2021 ITU Kaleidoscope Academic Conference
Figures 1, 2 and 3 illustrate the spreadsheet anchor-framework limitation to mappings, using the Cyber Risk Institute (CRI) framework, the Financial Services Sector Coordinating Council (FSSCC) framework and NIST 800-53 r4 in spreadsheets, with the maps located in the extreme right columns of the spreadsheet.

Figure 1 – CRI framework and mapping

Figure 2 – FSSCC framework and mapping

Figure 3 – NIST 800-53 framework and mapping

It is impossible, with the inherent limitation of spreadsheets, to choose an objective from a non-anchor mapped framework (on the right of Figures 1-3) and see how it relates to the other frameworks in the spreadsheet. This is because of the one-to-many data architecture limitation of spreadsheets.

If the same frameworks and mappings were stored in a relational database, a many-to-many data architecture, any framework could easily serve as the "anchor" framework, and all the mapping relationships of any objective of any framework could easily be visualized and analyzed. Therefore, spreadsheets are not the tool of choice to support the critical work of mapping between control frameworks.

Inter-framework mapping: Finding and documenting the relationships between objectives in frameworks (mapping) is important because a given organization may be governed by and accountable to multiple frameworks in its authorities, concurrently. If an expert who thinks in terms of Framework A needs to talk to another expert who thinks in terms of Framework B, A-to-B mappings are essential. From a data architecture perspective, the relationships between today's frameworks are complex. Many-to-many relationships are the naturally dominant species, as opposed to simpler one-to-one or one-to-many relationships. Spreadsheet tools are popular and simple to use, but they are not effective in modeling many-to-many relationships, i.e. mappings.

Decomposition: The process of objective decomposition is complex and critical to the notions of scope and gaps. What exactly must I do, given the uniqueness of my environment? That will not be found in the objective description. Today, frameworks provide a single-parent decomposition of objectives into more refined sub-objectives, down 2 or 3 levels. All frameworks naturally contain coverage gaps unique to the "blind spots" or scope constraints of their authors. Today, performing decomposition in spreadsheets is challenging. For example, the objective data confidentiality naturally yields many security control requirements ("Requirements"), e.g., Data-in-Transit, Data-at-Rest and Data-in-Use security, and each of those yields many security control specifications ("Specifications"), e.g., structured and unstructured Data-at-Rest security. Ultimately the decomposition process will yield a very large number of relationships between actual implemented assets and actual delivered security mechanisms. It is currently not possible to perform this process with ease and precision.

The challenge of identifying and closing objective scope gaps increases dramatically when two objectives from two frameworks are compared. In contrasting two objectives, the control overlaps and control gaps are not obvious. The process of decomposition towards increasing "singular uniqueness" is a process towards identifying unique and unambiguous threat-target-security relationships.

In Silos: a general principle in organizational security is groupings by Threat/Red Team/Incident Response/Detective controls; Security/Blue Team/Preventive controls; Policy/Program
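As an added example (not the paper's own code or data), the following Python script builds the relational, many-to-many model that the preceding paragraphs argue for: a single-parent decomposition tree (objective, requirement, specification), an undirected mapping table with no designated anchor, and queries that take any framework as the anchor, walk a decomposition, and list coverage gaps between two frameworks. The framework names come from the paper; every objective identifier, title and mapping is a constructed placeholder, not real CRI, FSSCC or NIST 800-53 content.

```python
import sqlite3

# Added example, not from the paper. All objective ids, titles and mappings are
# constructed placeholders; only the framework names appear in the text.

SCHEMA = """
CREATE TABLE framework (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE objective (
    id           TEXT PRIMARY KEY,
    framework_id TEXT NOT NULL REFERENCES framework(id),
    parent_id    TEXT REFERENCES objective(id),  -- single-parent decomposition tree
    level        TEXT NOT NULL,                  -- objective / requirement / specification
    title        TEXT NOT NULL
);
-- One row per relationship between two objectives of any frameworks. Rows are
-- stored with from_id < to_id so each undirected link exists exactly once.
CREATE TABLE mapping (
    from_id TEXT NOT NULL REFERENCES objective(id),
    to_id   TEXT NOT NULL REFERENCES objective(id),
    PRIMARY KEY (from_id, to_id),
    CHECK (from_id < to_id)
);
"""

FRAMEWORKS = [("CRI", "Cyber Risk Institute Profile"),
              ("FSSCC", "FSSCC Cybersecurity Profile"),
              ("NIST", "NIST SP 800-53 r4")]

# (id, framework, parent, level, title): the data-confidentiality decomposition
# described in the text, with constructed ids.
OBJECTIVES = [
    ("CRI-1",     "CRI",   None,      "objective",     "Data confidentiality"),
    ("CRI-1.1",   "CRI",   "CRI-1",   "requirement",   "Data-in-Transit security"),
    ("CRI-1.2",   "CRI",   "CRI-1",   "requirement",   "Data-at-Rest security"),
    ("CRI-1.2.1", "CRI",   "CRI-1.2", "specification", "Structured Data-at-Rest security"),
    ("CRI-1.2.2", "CRI",   "CRI-1.2", "specification", "Unstructured Data-at-Rest security"),
    ("CRI-1.3",   "CRI",   "CRI-1",   "requirement",   "Data-in-Use security"),
    ("FSSCC-7",   "FSSCC", None,      "objective",     "Protect stored data"),
    ("NIST-A",    "NIST",  None,      "objective",     "Transmission confidentiality"),
    ("NIST-B",    "NIST",  None,      "objective",     "Protection of information at rest"),
]

# Constructed links, deliberately written in mixed directions.
MAPPINGS = [("NIST-A", "CRI-1.1"), ("CRI-1.2", "FSSCC-7"),
            ("NIST-B", "FSSCC-7"), ("NIST-B", "CRI-1.2")]


def add_mapping(conn, a, b):
    """Store an undirected mapping once, whichever side the analyst started from."""
    conn.execute("INSERT OR IGNORE INTO mapping VALUES (?, ?)", tuple(sorted((a, b))))


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO framework VALUES (?, ?)", FRAMEWORKS)
    conn.executemany("INSERT INTO objective VALUES (?, ?, ?, ?, ?)", OBJECTIVES)
    for a, b in MAPPINGS:
        add_mapping(conn, a, b)
    return conn


def related(conn, objective_id):
    """Objectives in any framework mapped to objective_id, from either side.
    This is the lookup a spreadsheet with a single anchor column cannot answer."""
    return conn.execute("""
        SELECT o.framework_id AS fw, o.id AS oid
          FROM mapping m JOIN objective o ON o.id = m.to_id WHERE m.from_id = ?
        UNION
        SELECT o.framework_id AS fw, o.id AS oid
          FROM mapping m JOIN objective o ON o.id = m.from_id WHERE m.to_id = ?
        ORDER BY fw, oid""", (objective_id, objective_id)).fetchall()


def decompose(conn, objective_id):
    """Walk the single-parent tree: objective -> requirements -> specifications."""
    return conn.execute("""
        WITH RECURSIVE tree(id, depth, path) AS (
            SELECT id, 0, id FROM objective WHERE id = ?
            UNION ALL
            SELECT o.id, t.depth + 1, t.path || '/' || o.id
              FROM objective o JOIN tree t ON o.parent_id = t.id
        )
        SELECT t.depth, o.id, o.level, o.title
          FROM tree t JOIN objective o ON o.id = t.id ORDER BY t.path""",
        (objective_id,)).fetchall()


def coverage_gaps(conn, framework_id, other_id, level="requirement"):
    """Objectives of one framework at a given level with no mapping, in either
    direction, to any objective of the other framework. Coverage is not inherited
    from parents or children; that is a modelling choice of this example."""
    return [row[0] for row in conn.execute("""
        SELECT o.id FROM objective o
         WHERE o.framework_id = ? AND o.level = ?
           AND NOT EXISTS (
               SELECT 1 FROM mapping m JOIN objective p
                 ON p.id = CASE WHEN m.from_id = o.id THEN m.to_id ELSE m.from_id END
                WHERE (m.from_id = o.id OR m.to_id = o.id) AND p.framework_id = ?)
         ORDER BY o.id""", (framework_id, level, other_id))]


if __name__ == "__main__":
    db = build_db()
    print(related(db, "FSSCC-7"))            # FSSCC chosen as the anchor
    print(related(db, "NIST-B"))             # NIST chosen as the anchor, same data
    for depth, oid, lvl, title in decompose(db, "CRI-1"):
        print("  " * depth + f"{oid} [{lvl}] {title}")
    print(coverage_gaps(db, "CRI", "NIST"))  # requirements with no NIST counterpart
```

Because each link is stored once with the smaller id first, the same table serves whichever framework the analyst treats as the anchor, and a new framework is added by inserting rows, not by appending columns to every existing sheet. The gap query intentionally checks one level at a time, which is where the "what exactly must I do" question from the text lives; a production model would also decide whether a mapped parent counts as covering its children.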