How to configure control objective hierarchy

KrithikaV
Tera Expert
Hi,
I have the following control objective in NIST CSF :

PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

For this, we perform the following two assessments and produce evidence:
1. AWS IAM inline policy feature is not in use
2. AWS Identity and Access Management (IAM) policies cannot have Allow statements that grant permissions to all actions on all resources

Should I configure the two assessments as child control objectives for the parent NIST CSF PR.AC-4 control objective? How should the entity and entity types be configured?
I am thinking of configuring the NIST CSF PR.AC-4 as the parent control objective and the two assessments as child control objectives. I would be configuring entity types for the child control objectives and have indicators to monitor these controls based on our assessment output. 
The parent NIST CSF PR.AC-4 would not have any entity type or indicators configured, as according to the documentation the entities, compliance score, indicators, monitoring etc. will roll up to the parent and I don't have to configure anything explicitly for the parent. Is my understanding correct? If not, how else should I handle this situation?

Thanks in advance
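As an added example (not code from the post, the answer, or the GRC product), here is a small Python check for the two child assessments above, run against IAM policy documents. The policy documents, account ID and principal inventory are constructed for illustration; the boto3 calls named in the comments are an assumption about how the inventory would be gathered in practice.

```python
import json

# Constructed sample policy documents (not from the post). The second one
# violates child assessment 2: it allows all actions on all resources.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}],
})
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:ListUsers", "Resource": "*"},
        {"Sid": "AdminAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM lets Statement/Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_full_access_statements(policy):
    """Return (index, Sid, finding) for Allow statements that breach assessment 2.

    'all-actions-all-resources' is the direct violation (Action "*" on Resource "*").
    'notaction-all-resources' is flagged for review: Allow + NotAction grants every
    action except the listed ones, so it is usually just as broad.
    Accepts the raw JSON string or the already-decoded document dict.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        if "*" in _as_list(stmt.get("Action")):
            findings.append((idx, stmt.get("Sid"), "all-actions-all-resources"))
        elif "NotAction" in stmt:
            findings.append((idx, stmt.get("Sid"), "notaction-all-resources"))
    return findings


def find_inline_policies(inventory):
    """Assessment 1: inventory maps principal ARN -> list of inline policy names.
    Assumption: the caller fills it from the 'PolicyNames' field returned by boto3's
    iam.list_user_policies / list_role_policies / list_group_policies.
    Returns the principals that still carry inline policies."""
    return sorted(arn for arn, names in inventory.items() if names)
```

The returned findings (statement index, Sid, finding type) and principal ARNs are what you would attach as evidence to the two child control objectives.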
1 ACCEPTED SOLUTION

Community Alums
Not applicable

Hi @KrithikaV ,

You are correct in your approach. PR.AC-4 should be your parent control objective with no entity type, with the two below as child control objectives where you connect the entity types such that the controls get created and you can attest and provide evidence.

1. AWS IAM inline policy feature is not in use
2. AWS Identity and Access Management (IAM) policies cannot have Allow statements that grant permissions to all actions on all resources
 
What I also think is, if you do not want to go with attestations and evidence is not required, you can follow the Policy Campaign route as well.
However, as per your ask of attestation and evidencing, your approach is fine.
 
 
