CISecurity / ControlsAssessmentSpecification

Controls Assessment Specification

Consistency between 1.4 and 2.1 or added context #1

Open planglois925 opened 5 years ago

planglois925 commented 5 years ago

Controls

Control 1.4: Maintain Detailed Asset Inventory https://controls-assessment-specification.readthedocs.io/en/latest/control-1/control-1.4.html

Control 2.1: Maintain Inventory of Authorized Software https://controls-assessment-specification.readthedocs.io/en/latest/control-2/control-2.1.html

Comment

Is there a documented logic as to why these controls, while conceptually similar, take different approaches towards defining Measures + Metrics?

ginger-anderson commented 1 year ago

Hey PL!

The logic here was that 1.4 is more focused on tooling and ensuring the tooling is working/configured appropriately across relevant assets to help update the inventory. 2.1 is more generic since we do not know if enterprises will be using tooling or not, and we do not make a recommendation either way. Does this help? If not, we can discuss further.

v/r Ginger

ginger-anderson commented 1 year ago

PL,

Was this for Controls v7.1 or CAS 1.0? If so, closing.