Control Mappings for Mandate Based Reporting

Shekhar Rana

Mandate Based Reports allow you to view the compliance posture of an organization in terms of the underlying security baseline against selected mandates.

Qualys has introduced new control mappings, where each control is mapped to granular control objectives. This approach enhances the functionality of Mandate Based Reporting and helps you better understand your organization’s compliance against respective mandates.

In the older approach, each control was mapped to multiple control objectives, which allowed controls to appear in multiple control objectives in the mandate-based reports. The challenges with this approach were that the mandate reports were time-consuming, large, and confusing for organizations to understand their compliance against the respective mandates. In the new approach, each control is mapped to the most appropriate control objective.

Benefits:

  • Qualys controls appear in the most appropriate control objective.
  • Provides a better understanding of the compliance posture against the specified mandate.
  • Ensures comparatively smaller and simple mandate-based reports.

What are the changes that I will notice in my mandate-based reports?

  • Granular mappings listed for controls when you drill down into report details.
  • Fewer controls listed in reports as we’ve taken an approach to show the most accurate mappings.
  • Changes to control objectives. This may be especially noticeable when your report is grouped by control objectives for a harmonized report with multiple mandates included.

What will the mandate-based reports look like?

Below is an example that exhibits the difference between the older and the newer mandate reports.

Policy Compliance

Old Report: – In the old report, Control IDs: 2182 appears in multiple framework controls, i.e. AC-1, AC-6(10) and IA-2.

New Report: – In the new report, Control IDs: 2182 appears in only single framework controls, i.e. IAC-21.5.

CloudView

Old Report: – In the old report, Control ID: 44 appears in multiple framework controls, i.e. SC-7(5), CM-7.

New Report:- In the new report, Control IDs: 44 appears in only single framework controls, i.e. NET-04.1.

Does this mean Qualys controls will be listed only once in the reports?

No, this does not necessarily mean that Qualys control will be included only once in the reports. There is a possibility of scenarios, wherein control may appear multiple times based on the cross-mappings done against control objective standard.

For example, Control IDs 10027 and 10028 are appearing in multiple sections: 6.2 Activate audit logging, 6.5 Central Log Management, 6.8 Regularly Tune SIEM.

It is because the CIS control sections 6.2, 6.5 and 6.8 are cross-mapped to the Control Objective MON – 01.8 Reviews & Updates, because of which controls are listed multiple times.

Extending mandate coverage

Qualys Policy Compliance is extending mandate coverage by introducing new mandates and upgrading versions of the existing ones.

Introduction on New Mandates

Sr. No.Mandate NameVersion
1NIST 800-53 (Special Publication)Rev 5
2Essential Cybersecurity ControlsECC – 1 : 2018
3European Union Agency for Network and Information Securityv2.0
4Control Objectives for Information and Related Technologies (COBIT)2019
5CERT® Resilience Management Modelv1.2
6Risk Management in Technology (RMiT)19 June 2020
7Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008-7012252.204-7008
8Federal Acquisition Regulation (FAR)52.204-21
9Technology Risk Management (TRM) GuidelinesJanuary 2021
10US Food & Drug Administration (FDA)21 CFR Part 11
11Cybersecurity Maturity Model Certification (CMMC)v1.02 (18 March 2020)

Mandates with version upgrades

Sr. No.Mandate NameCurrent VersionNew Version
1NIST Special Publication 800-171Ver 1.0Rev. 2
2The Australian Signals Directorate – The Essential 8 Strategies (ASD 8)February 2017June 2020
3Criminal Justice Information Services (CJIS) Security PolicyVer. 5.8Ver. 5.9
4Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1Ver 3.2Ver. 3.2.1
5SWIFT Customer Security Controls Framework – Customer Security Programme v2019Ver. 1.0Ver. 2019
6Federal Risk and Authorization Management Program (FedRAMP H) – High-Security BaselineVer. 1.0Rev. 4
7Federal Risk and Authorization Management Program (FedRAMP M) – Moderate Security BaselineVer. 1.0Rev. 4

Conclusion

Granular control mapping to appropriate control objectives enhances the functionality of mandate-based reports and allows organizations to better understand their compliance against respective mandates.

Resources

Contributors

  • Aparna Hinge, Senior Manager, Compliance Research Analysis, Qualys
  • Anu Kapil, Technical Product Manager, Compliance Solutions, Qualys
  • Yash Jhunjhunwala, Security Analyst, Cloud Security Compliance, Qualys
  • Jayesh Rajan, Manager, Compliance Analysis, Qualys
Share your Comments

Comments

Your email address will not be published. Required fields are marked *