Comments (3)
shawndwells
commented on August 18, 2024
Have been playing with this too. For example to add PCI-DSS mappings to NIST 800-53 control responses... don't want to create entirely separate bodies of work for each standard.
Some example code of having PCI-DSS and NIST 800-53 in the same response:
https://github.com/opencontrol/schemas/blob/master/examples/component_v3.1.0.yaml
That approach still requires copy/pasting responses to map against multiple standards. Have been debating about restructuring a new component schema to something like this:
(answer for PCI-DSS control 1.1, but also maps answer to NIST 800-53 AU-5 and CM-6)
- control_key: 1.1
implementation_status: partial
parameters:
- key: "a"
text: "Parameter A for 1.1"
- key: "b"
text: "Parameter B for 1.1"
narrative:
- key: "a"
text: "Justification in narrative form A for 1.1"
- key: "b"
text: "Justification in narrative form B for 1.1"
standard_key: PCI-DSS-MAY-2015
standard_mappings:
- control: AU-5
- control: CM-6
from discuss.
riskpeep
commented on August 18, 2024
I think that could work as a minimal change to the existing schema. I think that you'd need to have a standard_key in with the mappings though. Something more like this:
- control_key: 1.1
implementation_status: partial
parameters:
- key: "a"
text: "Parameter A for 1.1"
- key: "b"
text: "Parameter B for 1.1"
narrative:
- key: "a"
text: "Justification in narrative form A for 1.1"
- key: "b"
text: "Justification in narrative form B for 1.1"
standard_key: PCI-DSS-MAY-2015
standard_mappings:
- key: NIST-800-53
control: AU-5
control: CM-6
IMO, you probably need to go farther to have this work the way it should though. That would mean putting all of the mappings into a mapping array and move the parameters in there as well. Unless I misunderstand parameters (totally possible), they are meant to indicate values for 'selectable' items in the standard. Since different standard texts will have different parameters, you would want them to go w/ the standard mapping. If you did that, you'd end up w/ something more like this:
- narrative:
- key: "a"
text: "Justification in narrative form A for 1.1"
- key: "b"
text: "Justification in narrative form B for 1.1"
implementation_status: partial
standard_mappings:
- standard: PCI-DSS-MAY-2015
control: 1.1
parameters:
- key: "a"
text: "Parameter A for 1.1"
- key: "b"
text: "Parameter B for 1.1"
- standard: NIST-800-53
control: AU-5
control: CM-6
All of that is a pretty big shift though.
Control sharing starts to break down if you look at the keys in the narrative though. I don't have an idea for that yet other than to suggest avoiding modeling the control description too closely to the standard text and not use key references.
from discuss.
its-a-lisa
commented on August 18, 2024
Is this still open or overcome by events?
from discuss.
Related Issues (20)
- introductions to security compliance? HOT 7
- OpenControl edit workflow for non-technical users? HOT 6
- Set of partials == complete? HOT 7
- Script to convert FedRAMP controls spreadsheet to opencontrols files HOT 2
- add new root repository: introduction - with examples HOT 1
- re-org of repositories with table of contents for all HOT 1
- Risk assessment schema: Extend to three question types and provide validation HOT 5
- Translation of RiskVision controls spreadsheet to opencontrol YAML HOT 4
- has anyone done textual analysis of SSPs, or tried automating feedback on them? HOT 15
- OpenControl template HOT 4
- public SSPs? HOT 9
- As someone who isn't able to sign up for accounts, I want to be able to follow / participate in OpenControl HOT 3
- Introduction to ATOs HOT 1
- Map Components to Multiple Certifications HOT 8
- listening for control changes HOT 5
- code for parsing SSPs? HOT 3
- FedRAMP Challenges HOT 6
- Starting OpenControl Virtual Meetings HOT 9
- OpenControl Agenda topics HOT 1
- Is OpenControl deprecated? HOT 10
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from discuss.