Mapping Compliance Controls for the Cloud – FISMA, PCI, NIST and ISO
- by secboxadmin
- in GRC
- posted October 12, 2012
Mapping compliance efforts has been a hot button issue lately, especially in the FedRAMP cloud realm. Becoming FISMA compliant is a huge task. Everyone seems to want to get there, but there are plenty of enterprises that also have to manage multiple compliance efforts such as PCI, HIPAA, and FISMA/FedRAMP (NIST 800-53). This post is the beginning of a road map intended to help you achieve multiple regulatory compliance efforts.
There are a handful of frameworks that we investigated to help with this task. The Unified Compliance Framework (UCF) is a great option. The Cloud Security Alliance also offers their own mapping, but the way in which they provide their information is extremely difficult to use.
With that, the compliance section of our blog is born. We will periodically post important authority documents needed to help you through the various compliance efforts. I am also in the process of creating an Access database containing all of the compliance mappings, which I will be giving away when completed. (No, the UCF controls are not included, since they are commercial.)
To start, the Cloud Audit Controls blog offers some nice Excel templates and documents. They are only partially useful since they are not in the most usable format, but over the next few articles, I will be providing my own versions, formatted for database import.
Both of the above are great initial resources, but even the “database friendly” version didn’t prove to be useful because there are multiple items per row. I had to create my own version. More on that.