Continuous Assurance Metrics

  • 1.  Continuous Metrics - Do We Have Good Domain Definitions

    Posted Oct 30, 2020 08:29:00 AM
    As we build out the specific Metrics for each line item in a domain, is there a good, definitive description of the domain intent?

    In some cases, such as the IPY domain, we have discovered that there are multiple ways to interpret the intent of a domain and its requirements, and those interpretations can dramatically change the specific metrics that are being proposed to measure them.

    Thoughts?  Thanks!

    ------------------------------
    JLC
    ------------------------------


  • 2.  RE: Continuous Metrics - Do We Have Good Domain Definitions

    Posted Oct 30, 2020 08:35:00 AM
    Agree.  It's sometimes difficult to get a handle on what the domain's overall intent is by trying to figure it out from its constituent controls.

    ------------------------------
    Chris Burton
    Senior Compliance Analyst
    Kenna Security
    ------------------------------
  • 3.  RE: Continuous Metrics - Do We Have Good Domain Definitions

    Posted Oct 30, 2020 09:22:00 AM
    Hi,

    Actually, that is a discussion that occurred a few days ago. For some idea, you can look at the Security Guidance for Version 4 which gives in some areas a hint of coverage. https://cloudsecurityalliance.org/artifacts/security-guidance-v4/

    Unfortunately, given the order of development, there is not yet a 1 to 1, 2 to 1 or 1 to 2, etc. mapping between the guidance and CCM domains.

    Domain definitions still need to be written specifically for the CCMv4 Domains and I'm positive it will be done by the time CCMv4 is issued.

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------