CCI (Control Correlation Identifiers) – A better baseline framework
CCI tackles the complexity of NIST SP 800-53 by breaking its controls down into smaller, more manageable components. There are over 3,000 CCI controls, but that does not mean there is much more work to perform. It only means that every control specifies a single requirement, which makes risk management and compliance work more straightforward to carry out.
NIST SP 800-53 is still the most comprehensive cybersecurity framework, but it has its shortcomings. The controls tend to be overly broad and are therefore hard to assess for compliance. Some compliance tools ask users to enter several 0-100 percentage values for every control (policy, procedure, documentation, implementation, manual action, and automation completeness). This is subjective and does not tell anyone what the gaps are, so further documentation fields are needed to record what work remains. A better solution is to simplify the tests by splitting these distinct concepts into separate controls.
Below is the NIST SP 800-53 to CCI mapping for the first Access Control requirement. Looking at the NIST requirement, it states that “the organization develops, documents, and disseminates… an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance”. And that is only the first of four bullet points. Measuring compliance for this control is much more than a simple Yes/No. This is where CCI helps. DISA (the Defense Information Systems Agency) has broken this single NIST control into 8 CCI controls. That granularity allows for more precise compliance checks, each of which can be answered with a simple Yes/No.
CCI Controls
AC-1.1: The organization defines the personnel or roles who are to be recipients of the access control policy necessary to facilitate the implementation of the access control policy and associated access controls.
AC-1.2: The organization defines the personnel or roles who are to be recipients of the procedures necessary to facilitate the implementation of the access control policy and associated access controls.
AC-1.3: The organization develops and documents an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
AC-1.4: The organization disseminates the access control policy to organization-defined personnel or roles.
AC-1.5: The organization develops and documents procedures to facilitate the implementation of the access control policy and associated access controls.
AC-1.6: The organization disseminates the procedures to facilitate the access control policy and associated access controls to the organization-defined personnel or roles.
AC-1.7: The organization reviews and updates the access control policy in accordance with the organization-defined frequency.
AC-1.8: The organization defines a frequency for reviewing and updating the access control policy.
NIST SP 800-53 Rev 4 Control
AC-1: ACCESS CONTROL | ACCESS CONTROL POLICY AND PROCEDURES
Control: The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
  1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
  1. Access control policy [Assignment: organization-defined frequency]; and
  2. Access control procedures [Assignment: organization-defined frequency].
NIST SP 800-53 to CCI Cybersecurity Mapping for AC-1: Access Control
The DISA / DoD Cyber Exchange does a good job of describing how CCIs provide both high-level and low-level detail:
“The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA (Information Assurance) control or IA best practice. CCI bridges the gap between high-level policy expressions and low-level technical implementations. CCI allows a security requirement that is expressed in a high-level policy framework to be decomposed and explicitly associated with the low-level security setting(s) that must be assessed to determine compliance with the objectives of that specific security control. This ability to trace security requirements from their origin (e.g. regulations, IA frameworks) to their low-level implementation allows organizations to readily demonstrate compliance with multiple IA compliance frameworks. CCI also provides a means to roll up and compare related compliance assessment results across disparate technologies.”
CCI resolves the problems of competing frameworks and compliance management tools:
- Based on, and readily mapped to, the widely accepted NIST SP 800-53 Rev 4
- Free to use, modify, and distribute
- No vendor lock-in with compliance tooling
- Traceable to nearly all other cybersecurity frameworks
- Performance-based framework, allowing the organization to determine its own best method of compliance
- Prescriptive guidance from the DoD for organizations looking for help with implementation
- Contains both high-level policy best practices and low-level information system security settings
- A complete control catalog with over 3,000 unique controls
- Each control is prioritized and categorized, enabling organizations to pick the controls appropriate for them
- Grows with the business: you can focus on critical controls to start and add more categories over time
- Each control is distinct, representing one granular requirement
- Each control is qualitative, describing an action that can be taken on an information system or information that can be obtained by reviewing an organizational policy
- Each control is determinate and measurable
- Automated compliance checking for information system controls with Tenable Security Scanner and other third-party tools
- CCI compliance is required for DoD contracts, including FISMA and DFARS
The Product Security and Privacy Framework Compliance Tools use CCI for compliance checks against NIST SP 800-53. Rather than abstract 0-100% style surveys for every control, users give Yes/No/Partial answers, which simplifies compliance and risk management.
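The Yes/No/Partial approach only pays off if the per-CCI answers roll up into a control-level status that also names the open gaps. The following is an added example (not code from the page, DISA, or any compliance tool) that does this for the eight AC-1 CCIs listed above; the short labels, the roll-up rule, and the sample answers are this example's own assumptions.

```python
# Added example (not DISA's or any tool's code): roll up Yes/No/Partial answers
# for the eight CCIs DISA maps to NIST SP 800-53 AC-1 into one control status.
# Labels paraphrase the CCIs listed above; the roll-up rule is an assumption.
AC1_CCIS = {
    "AC-1.1": "policy recipients defined",
    "AC-1.2": "procedure recipients defined",
    "AC-1.3": "access control policy developed and documented",
    "AC-1.4": "access control policy disseminated",
    "AC-1.5": "procedures developed and documented",
    "AC-1.6": "procedures disseminated",
    "AC-1.7": "policy reviewed and updated at the defined frequency",
    "AC-1.8": "review frequency defined",
}
VALID_ANSWERS = {"Yes", "No", "Partial"}


def rollup(control, cci_map, answers):
    """Return the control-level status and the list of open gaps.

    Rule: all Yes -> Compliant; any No or unanswered CCI -> Non-Compliant;
    otherwise Partial. Unanswered CCIs are listed as gaps, never hidden.
    """
    gaps = []
    for cci, label in cci_map.items():
        answer = answers.get(cci)
        if answer is not None and answer not in VALID_ANSWERS:
            raise ValueError(f"{cci}: invalid answer {answer!r}")
        if answer != "Yes":
            gaps.append((cci, answer or "Unanswered", label))
    if not gaps:
        status = "Compliant"
    elif any(ans in ("No", "Unanswered") for _, ans, _ in gaps):
        status = "Non-Compliant"
    else:
        status = "Partial"
    return {"control": control, "status": status, "gaps": gaps,
            "answered": sum(1 for cci in cci_map if cci in answers),
            "total": len(cci_map)}


# Constructed sample: policy done, procedures half done, no review performed,
# and no answer recorded at all for the review frequency (AC-1.8).
SAMPLE_ANSWERS = {
    "AC-1.1": "Yes", "AC-1.2": "Yes", "AC-1.3": "Yes", "AC-1.4": "Yes",
    "AC-1.5": "Partial", "AC-1.6": "Partial", "AC-1.7": "No",
}

if __name__ == "__main__":
    rep = rollup("AC-1", AC1_CCIS, SAMPLE_ANSWERS)
    print(rep["status"], f"({rep['answered']}/{rep['total']} answered)", rep["gaps"])
```

The gap list is the point: every non-Yes CCI is named explicitly, which a single 0-100% figure for AC-1 cannot express.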
At 3,000+ controls, CCIs are still not complete. Legal and regulatory obligations may call for specific controls that will not be found in a standard framework. Keep reading to understand how cybersecurity frameworks can help your business reduce risk and ensure compliance.