Closed mcleo-d closed 11 months ago
Apologies I couldn't make the meeting (catching up async). Given the questions posed in #49, does it make sense to have members annotate here (or in the repo) the existing frameworks and standards they currently adhere to and tag them with various elements so we can answer both questions? It doesn't need to be incredibly detailed, but enough that we can develop comprehensive answers to these questions between #49 and #50. I suspect this is something this group will inevitably need if we're going to establish Common Controls.
I would also recommend potentially capturing whether each entity has additional internal policies/controls that supplement or close gaps where these regulations, frameworks, and standards don't cover (not to be confused with the NIST controls that define organizational values and parameters; those are assumed to exist and don't need to be addressed here).
Title | Use | Adoption | Auditability | Mitigating |
---|---|---|---|---|
title of framework/regulation/standard | conditions under which it applies | Whole / In part / Modified / NA | Yes - Whole, Manual / Yes - Partial, Manual / Yes - Whole, Automated / Yes - Partial, Automated / No | Complete / Partial (requires: supplemental [external link or mark as Org Specific Policy]) / Negligible (gaps: doesn't consider containerized deployments, missing serverless applications) |
This item was closed with https://github.com/finos/common-cloud-controls/issues/9
Shared Google Doc for White House RFI Response
Please find the shared Google Doc for the White House RFI response here: https://docs.google.com/document/d/1qIgjIVQtQgNd-DdhzVia_VKhWa_gsV5maPDQG-KzyXI/edit?usp=sharing
Question 4: White House RFI
Third-Party Frameworks - Both the government (for example, through the NIST Cybersecurity Framework) and non-government third parties have developed frameworks and related resources that map cybersecurity standards and controls to cybersecurity outcomes. These frameworks and related resources have also been applied to map controls to regulatory requirements, including where requirements are leveled by multiple agencies.
a. Please identify such frameworks and related resources, both governmental and nongovernmental, currently in use with respect to mitigating cybersecurity risk.
b. How well do such frameworks and related resources work in practice to address disparate cybersecurity requirements?