy… i think in this situations copy overrides suggestions.

User Interface used for mapping (Add)

Under compliance packages we need one more tab called “Mappings” where we the user will see what mappings exist and will be able to edit, import or delete it. The menu should be: Mappings -> Add New|Saved->($MappingName) -> Import | Edit | Delete

When they click “Add New”:

  • A “General” tab has a single text field where the user can name the “Mapping”, the user must select what two compliance packages he/she plans to associate. Once this defined (the user saves the modal) it can not be changed.

  • On a second tab (or step two if we choose to make this a wizard) called “Mapping Associations” we show a filter where the columns are from left to right:

    • chapter id (of the first compliance package)
    • chapter name (of the first compliance package)
    • item id (of the first compliance package)
    • item name (of the first compliance package)
    • Sync direction
    • Sync type
    • Drop down with search and multiple select with all the items of the second compliance package (id chapter, chapter name, item id, item name)

The user also needs a quick “Reset” option to unselect a row completely

  • then the user can Save or Cancel. for those items that the user decided to use type “copy” you can now automatically copy using whatever the user defined.

This same modal is used for editing

User Interface used for mapping (Import)

When a mapping is created its associations do not have to be manually created, they can be imported with a CSV making the life of the user easier. the CSV format is basically the one shown above on the screenshot:

  • Compliance Mapping Name (maybe this is not necessary if the import option is “inside” the mapping)
  • Base CP item “Mapping Hash”
  • Direction (right, left, bidirectional)
  • Type (copy, suggestion)
  • Associated CP item “Mapping Hash” (one or more are valid here)

The user will need the “Mapping Hash” of every compliance package item, for that you need to include the “Mapping Hash” as a filter option on compliance package item tab.

The import must validate that all hash exists before they can be imported, you can NOT import a mapping association that already exists , so if the CSV includes a row that already exists you deny it “This association already seems to exist”.

“Already Exists” means that:

  • the Base CP item “Mapping Hash” and one or more of the defined Associated CP item “Mapping Hash” on the row in the CSV already exist on the database. either direction!

User Interface used for mapping (Index)

On the Compliance Package we need a few new filter options under a new “Tab” on the filters called “Mapped Items”

  • “Mapped Compliance Package Item” shows as a single string: “Compliance Package Name - Item Id - Item Name” of all items that are associated
  • “Mapping Direction”
  • “Mapping Type”

The same goes for the compliance analysis module , there is no inline-edit in any of them. On filters you can search as string, not as drop-down.

User Interface used for mapping (Compliance Analysis)

As described above there is a filter option on the compliance analysis module, when an item is edited we need a new tab (only if it has mapped items) that shows all associations for this item:

  • Items that affect this item
  • Items that this item affects

On each type , you show the “Compliance Package Name, Item Id, Item Name” and “Type” of sync

When you display fields on the compliance analysis “Edit” modal you have a few possibilities:

if [ item has associations type “copy” ] on every field on the modal you need to highlight in RED letters if the field value will be automatically updated with whatever sync it receives. “Modifications on this field wont take effect as this compliance item is associated with other items, please see the tab Mappings for details”.

if [ item has associations type “copy” ] on every field on the modal you need to have whatever values ALL associations to this item (there might be more than one) have and suggest them with red letters: “The following items are suggested based on the mappings for this compliance item, please see the tab Mappings for details”

Issues

  • duplicating a CP does what?

nothing really, is another CP in the end with the same mappings as the original CP from where the duplication took place

  • conflicting mappings (mapping A says do this mapping B says do the opposite)

You cant, when you add a new mapping group you cant allow a combination that already exists in one way or another. So if i defined A and C I can not define a second mapping group with CP C and A.

  • how to keep them updated when a standard changes?

No idea yet

ok - we are nearly done with this … it was harder we thought it would as mappings can have loops and loops are developers misery.

we wanted to offer a template of mappings, based on CSA CCM v3.01 (attached) we came up with a PCI v3.* to ISO 27001 … probably the other way around too. we dont know how good this mapping definitions are … that will be your task to judge and adjust.

we uploaded the documentation and made a quick video showing how the functionality works

2 Likes

We missed this field to be included on the sync:

github: https://github.com/eramba/eramba_v2/issues/2427

Also - rename the field to “Compliance Strategy” instead of the current name