The Inner Circle


To what other standard/framework CCM V4 should be mapped to?

  • 1.  To what other standard/framework CCM V4 should be mapped to?

    Posted May 19, 2023 06:03:00 AM

    Dear members,

    Mappings are a useful tool for cloud organizations to identify the equivalent (overlapping) security requirements between CCM V4 and a target framework, and more importantly the missing cloud-specific CCM security requirements (deltas), especially when cloud organizations are seeking to integrate these missing requirements within their cloud security and compliance programs.

    The CCM V4 is currently mapped with the following frameworks:

    • AICPA TSC (2017)
    • CCM v3.0.1
    • CIS v8.0
    • ISF SOGP 2022
    • ISO/IEC 27001 (2013, 2022)
    • ISO/IEC 27002 (2013, 2022)
    • ISO/IEC 27017 (2015)
    • ISO/IEC 27018 (2019)
    • NIST 800-53r5
    • PCI DSS v3.2.1

    Mapping to NIST CSF v1.1 is completed and is soon to be published.
    Mapping to PCI DSS V4 is in progress.

    What are other frameworks the CCM WG should prioritize to map CCM V4 with, and more importantly, why?



    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------


  • 2.  RE: To what other standard/framework CCM V4 should be mapped to?

    Posted May 23, 2023 03:58:00 AM

    Hello, I would say NIST CSF v2. An early release is already here to start to allow to plan: https://www.nist.gov/system/files/documents/2023/04/24/NIST%20Cybersecurity%20Framework%202.0%20Core%20Discussion%20Draft%204-2023%20final.pdf



    ------------------------------
    Louise Forrest
    Philip Morris International
    ------------------------------



  • 3.  RE: To what other standard/framework CCM V4 should be mapped to?

    Posted May 24, 2023 06:20:00 AM
    Edited by Lefteris Skoutaris May 29, 2023 07:22:41 AM

    Thank you Louise.
    CSA has provided useful input to the NIST CSF team with regards to possible improvements for CSF v2.0 and the making of a cloud Profile for CSFv1.1 based on the mapping that was jointly conducted by the two teams.
    We are certainly interested in mapping CCM V4 to CSF v2.0 when a final version is published.
    Best regards,
    Lefteris



    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------



  • 4.  RE: To what other standard/framework CCM V4 should be mapped to?

    Posted May 24, 2023 07:46:00 AM

    Thanks for the phenomenal question Eleftherios. I am not sure what other framework because it seems so reliant on the dynamic of the matrix with the several ones it is already mapped to. I suppose some critical observation of the current frameworks under the circumstance of organizations' desire to map missing requirements can be reason to analyze both the existing frameworks, and perhaps one to come, with regard to choosing additional frameworks. I suppose if the organizations knew what the missing requirements were, a better scope development could be produced. The question is phenomenal; rather, the broad scope of organizations makes the probability of developing another scope to see another framework work. I will study more about this today.

    With Warm Regards,
    Victor Williams
    (850) 274-7472



    ------------------------------
    Victor Williams
    Certificate Holder
    NIST
    ------------------------------



  • 5.  RE: To what other standard/framework CCM V4 should be mapped to?

    This message was posted by a user wishing to remain anonymous
    Posted Jun 08, 2023 11:14:00 AM
    Edited by Stu Reckase Jun 09, 2023 04:18:49 PM
    This post was removed


  • 6.  RE: To what other standard/framework CCM V4 should be mapped to?

    Posted May 25, 2023 01:16:00 AM

    We're about to adopt NIS CAF, which maps nicely to the NIST Framework. I'm told many health services are adopting this approach.



    ------------------------------
    Paul Wright
    Genomics England Ltd
    ------------------------------



  • 7.  RE: To what other standard/framework CCM V4 should be mapped to?

    Posted Jun 04, 2023 02:55:00 AM

    Hello,

    I think we need to include frameworks or standards that bear in mind countries' or continents' data sovereignty concerns limiting the use of public cloud, which will give a sense of security, and also ensure that even those who are building their very own cloud are benefiting from CCM.

    Regards,



    ------------------------------
    Hadir Labib
    ------------------------------



  • 8.  RE: To what other standard/framework CCM V4 should be mapped to?

    Posted Jun 04, 2023 09:23:00 AM
    I agree
    Victor Williams





  • 9.  RE: To what other standard/framework CCM V4 should be mapped to?

    Posted Jun 08, 2023 11:10:00 AM
    Edited by Francis Ohu Jun 09, 2023 04:14:19 PM

    - It may be wise to consider mapping the CCM controls to the IEC 62443 requirements to assess the security controls implemented by cloud service providers in the context of industrial control systems, and to the HITRUST CSF controls to evaluate the security controls implemented by cloud service providers handling healthcare data. And since CCM V4 also identifies the applicable cloud architecture and organizational stack, mapping to the SABSA security architecture framework could be considered as well.



    ------------------------------
    Francis Ohu
    Lead Cybersecurity Analyst
    Spacebott
    ------------------------------



  • 10.  RE: To what other standard/framework CCM V4 should be mapped to?

    Posted Jun 08, 2023 11:13:00 AM

    Hi Eleftherios,

    I am in the media and entertainment industry. Do you think it would be a good idea to map it to the Motion Picture Association MPA v5.1?

    Thanks

    Aaron



    ------------------------------
    Aaron Mathews
    Sr Manager, Cybersecurity
    OnPrem
    ------------------------------



  • 11.  RE: To what other standard/framework CCM V4 should be mapped to?

    Posted Jun 08, 2023 11:13:00 AM

    Maybe it is worth including a HIPAA mapping as well? It could make the life of some folks easier.



    ------------------------------
    Kevin Kloft
    Security Solutions Architect
    carmasec
    ------------------------------



  • 12.  RE: To what other standard/framework CCM V4 should be mapped to?

    Posted Jun 08, 2023 11:15:00 AM

    It could be a benefit to see a mapping to 800-171/CMMC v2. While the lift for FedRAMP is high, any business that contracts with Fed.gov will need at least a CMMC self-certification.



    ------------------------------
    Derek Price
    Information Security Analyst
    DataBank IMX
    ------------------------------



  • 13.  RE: To what other standard/framework CCM V4 should be mapped to?

    Posted Jun 14, 2023 05:59:00 AM

    Thank you all for the valuable inputs.

    All suggestions made are taken into account by the CCM WG and co-chairs, and in fact most of the frameworks mentioned are already in our queue list for development (however, not all are planned for 2023).

    Future announcements on the next CCM V4 mapping projects will take place at the CCM WG channel.

    Please stay tuned.



    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------