Confidential
HARMONY: INTELLIGENT
FRAMEWORK MAPPING
Helping organizations manage
multiple cybersecurity frameworks
as one mapped program
March 31, 2019
Apptega Inc. • 75 5th Street • Suite 2180 • Atlanta, GA 30308 888-221-3911 • [email protected]
Version   Date Last Updated   Featured Changes
1.0       3/31/2019           Initial version of framework mapping
Contents
Harmony Overview (p. 3)
Mapping Methodology (p. 3)
Which Security Frameworks Are Included? (p. 4)
What is Not Included? (p. 4)
How to Create a Mapped Program (p. 4)
What Happens to my Existing Data When I Create a Mapped Program? (p. 6)
  Dominant Sub-Controls (p. 6)
  Data Replication (p. 7)
Navigating the User Interface (p. 9)
How to Generate a Report (p. 11)
How to Uncouple a Mapped Program (p. 13)
How to Add a Framework to a Mapped Program (p. 14)
Glossary (p. 15)
Disclaimer (p. 15)
Harmony Overview
Organizations often use multiple frameworks to guide their cybersecurity strategy. At Apptega we understand managing several frameworks simultaneously can be very duplicative and inefficient. Released in the Spring of 2019, Harmony enables our customers to manage multiple frameworks as one mapped program. Harmony provides an easy and efficient way for organizations to comprehensively manage security and compliance by consolidating thousands of sub-controls from Apptega's entire library of frameworks into a unified set of common controls and sub-controls - translating to over 50% efficiencies in time, effort, and resources.
Mapping Methodology
The Apptega team carefully analyzed the controls and sub-controls across all supported
frameworks and paired them as common controls and sub-controls using industry guidance,
best practices, and certified security and compliance experts. The resulting database is a
consolidation of thousands of control and sub-control requirements into 18 common controls,
known as program apps. As new frameworks are added to the Apptega platform, they will be
mapped against the Harmony database and added to the core product, so that users can map
existing programs against new regulatory requirements and changes in the security
environment. Below are the 18 program apps, with the number of common sub-controls in
parentheses. The number of sub-controls will likely change as new frameworks are added to
the platform.
• Application Security (37)
• Asset Management (53)
• Border Security (51)
• Business Continuity (34)
• Configuration & Change Management (50)
• Data Security (55)
• Endpoint Security (31)
• HR Security & Training (35)
• Identity & Access Management (67)
• Incident Response (34)
• Key Management & Cryptography (17)
• Logging & Monitoring (61)
• Physical Security (39)
• Risk Management (44)
• Security Governance (95)
• Vendor Management (37)
• Vulnerability Management (19)
• Wireless & Remote Administration (21)
The numbers above cover all supported frameworks; the actual number of controls and
sub-controls in a mapped program depends on the specific frameworks selected by the user.
For example, a mapped program containing PCI and SOC 2 will have a different number of
controls and sub-controls than a mapped program containing NIST 800-171 and NIST 800-53.
Which Security Frameworks Are Included?
Here are the security frameworks included in the Harmony release, with the number of
associated sub-controls in parentheses:
• NIST CSF 1.1 (98)
• ISO 27001 (114)
• PCI DSS v3.2 (250)
• CIS v7 (171)
• NIST 800-171 (110)
• SANS Top20 (149)
• GDPR (111)
• NIST 800-53 (205)
• SEC (34)
• HIPAA (71)
• NYDFS 500 (46)
• SOC2 (61)
What is Not Included?
In version 1.0 of Intelligent Framework Mapping, users will not be able to map custom
frameworks to existing frameworks, nor will they be able to map a custom App to other Apps.
We will be adding this capability in a future release.
How to Create a Mapped Program
Note: To avoid the possibility of losing any program data or impacting the user’s current environment, it
is highly recommended that users read this document in its entirety or schedule a walkthrough with the
Apptega team before initiating a mapped program. It is also recommended that existing users generate
a board report and full program report in Excel for each framework they wish to include in the mapping
for future reference in the event any data is lost.
1. To create a mapped framework, navigate to the Design page of Apptega by selecting the blue
“Design” tile on your homepage. As an alternative, you can also select the “Design” tab in the
Quick Links menu to the left.
2. On the design page, hover over the green “+” icon next to the framework selector. Upon
hovering, you’ll see a popup that summarizes framework mapping with a link to the supporting
documentation.
3. Select the Frameworks you’d like to map and name the custom framework. You must select
at least two frameworks and name the program in order to save.
Note:
• Custom Frameworks cannot be mapped.
• Custom Program Apps cannot be mapped.
• Custom Program Apps will not be available in a mapped program if added prior to mapping
frameworks together.
Custom Program Apps can, however, be added to a Program after the mapping is complete. To
add a Custom Program App to a Mapped Program, navigate to the “Design” page and select the
Mapped Program from the Framework Drop-down. Next, select the “Add App” tile and input the
required fields. Upon saving your changes the Custom Program App will appear in the mapped
program.
4. The Framework Mapping Engine will read the database and create a mapped program for you.
Note: Please do not refresh the screen during the mapping process. Refreshing the screen during the
mapping process will result in a partially mapped program.
What Happens to my Existing Data When I Create a Mapped Program?
There are two very important concepts to understand before you map multiple frameworks
together: Dominant Sub-Controls and Data Replication. These concepts are summarized below:
Dominant Sub-Controls
If data exists in more than one framework being mapped, the system will determine a
‘dominant sub-control’ (the sub-control with the higher score). During the mapping process the
software will select all data associated with the dominant sub-control and replicate it across
the mapped program and standalone frameworks. To fully understand what a dominant sub-
control is, consider two scenarios:
Scenario 1: Mapping a Populated Framework with an Unpopulated Framework
You are currently managing your security program in the SANS20 framework, which has
documents, assignments, tasks, scores, and other data already populated. You then want to
map that framework with PCI, a framework that you have not touched (no data residing in the
PCI framework). You perform the aforementioned steps, and a mapped program is created. As
part of this process, the SANS20 sub-controls will be mapped to the corresponding PCI sub-
controls and all data associated with the SANS20 framework will be automatically migrated into
the mapped program.
Scenario 2: Mapping a Populated Framework with a Populated Framework
You are currently managing your security program using two standalone frameworks (SANS20
and PCI), both of which have documents, assignments, tasks, scores and other data already
populated. You then want to map the two frameworks together to create a mapped program.
What happens to the data?
When you initiate the mapping process, the software will first pair all common sub-controls
together. Then, it will determine which sub-control has the higher score and assign it as the
‘dominant control’.
For example, SANS sub-control 18.6 and PCI sub-control 6.4.1 both require separation of
production and non-production environments and are therefore paired together as one
‘common sub-control’ called ‘Separation of Production and Nonproduction Environments’. If
the SANS sub-control is scored at 50% and the PCI sub-control is scored at 80%, then the PCI
sub-control becomes the ‘dominant sub-control’. Finally, the software will select all data
associated with the dominant sub-control and replicate that data across the SANS 18.6 sub-
control and the common sub-control in the mapped program – essentially, the PCI sub-control
‘wins’ and that data will persist in the system. The data that was in the SANS sub-control will be
deleted.
Key Takeaway from Dominant Sub-Controls:
If your security program falls into scenario 1 above, then there is no concern to your data – you
are mapping a populated framework to an unpopulated framework. If, however, you are
mapping two populated frameworks together, you must be aware that you will likely lose some
of your data. This is because, if the two sub-controls are similar enough to be paired as a
common sub-control, then they should have the same owner(s), tasks, evidence, artifacts, and
attachments. Now that we’ve highlighted Dominant Sub-Controls, let’s explore Data Replication.
Data Replication
When you create a mapped program, any data that is updated in the mapped program will
automatically be replicated to the ‘paired’ sub-controls. Let’s consider the same example
mentioned in the Dominant Sub-Controls section above. After mapping these two frameworks,
the user will start updating the data in the mapped program for the new common sub-control
called ‘Separation of Production and Non-Production Environments’, as seen in the following
screenshot:
After saving the data here, if the user navigates back to the individual SANS20 sub-control or
PCI sub-control, the data will be replicated there automatically. Similarly, if I update the data in
the individual SANS20 or PCI sub-control, it will be replicated to the common sub-control in the
mapped program.
Key Takeaway from Data Replication:
When you map two frameworks together, the sub-controls are ‘coupled’ and any change to one
will automatically be replicated to all paired sub-controls. This includes scoring, tasks,
assignments, notes, dates, vendors, etc. It is recommended that users consider the impact of
both dominant sub-controls and data replication before mapping frameworks together to avoid
losing data or negatively affecting the current environment.
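The following simulation, added here as an illustration and not Apptega code, models the two rules described in the Dominant Sub-Controls and Data Replication sections: on mapping, the higher-scored populated sub-control wins and its data overwrites its pair (the loser's data is reported as lost); afterwards an edit anywhere is replicated to the common sub-control and every paired sub-control, until the program is uncoupled. The data layout, field names and the sample SANS 18.6 / PCI 6.4.1 values are assumed.

```python
"""Simulation of Harmony's dominant sub-control rule and data replication, as this
document describes them. Added illustration, not Apptega code; the record layout
(score plus a free-form data dict) and the sample values are assumed."""
from copy import deepcopy
from dataclasses import dataclass, field

@dataclass
class SubControl:
    score: int = 0                              # percent score, 0-100
    data: dict = field(default_factory=dict)    # owner, tasks, evidence, notes, ...

def dominant(subs):
    """The highest-scored populated sub-control; None when none holds any data."""
    populated = [s for s in subs if s.data]
    return max(populated, key=lambda s: s.score) if populated else None

def create_mapped_program(frameworks, pairs):
    """Apply the dominant rule to each common sub-control. Returns the mapped program
    and a list of (fw, sub_id, data) that was overwritten, i.e. what to export first."""
    mapped, lost = {}, []
    for common, members in pairs.items():
        subs = [frameworks[fw][sid] for fw, sid in members]
        dom = dominant(subs)
        if dom is None:                         # every side empty: nothing to migrate
            mapped[common] = SubControl()
            continue
        for (fw, sid), sub in zip(members, subs):
            if sub is not dom and sub.data and sub.data != dom.data:
                lost.append((fw, sid, deepcopy(sub.data)))   # the loser's data is deleted
            sub.score, sub.data = dom.score, deepcopy(dom.data)
        mapped[common] = SubControl(dom.score, deepcopy(dom.data))
    return mapped, lost

class Coupling:
    def __init__(self, frameworks, pairs):
        self.frameworks, self.pairs, self.coupled = frameworks, pairs, True
        self.mapped, self.lost = create_mapped_program(frameworks, pairs)

    def update(self, fw, sid, score=None, **data):
        """Edit one sub-control; fw="mapped" addresses a common sub-control by name.
        While coupled the edit lands on the common sub-control and on every pair."""
        common = sid if fw == "mapped" else next(
            (c for c, m in self.pairs.items() if (fw, sid) in m), None)
        if self.coupled and common is not None:
            targets = [self.mapped[common]] + [self.frameworks[f][s] for f, s in self.pairs[common]]
        else:                                   # unpaired, or replication has ended
            targets = [self.frameworks[fw][sid]]
        for t in targets:
            if score is not None:
                t.score = score
            t.data.update(data)

    def uncouple(self):
        """Remove the mapped program: replication stops, standalone data persists."""
        self.coupled, self.mapped = False, {}

COMMON = "Separation of Production and Non-Production Environments"
PAIRS = {COMMON: [("SANS20", "18.6"), ("PCI", "6.4.1")]}

def example_frameworks(pci_populated=True):
    """Constructed sample data for the document's SANS 18.6 (50%) / PCI 6.4.1 (80%) example."""
    pci = SubControl(80, {"owner": "bob", "evidence": ["pci-env-sep.docx"]}) if pci_populated else SubControl()
    return {"SANS20": {"18.6": SubControl(50, {"owner": "alice", "evidence": ["sans-env.pdf"]})},
            "PCI": {"6.4.1": pci}}
```

Running `Coupling(example_frameworks(), PAIRS)` reproduces scenario 2 (PCI wins and the SANS data shows up in `lost`), while `example_frameworks(pci_populated=False)` reproduces scenario 1 with nothing lost.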
Navigating the User Interface
Once the mapping process is complete each Program App will be labeled based on the
associated framework(s) on the “Design” page. Please see an example below of a Mapped
Program between PCI and SANS20.
In the example to the left the Risk Management Program App maps to both the PCI and SANS20
Framework whereas the Security Governance Program App maps to PCI.
After creating a mapped program, users will navigate to the “Implement” page where they will
manage the associated Program Apps and Sub-controls. Like the “Design” page, the Program
Apps in a Mapped Program will be labeled based on the associated framework(s). Please see an
example to the left.
When navigating to each Program App landing page users will notice the following:
• A description for the Program App
• A label for each sub-control detailing the associated frameworks
• Overview, Action items, and a list of related documents provided for each mapped
sub-control
• Users can hover over the blue framework name for each common sub-control to see the
specific language from the sub-controls that have been mapped together. Please see the
example below that shows the PCI sub-controls included in this mapped sub-control for
Incident Response:
How to Generate a Report
After creating a mapped program, users will have the option to report on each individual
framework or collectively on the mapped program.
1. To generate a report, navigate to the “Dashboards & Reports” page of Apptega by selecting the blue “Dashboards & Reports” tile on your homepage. As an alternative, you can also
select the “Dashboards & Reports” tab in the Quick Links menu to the left.
2. Select the mapped program or individual framework you’d like to generate a report for from
the framework drop-down in the upper left of the page.
3. Next, scroll to the bottom of the page where you will see the “Program Reports” section.
Select the green “New Report” button to create a new report.
4. Upon selecting the “New Report” button you will be presented with several report types to
choose from:
• Full program report in Microsoft Excel
• Full program report in Microsoft Word
• Board Report in Microsoft PowerPoint
• Custom Report
Choose the desired report type and select “Create Report”.
Note: When creating a custom report, you must name your report and select the sections you wish to
include in order to create a report.
5. The generated report will then appear under the “Program Reports” section of the
“Dashboard & Reports” page with a “pending” status until it is available for download.
To edit the report, please select the pencil icon.
To delete the report, please select the trash icon.
How to Uncouple a Mapped Program
Apptega provides the ability to remove a mapped program which will uncouple the sub-
controls. This process ends data replication – any updates made in one framework will no
longer replicate to the other frameworks that were a part of the mapped program. However,
the data will persist, or continue to exist in each individual framework that was included in the
initial mapping after the mapped program is removed.
For example, if you use Harmony to map PCI and SANS20 and later decide to uncouple the
mapped program to manage the two frameworks separately, any of the previously populated
data will remain in both the PCI and SANS20 frameworks after the mapped program is
removed. Any updates made to these frameworks after uncoupling will only be reflected in the
standalone framework in which the change was made (i.e. – any update made to PCI will only
be reflected within the PCI framework).
Please find the steps below to uncouple a mapped program:
1. To remove a mapped framework, select the “Manage Frameworks” option in the dropdown
menu.
2. Next, choose the program you wish to uncouple and select the red “uncouple” icon to the
right of the program name.
3. A popup will then appear. Select the checkbox and press the green “Confirm” button to
confirm the deletion. The program will then be removed from the “Manage Frameworks”
section of the application and the framework drop-down menu on the “Design” page.
Note: All data that was uploaded will continue to exist in the associated frameworks.
How to Add a Framework to a Mapped Program
If a mapped program has been created and you’d like to add another framework, you can do so
by creating a new mapped program and removing the old one. All data will automatically be
replicated to the new program.
1. On the design page, select the green “+” icon next to the framework selector.
2. Select the frameworks that are currently in your mapped program and the additional
framework(s) you would like to add. Name the mapped program and select “Save”.
3. Navigate to the “Manage Frameworks” page from the dropdown menu and select the
“uncouple” icon for the old mapped program. In the popup, select “Yes, I understand. Delete
this mapped framework.” and then select “Confirm”. The old mapped program will be removed,
however the frameworks will still be coupled in the new mapped program created in the
previous step.
Glossary
Mapped Program - A mapped program is a collection of two or more frameworks that have been
mapped together using the Intelligent Framework Mapping feature.
Data Replication - When frameworks are mapped together, the sub-controls are ‘coupled’ and
any change to one is automatically replicated to all paired sub-controls in both the mapped
program and the standalone frameworks. This includes scoring, tasks, assignments, notes,
dates, vendors, etc.
Dominant Sub-control - If data exists in more than one framework being mapped, the system
will determine a ‘dominant sub-control’ (the sub-control with the higher score). During the
mapping process the software will select all data associated with the dominant sub-control and
replicate it across the mapped program and standalone frameworks.
Uncouple a Mapped Program - Users can remove a mapped program, which will uncouple the
sub-controls. When a mapped program is removed, updates in one framework will no longer
replicate to other frameworks that were a part of the mapped program.
Data Persistence - If a mapped program is uncoupled, the data will persist, or continue to exist,
in each individual framework that was included in the initial mapping. For example, if you map
SOC2 and PCI together and then decide to uncouple the program, all data will continue to exist
in the standalone frameworks after the mapped program is removed.
Disclaimer
Mappings between supported frameworks are intended to be an informative reference and do not imply or
guarantee compliance with any laws, regulations, or best practices published by other organizations. Users who
have aligned their security program to any Cybersecurity Framework should not assume that by so doing they are
in full compliance. Users should still rely on certified auditors or consultants to validate they are meeting any
regulatory requirements.
Intelligent Framework Mapping is not a one-size-fits-all approach to managing cybersecurity risk. Organizations will
continue to have unique risks and different procedures that govern the security program. Due to data replication
in Mapped Programs, Framework Mapping may not be the best approach for organizations that would like to
manage multiple frameworks separately and in isolation.
Framework Mapping was designed to make the assessment process more efficient and provide a solution to easily
view common sub-controls across multiple frameworks. However, it is imperative that users understand the
concepts of Data Replication and Dominant Sub-controls, as this may impact the environment and lead to loss of
data in the event multiple frameworks are mapped together that each contain different data. Apptega is not
responsible for any loss of data during the mapping process, however we are happy to setup a one-on-one
consultation with customers to provide guidance and support before creating a mapped program.