Open weirdscience opened 5 years ago
Is there a way to use the same component file to track compliance with two certifications that use different marking taxonomies?
Yes, OpenControl Components can refer to multiple frameworks by having multiple satisfies entries.
Can someone share an example?
Not sure I know of one, sorry!
I'm not so much interested in writing an SSP (or CPS in the PKI world) as much as maintaining compliance with the standards
For a particular system, or the mapping in isolation?
Here's an example and the test repo I setup - https://github.com/weirdscience/OpenControl-PKI-Compliance
For example, I'm working with four standards (Google, Microsoft, Adobe, and Mozilla) and they all have the same system availability requirement, but each standard does not follow a standardized numbering or control scheme. For example, the requirements might look like this: Google 4.1, Adobe 1.1, Microsoft A-1n, Adobe xiii.
I list that control in section 2 of my compliance document. How would I map those standard requirements to a single satisfies section in my components file?
Is there a way to use the same component file to track compliance with two certifications that use different marking taxonomies?
Yes, OpenControl Components can refer to multiple frameworks by having multiple satisfies entries.
Would that look like this? The same text in each satisfies entry?

```yaml
satisfies:
  - standard_key: NIST-800-53   # assumed name; standard_key selects the framework AC-17 belongs to
    control_key: AC-17
    covered_by: []
    implementation_status:      # the schema field is singular
  - standard_key: PCI-DSS       # assumed name
    control_key: PCI-17
    covered_by: []
    implementation_status:
```
I'm not so much interested in writing an SSP (or CPS in the PKI world) as much as maintaining compliance with the standards
For a particular system, or the mapping in isolation?
For a system. Ignore that because it may eventually be used to draft the document if the format is correct.
Has anyone used the same components yaml for multiple certifications and did not have to repeat the same satisfies statements?
Has anyone been successful at this?
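Added example (not from this thread or from the OpenControl project) of the shape the answer above describes: one shared narrative expanded into a `satisfies` entry per standard, with a gap check against each standard's control list. The standard names, control keys, narrative and required-control lists are constructed placeholders, not citations from the real Google, Microsoft, Adobe or Mozilla documents.

```python
import json

# Constructed sample: one requirement that four standards state under different
# numbering is written once, then expanded into a `satisfies` entry per
# (standard_key, control_key). Names and keys here are placeholders.
SHARED_CONTROLS = {
    "system-availability": {
        "narrative": "OCSP and CRL endpoints are monitored and kept at 99.9% availability.",
        "implementation_status": "complete",
        "mapped_to": [  # (standard_key, control_key) pairs, one per framework
            ("Google-CA-Policy", "4.1"),
            ("Adobe-AATL", "1.1"),
            ("Microsoft-Trusted-Root", "A-1n"),
            ("Mozilla-Root-Policy", "xiii"),
        ],
    },
}

def build_satisfies(controls):
    """Expand each shared control into OpenControl `satisfies` entries, one per standard."""
    entries = []
    for control in controls.values():
        for standard_key, control_key in control["mapped_to"]:
            entries.append({
                "standard_key": standard_key,          # selects the framework
                "control_key": control_key,            # that framework's own numbering
                "implementation_status": control["implementation_status"],
                "covered_by": [],
                "narrative": [{"text": control["narrative"]}],  # shared text, written once
            })
    return entries

def coverage_gaps(entries, required):
    """Return, per standard, the required control keys no `satisfies` entry references."""
    covered = {(e["standard_key"], e["control_key"]) for e in entries}
    return {std: sorted(k for k in keys if (std, k) not in covered)
            for std, keys in required.items()}

def to_yaml(entries):
    """Render the entries as a `satisfies:` block for component.yaml (no PyYAML needed)."""
    lines = ["satisfies:"]
    for e in entries:
        lines.append(f"  - standard_key: {e['standard_key']}")
        lines.append(f"    control_key: {json.dumps(e['control_key'])}")  # quoted so 4.1 stays a string
        lines.append(f"    implementation_status: {e['implementation_status']}")
        lines.append("    covered_by: []")
        lines.append("    narrative:")
        lines.append(f"      - text: {json.dumps(e['narrative'][0]['text'])}")  # JSON string is valid YAML
    return "\n".join(lines)
```

Writing `to_yaml(build_satisfies(SHARED_CONTROLS))` to the component file gives one entry per standard without retyping the narrative, and `coverage_gaps` flags any control of a standard that the component has not yet mapped.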
@weirdscience, are you in the slack channel? There might be somebody that may know just enough to get you a response there.
@weirdscience did you ever find one or start the discussion in slack? I think this is a great place to start and would be interested in what you have come across. You might want to check this out as well https://github.com/redteam-project/sckg
Repost from the certifications and standards repo:
Is there a way to use the same component file to track compliance with two certifications that use different marking taxonomies (e.g. PCI and FISMA, or SOC2 and FISMA)? If so, can someone share an example? Love it.
I'm working on a project to maintain compliance with a couple of different standards and certifications related to PKI. I'm not so much interested in writing an SSP (or CPS in the PKI world) as much as maintaining compliance with the standards when they change. Depending on the standard, they might be in the same format (RFC 3647) or just a bullet list. I wanted to use opencontrol to do this. It's not FISMA, but still a federal system, and I'm not interested in FISMA; it's outside of my scope.