Help needed in modeling control objectives and requirements
09-24-2024 09:29 AM
Hi,
I am at present trying to prototype automated control monitoring using Indicators.
I have installed NIST CSF Usecase Accelerator. I am getting data from AWS and checking if all the AWS resources are compliant against the following
PR.DS-5 : Protection against data leaks are implemented.
a) SNS topics are encrypted with AWS Key Management Service (AWS KMS)
b) Recovery point is encrypted
c) AWS CloudTrail encryption is enabled
NIST Use case accelerator has configured PR.DS-5 as a control objective. Hence I have configured
- the SNS topic, Recovery point and AWS CloudTrail as downstream control objectives for PR.DS-5.
- there are no entity types attached at the PR.DS-5 control objective. However,
- entity type: AWS SNS is attached to the control objective: SNS topics are encrypted with AWS Key Management Service (AWS KMS) and
- AWS CloudTrail entity type is attached to the control objective (AWS CloudTrail encryption is enabled)
- indicator templates are attached to each of the downstream control objectives to check for compliance.
I am an IT developer just learning ServiceNow GRC. I don't have much idea about how such scenarios are modeled in organizations. Is there any other better way to model these control objectives?
Would it be better to model them the following way -
Control objective - PR.DS-5 : Protection against data leaks are implemented.
Control requirement - All AWS resources should be encrypted wherever applicable
Configuration control table - Configure specific items
a. SNS topics are encrypted with AWS Key Management Service (AWS KMS)
b. Recovery point is encrypted
c. AWS CloudTrail encryption is enabled
In the above case, should the Indicator validate compliance as specified in the configuration control table for each control requirement for the control objective? i.e. the Indicator should look for data in the control objective, requirement and configuration control.
Kindly suggest which of the two ways - hierarchical control objectives or control objective -> control requirement -> configuration control - is better? Or if there is another alternative, please suggest.
Thanks,
Krithika
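The hierarchical model from the post, as an added example that is not part of the post or of ServiceNow's accelerator: each downstream control objective carries its entity type and indicator logic, and PR.DS-5 is compliant only when every downstream objective is. The resource records are constructed and shaped after the AWS API fields that carry the encryption setting (SNS `KmsMasterKeyId`, AWS Backup `IsEncrypted`, CloudTrail `KmsKeyId`); ARNs and names are placeholders.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed inventory keyed by entity type; values are placeholders, not real resources.
INVENTORY: Dict[str, List[dict]] = {
    "AWS SNS": [
        {"TopicArn": "arn:aws:sns:us-east-1:111122223333:alerts", "KmsMasterKeyId": "alias/aws/sns"},
        {"TopicArn": "arn:aws:sns:us-east-1:111122223333:audit", "KmsMasterKeyId": ""},  # unencrypted
    ],
    "AWS Backup Recovery Point": [
        {"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:rp-1", "IsEncrypted": True},
    ],
    "AWS CloudTrail": [
        {"Name": "org-trail", "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    ],
}


@dataclass
class ControlObjective:
    name: str
    entity_type: str = ""                               # empty at PR.DS-5, as in the post
    id_key: str = ""                                    # field that identifies a resource
    indicator: Optional[Callable[[dict], bool]] = None  # indicator template logic
    downstream: List["ControlObjective"] = field(default_factory=list)

    def evaluate(self, inventory: Dict[str, List[dict]]) -> dict:
        """Evaluate this objective's own indicator, then roll up its downstream objectives."""
        failed = []
        if self.indicator is not None:
            for resource in inventory.get(self.entity_type, []):
                if not self.indicator(resource):
                    failed.append(resource[self.id_key])
        children = [child.evaluate(inventory) for child in self.downstream]
        compliant = not failed and all(c["compliant"] for c in children)
        return {"name": self.name, "compliant": compliant, "failed": failed, "downstream": children}


PR_DS_5 = ControlObjective("PR.DS-5: Protection against data leaks are implemented", downstream=[
    ControlObjective("SNS topics are encrypted with AWS KMS", "AWS SNS", "TopicArn",
                     lambda t: bool(t.get("KmsMasterKeyId"))),
    ControlObjective("Recovery point is encrypted", "AWS Backup Recovery Point", "RecoveryPointArn",
                     lambda rp: rp.get("IsEncrypted") is True),
    ControlObjective("AWS CloudTrail encryption is enabled", "AWS CloudTrail", "Name",
                     lambda tr: bool(tr.get("KmsKeyId"))),
])


def evaluate_pr_ds_5(inventory: Dict[str, List[dict]] = INVENTORY) -> dict:
    """Return the rolled-up result for PR.DS-5 over the given inventory."""
    return PR_DS_5.evaluate(inventory)


if __name__ == "__main__":
    print(evaluate_pr_ds_5())
```

With the constructed data the unencrypted `audit` topic fails its downstream objective, so PR.DS-5 rolls up as non-compliant even though the recovery point and trail checks pass.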