Open yt-ms opened 8 months ago
I am a member of both projects and there is an opportunity to collaborate across the two. LSEG will explore the overlap in two areas: CCC uses OSCAL for control specifications and OSCAL's System Security Plan refers to system boundary & diagrams.
CCC also plans to use CDMC data controls, including data dependencies/lineage/provenance.
We will update this issue as research is done.
Feature Request
Description of Problem:
The FINOS Common Cloud Controls project aims to "develop a unified set of cybersecurity controls for common services across the major cloud service providers (CSPs)". As part of this, it is developing a catalog of cloud services, and the relevant risks, controls and mitigations around those services.
There is an opportunity for these two projects to complement each other - for example some of the things we have discussed for a "security domain" for CALM may well already be present in CCC. Similarly, having a standard taxonomy of services that can be referenced from CALM would enable portability of CALM models between organisations. In the other direction, if CCC needs to describe infrastructure architectures then CALM could be extremely beneficial.
Potential Solutions:
If we have people who are members of both projects, they could help to describe the boundaries, get agreement across the two projects, and capture the outcome in both places. They could also identify collaboration opportunities where an item intersects the two, and help bring the right people together to make progress.