Comments (3)
Have been playing with this too. For example to add PCI-DSS mappings to NIST 800-53 control responses... don't want to create entirely separate bodies of work for each standard.
Some example code of having PCI-DSS and NIST 800-53 in the same response:
https://github.com/opencontrol/schemas/blob/master/examples/component_v3.1.0.yaml
That approach still requires copy/pasting responses to map against multiple standards. Have been debating about restructuring a new component schema to something like this:
(answer for PCI-DSS control 1.1, but also maps answer to NIST 800-53 AU-5 and CM-6)
- control_key: 1.1
  implementation_status: partial
  parameters:
    - key: "a"
      text: "Parameter A for 1.1"
    - key: "b"
      text: "Parameter B for 1.1"
  narrative:
    - key: "a"
      text: "Justification in narrative form A for 1.1"
    - key: "b"
      text: "Justification in narrative form B for 1.1"
  standard_key: PCI-DSS-MAY-2015
  standard_mappings:
    - control: AU-5
    - control: CM-6
from discuss.
I think that could work as a minimal change to the existing schema. I think that you'd need to have a standard_key in with the mappings though. Something more like this:
- control_key: 1.1
  implementation_status: partial
  parameters:
    - key: "a"
      text: "Parameter A for 1.1"
    - key: "b"
      text: "Parameter B for 1.1"
  narrative:
    - key: "a"
      text: "Justification in narrative form A for 1.1"
    - key: "b"
      text: "Justification in narrative form B for 1.1"
  standard_key: PCI-DSS-MAY-2015
  standard_mappings:
    - key: NIST-800-53
      # two sibling "control:" keys would collide in one YAML map, so list them
      controls:
        - AU-5
        - CM-6
IMO, you probably need to go farther to have this work the way it should though. That would mean putting all of the mappings into a mapping array and move the parameters in there as well. Unless I misunderstand parameters (totally possible), they are meant to indicate values for 'selectable' items in the standard. Since different standard texts will have different parameters, you would want them to go w/ the standard mapping. If you did that, you'd end up w/ something more like this:
- narrative:
    - key: "a"
      text: "Justification in narrative form A for 1.1"
    - key: "b"
      text: "Justification in narrative form B for 1.1"
  implementation_status: partial
  standard_mappings:
    - standard: PCI-DSS-MAY-2015
      control: 1.1
      # parameters are specific to this standard's text, so they live on the mapping
      parameters:
        - key: "a"
          text: "Parameter A for 1.1"
        - key: "b"
          text: "Parameter B for 1.1"
    - standard: NIST-800-53
      # two sibling "control:" keys would collide in one YAML map, so list them
      controls:
        - AU-5
        - CM-6
All of that is a pretty big shift though.
Control sharing starts to break down if you look at the keys in the narrative though. I don't have an idea for that yet other than to suggest avoiding modeling the control description too closely to the standard text and not use key references.
from discuss.
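The mapping-array shape discussed above can be exercised with a small indexer, added here as an illustration and not code from the thread or from the OpenControl project. It assumes the parsed component sits under a top-level `satisfies` list (an assumption about the component schema), that a mapping entry may carry either a single `control` or a `controls` list, and it embeds one constructed component (the parsed form of the YAML above, so no YAML library is needed). It builds a `(standard, control)` index so one narrative is written once but found under every standard it maps to, and it flags the sharing problem raised in the comment: narrative parts keyed "a"/"b" after one standard's sub-items mean nothing under the other standards the response maps to.

```python
"""Index and lint a multi-standard component response (added example)."""

# Constructed sample: the parsed form of the mapping-array proposal above,
# written as a dict so this runs without PyYAML. 'satisfies' as the top-level
# key and 'controls' as a list are assumptions, not part of the thread's YAML.
COMPONENT = {
    "name": "example-logging-component",  # hypothetical component name
    "satisfies": [
        {
            "implementation_status": "partial",
            "narrative": [
                {"key": "a", "text": "Justification in narrative form A for 1.1"},
                {"key": "b", "text": "Justification in narrative form B for 1.1"},
            ],
            "standard_mappings": [
                {
                    "standard": "PCI-DSS-MAY-2015",
                    "control": "1.1",
                    # parameters are standard-specific, so they sit on the mapping
                    "parameters": [
                        {"key": "a", "text": "Parameter A for 1.1"},
                        {"key": "b", "text": "Parameter B for 1.1"},
                    ],
                },
                {"standard": "NIST-800-53", "controls": ["AU-5", "CM-6"]},
            ],
        },
    ],
}


def mapping_controls(mapping):
    """Accept either a single 'control' or a 'controls' list in one mapping entry."""
    if "controls" in mapping:
        return list(mapping["controls"])
    if "control" in mapping:
        return [mapping["control"]]
    return []


def index_by_standard(component):
    """Return {(standard, control): response view} so each narrative is stored
    once but can be looked up under every standard it maps to."""
    index = {}
    for response in component["satisfies"]:
        for mapping in response["standard_mappings"]:
            for control in mapping_controls(mapping):
                key = (mapping["standard"], control)
                if key in index:
                    raise ValueError(f"control mapped by two responses: {key}")
                index[key] = {
                    "implementation_status": response["implementation_status"],
                    "narrative": response["narrative"],
                    "parameters": mapping.get("parameters", []),
                }
    return index


def lint(component):
    """Return findings for shapes that undermine control sharing:
    keyed narrative parts shared across standards, and mappings with no control."""
    findings = []
    for n, response in enumerate(component["satisfies"]):
        standards = {m["standard"] for m in response["standard_mappings"]}
        keyed = [p for p in response["narrative"] if p.get("key")]
        if len(standards) > 1 and keyed:
            findings.append(
                f"satisfies[{n}]: keyed narrative parts shared across {sorted(standards)}"
            )
        for m in response["standard_mappings"]:
            if not mapping_controls(m):
                findings.append(f"satisfies[{n}]: mapping for {m['standard']} lists no control")
    return findings


if __name__ == "__main__":
    for (standard, control), view in sorted(index_by_standard(COMPONENT).items()):
        print(standard, control, view["implementation_status"], len(view["parameters"]), "parameters")
    for finding in lint(COMPONENT):
        print("lint:", finding)
```

Running it lists three index entries (one PCI-DSS control with two parameters, two NIST 800-53 controls with none) and one lint finding for the keyed narrative; the finding is the concrete form of the objection in the comment, and the fix it points to is the one suggested there, writing narratives that do not mirror one standard's sub-item keys.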
Is this still open or overcome by events?
from discuss.