- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-08-2024 06:48 AM
Hi all,
Due to Control Objective source "NIST 800-53-r4" and "NIST 800-53-r5" I'm noticing 'duplicate' control objectives (with same name, but with different source)
Example
Reference: AC-1, Source:NIST 800-53-r4
Reference: AC-1, Source:NIST 800-53-r5
What is you best practice when it comes to mainining control objectives is such situation. Ideally I would like to see on "r5" ones, but I highly welcome your approach to dealing with them and which one(s) are you using.
Thanks in advance for your comments.
V.
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-09-2024 02:29 AM
Hi @Valqe ,
I would take this back to my compliance team in the company to verify if my company want to comply with NIST 800-53-R5 (over R4) , what's their preference. Based on the input i get, i would either make the duplicate record as inactive or refrain from using.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-08-2024 07:13 AM
Hi @Valqe ,
While Importing the Control objectives, you can write a Transform map with coalesce on "Name" Field in the
sn_compliance_policy_statement table.
The coalesce option allows you to update existing target table records when transforming import data.
The coalesce option on a field map allows you to specify if the selected Target field should be used to coalesce on when import set records are transformed. If the field map Coalesce checkbox is selected, when the import set row is transformed the instance checks for an existing record in the target table that has the same value in the Target field as the import set row Source field.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-08-2024 08:20 AM
Thanks for your quick response @Community Alums - I appreciate your comments.
My issue is that I did not import control objectives at all. They got automatically created/populated when NIST Use Case Accelerator plugin got installed/updated. Such records got pushed by ServiceNow.
Based on your experience, I want to guess you would take advantage of NIST 800-53-R5 (over R4) - would that be a good asumption? Also, do you think it is a good idea to set ative=false for R4 ones? (issue in this situation is that control objectives that are linked to a published policies get read-only and there is no way to modify them with published policies).
I welcome best practices and comments on this situation 🙂
Thanks in advance
Valqe
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-09-2024 02:29 AM
Hi @Valqe ,
I would take this back to my compliance team in the company to verify if my company want to comply with NIST 800-53-R5 (over R4) , what's their preference. Based on the input i get, i would either make the duplicate record as inactive or refrain from using.