For organizations operating on cloud platforms such as AWS, GCP, and Azure, dealing with compliance mappings to security controls can be a tedious task. Our service aims to alleviate this burden, allowing your team to focus on core developments while we take care of the compliance mapping.
We cater to security companies employing various products such as:
- CNAPP (Cloud Native Application Protection Platform)
- CSPM (Cloud Security Posture Management)
- CWPP (Cloud Workload Protection Platform)
- DSPM (Data Security and Privacy Management)
- CIEM (Cloud Infrastructure Entitlement Management)
- Attack Path Analysis
- SBOM (Software Bill of Materials)
- CDR (Content Disarm and Reconstruction)
- Shift Left Security (a security approach emphasizing early security integration in the development process)
- Cloud Asset Inventory
By leveraging our service, you can free up your resources and ensure a meticulous compliance mapping process in line with best industry practices.
Table of Contents
- 1. Receive a List of Your Security Rules
- 2. Specify Your Preferred Standard Framework
- 3. Analysis and Quotation
- 4. Our Team Begins Work
- 5. Deliverables
- 6. Invoice Submission
1. Receive a List of Your Security Rules
The first step in our process is the acquisition of your security rules. These rules, checks, or conditions have been created by you for your specific environment. You can deliver them to us in a variety of formats such as a JSON or CSV file. Below is an example of how the rules might be formatted in a CSV file named Rules-V1.csv:
| Rule_Code | Title |
|---|---|
| RULE-1 | Ensure that multi-factor authentication is enabled for your users |
| RULE-2 | Ensure guest users are reviewed on a monthly basis |
| RULE-3 | Ensure that multi-factor authentication is enabled for all users |
| RULE-4 | Ensure that your S3 bucket data is encrypted |
Please ensure that all the rules are clearly stated with unique Rule_Codes and comprehensive titles.
2. Specify Your Preferred Standard Framework
Once we have received your security rules, you will need to indicate the standard framework to which you want your rules mapped. We provide support for a broad array of globally recognized standards and frameworks, including but not limited to:
- ISO 27001:2022
- CIS Foundation Benchmark for Amazon Web Services
- CIS Foundation Benchmark for Microsoft Azure
- CIS Foundation Benchmark for Google Cloud Platform
- Payment Card Industry Data Security Standard
- NIST Special Publication 800-53
- AWS Web Application Firewall
- ENISA Operational Network Security Guidelines
- CIS Controls
- Control Objectives for Information and Related Technologies (COBIT)
- Monetary Authority of Singapore Technology Risk Management Guidelines
- NIST Cybersecurity Framework
- Financial Information Security Control
- Service Organization Control 2
- Health Insurance Portability and Accountability Act (HIPAA) 45 CFR Part 164
- APRA Prudential Standard CPS 234
- General Data Protection Regulation (GDPR)
- HITRUST CSF
- Cloud Security Alliance Consensus Assessments Initiative Questionnaire
- Information Security Manual (ISM)
- Federal Risk and Authorization Management Program (FedRAMP)
- Information Security Management Assessment Process
- Azure Web Application Firewall
Each framework has its own set of unique controls and criteria, and your choice will depend on your business requirements and regulatory landscape.
3. Analysis and Quotation
Once we receive your chosen standard framework and your security rules, we begin the process of analysis. This involves comprehending the depth of your rules and the intricacies of the selected framework. After a thorough analysis, we provide you with a quotation for the mapping job. This quotation takes into account the complexity of the job, the number of rules, and the nuances of the selected standard framework. The job also includes providing support for any changes or updates to your security rules.
4. Our Team Begins Work
Upon agreement on the quotation, our team of experts will start mapping your security rules to the controls specified in the standard framework document. This meticulous process ensures that each of your security rules is appropriately linked to the most relevant control in the chosen framework.
5. Deliverables
The final deliverables of our mapping process include two separate files, tailored to your preferred format. We support a variety of formats including JSON, XML, Excel, and CSV:
a) The standard framework file, which includes the Control_ID, Title, Description, and other specific fields unique to the selected standard framework.
Here is an example:
| cid | title | description |
|---|---|---|
| A.5.1.1 | Policies for information security | A set of policies for information security shall be defined, approved by management, published, and communicated to employees and relevant external parties. |
| A.5.1.2 | Review of the policies for information security | The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. |
| A.6.1.1 | Information security roles and responsibilities | All information security responsibilities shall be defined and allocated. |
| A.6.1.2 | Segregation of duties | Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. |
b) The mapping file, which lists the mapping of the Rule_Code to the Control_ID.
Here is an example:
| control_id | rule_code |
|---|---|
| A.5.1.1 | RULE-1, RULE-2 |
| A.5.1.2 | N/A |
| A.6.1.2 | RULE-3, RULE-4 |
These files serve as comprehensive documentation of the security rule to control mapping.
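Before accepting the two deliverables, a recipient will want to confirm that every Rule_Code and Control_ID the mapping file references actually exists, and to see which rules and controls were left unmapped. The following is an added example written for this page, not the provider's tooling; the three CSV strings are constructed samples in the layouts shown above, and the column names (Rule_Code, Title, cid, control_id, rule_code) are assumed from those examples.

```python
import csv

# Constructed sample files in the layouts shown above (not the provider's real data).
RULES_CSV = """Rule_Code,Title
RULE-1,Ensure that multi-factor authentication is enabled for your users
RULE-2,Ensure guest users are reviewed on a monthly basis
RULE-3,Ensure that multi-factor authentication is enabled for all users
RULE-4,Ensure that your S3 bucket data is encrypted
"""
FRAMEWORK_CSV = """cid,title
A.5.1.1,Policies for information security
A.5.1.2,Review of the policies for information security
A.6.1.1,Information security roles and responsibilities
A.6.1.2,Segregation of duties
"""
MAPPING_CSV = """control_id,rule_code
A.5.1.1,"RULE-1, RULE-2"
A.5.1.2,N/A
A.6.1.2,"RULE-3, RULE-4"
"""

def load_rows(text):
    return list(csv.DictReader(text.splitlines()))

def check_rules(rules):
    # Rule_Codes must be unique and every rule needs a non-empty title.
    codes = [r["Rule_Code"].strip() for r in rules]
    problems = [f"duplicate Rule_Code {c}" for c in sorted(set(codes)) if codes.count(c) > 1]
    problems += [f"empty Title for {r['Rule_Code']}" for r in rules if not r["Title"].strip()]
    return problems

def check_mapping(rules, framework, mapping):
    # Every id referenced in the mapping must exist; report rules and controls left unmapped.
    rule_codes = {r["Rule_Code"].strip() for r in rules}
    control_ids = {f["cid"].strip() for f in framework}
    problems, mapped_rules, mapped_controls = [], set(), set()
    for m in mapping:
        cid = m["control_id"].strip()
        if cid not in control_ids:
            problems.append(f"unknown control_id {cid}")
        codes = [c.strip() for c in m["rule_code"].split(",")]
        if codes == ["N/A"]:
            continue  # the control deliberately has no rule behind it
        mapped_controls.add(cid)
        for c in codes:
            if c not in rule_codes:
                problems.append(f"unknown rule_code {c} under {cid}")
            mapped_rules.add(c)
    return problems, sorted(rule_codes - mapped_rules), sorted(control_ids - mapped_controls)
```

For the sample files the checks return no problems, all four rules are mapped, and A.5.1.2 and A.6.1.1 are reported as controls with no rule behind them.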
6. Invoice Submission
After all the above steps are satisfactorily completed and the deliverables are sent to you, we will submit an invoice for the services rendered. This completes the Security Rules Mapping Process.