awsdocs / aws-config-developer-guide

The open source version of the AWS Config Developer Guide. You can submit feedback & requests for changes by submitting issues in this repo or by making proposed changes & submitting a pull request.
Apache License 2.0

Update Operational Best Practices for FFIEC > Control ID - D1.G.RM.Rm.1 #21

Closed vkumbha closed 2 years ago

vkumbha commented 2 years ago

Thanks for the great document on Operational Best Practices for FFIEC, which is of great help and gives a good understanding of how to govern our AWS accounts better. We at Steampipe are relying on this to build a compliance mod for FFIEC. While I was going through the FFIEC document to understand more about this, I did notice a small deviation in the Control ID for D1.G.RM.Rm.1.

I believe the Control IDs in the document follow the pattern "Domain > Assessment Factor > Component > Maturity Level > Declarative Statement". Below is a screenshot from the FFIEC documentation that describes the bits and pieces in the document.

[screenshot: FFIEC documentation on the Control ID structure]

For example, the screenshot below shows the declarative statement from "Domain 1 > Training and Culture > Training > Baseline > 2": "Annual information security training includes incident response, current cyber threats (e.g., phishing, spear phishing, social engineering, and mobile security), and emerging issues." The Control ID for this corresponds to D1.TC.Tr.B.2.

[screenshots: FFIEC declarative statement and the corresponding Control ID D1.TC.Tr.B.2]

Likewise, I believe the baseline "Domain 1 > Risk Management > Risk Management Program > Baseline > 1" should have the Control ID D1.RM.Rm.B.1 and not D1.G.RM.Rm.1.

[screenshots: FFIEC declarative statement and the Control ID as listed in the AWS document]

Also, the "Control Description" for D2.TI.Ti.B.3 should be "Threat information is used to enhance internal risk management and controls." and not "Threat information is used to monitor threats and vulnerabilities."

I could be wrong in my approach as well; happy to learn and understand the deviation in naming the Control ID as D1.G.RM.Rm.1. Let me know if you need any more information. Thank you!
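The naming pattern quoted above ("Domain > Assessment Factor > Component > Maturity Level > Declarative Statement", e.g. D1.TC.Tr.B.2) is regular enough to check mechanically before a mapping table like this one is turned into a compliance mod. The following Python check is an added example and is not code from the AWS Config guide, Steampipe or the FFIEC. It assumes the five FFIEC CAT maturity-level abbreviations listed in the code (B, E, Int, A, In), that assessment factors are upper-case abbreviations (G, TC, RM, TI) and components are capitalised ones (Tr, Rm, Ti); the sample mapping rows are constructed from the IDs cited in this issue.

```python
"""Validate FFIEC CAT control IDs of the form D1.TC.Tr.B.2.

Added example; not code from the AWS Config guide, Steampipe or the FFIEC.
Slot layout follows the pattern quoted in the issue:
    Domain . Assessment Factor . Component . Maturity Level . Statement
Assumptions (not stated on the page): the five maturity-level abbreviations
below, and that factors are upper-case (G, TC, RM, TI) while components are
capitalised (Tr, Rm, Ti).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: FFIEC CAT maturity levels and the abbreviations used in IDs.
MATURITY_LEVELS = {
    "B": "Baseline",
    "E": "Evolving",
    "Int": "Intermediate",
    "A": "Advanced",
    "In": "Innovative",
}


@dataclass(frozen=True)
class ControlId:
    domain: int
    factor: str
    component: str
    maturity: str
    statement: int


def check_control_id(raw: str) -> List[str]:
    """Return the problems found in `raw`; an empty list means it is well formed."""
    parts = raw.split(".")
    if len(parts) != 5:
        return [f"expected 5 dot-separated segments, got {len(parts)}"]
    domain, factor, component, maturity, statement = parts
    problems: List[str] = []
    if not re.fullmatch(r"D[1-5]", domain):
        problems.append(f"domain {domain!r} is not D1..D5")
    if not re.fullmatch(r"[A-Z]{1,3}", factor):
        problems.append(f"assessment factor {factor!r} should be upper-case letters (e.g. TC)")
    if not re.fullmatch(r"[A-Z][a-z]{1,3}", component):
        problems.append(f"component {component!r} should be a capitalised abbreviation (e.g. Tr)")
    if maturity not in MATURITY_LEVELS:
        problems.append(f"maturity level {maturity!r} is not one of {sorted(MATURITY_LEVELS)}")
    if not re.fullmatch(r"[1-9]\d*", statement):
        problems.append(f"statement number {statement!r} is not a positive integer")
    return problems


def parse_control_id(raw: str) -> Optional[ControlId]:
    """Split a well-formed ID into its slots; None if check_control_id reports problems."""
    if check_control_id(raw):
        return None
    domain, factor, component, maturity, statement = raw.split(".")
    return ControlId(int(domain[1:]), factor, component, maturity, int(statement))


def validate_mapping(rows: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Check every (control_id, description) row; return {control_id: problems} for bad IDs."""
    return {cid: probs for cid, _desc in rows if (probs := check_control_id(cid))}


# Constructed sample rows using the IDs cited in the issue; descriptions are
# those quoted in the issue or omitted.
SAMPLE_MAPPING: List[Tuple[str, str]] = [
    ("D1.TC.Tr.B.2", "Annual information security training includes incident response, ..."),
    ("D1.G.RM.Rm.1", "(description not quoted in the issue)"),  # the malformed ID
    ("D2.TI.Ti.B.3", "Threat information is used to enhance internal risk management and controls."),
]

if __name__ == "__main__":
    for cid, problems in validate_mapping(SAMPLE_MAPPING).items():
        print(cid)
        for problem in problems:
            print("  -", problem)
```

Run against the sample rows, the check flags only D1.G.RM.Rm.1, reporting that "RM" is not a valid component abbreviation and "Rm" is not a maturity level, which is exactly the slot shift the issue describes. The description mismatch for D2.TI.Ti.B.3 cannot be caught this way; that needs the FFIEC text itself.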

dafolabi commented 2 years ago

Thanks for the feedback! The documentation has been updated 👍

vkumbha commented 2 years ago

@dafolabi Thanks for updating the control description for D2.TI.Ti.B.3. However, I do not see the Control ID change for D1.G.RM.Rm.1; I believe it has to be D1.RM.Rm.B.1.

dafolabi commented 2 years ago

Thanks for calling that out! Part of the update was delayed. The mapping table should now be fully updated.