Reporting on Implementation of IT Security Controls and Frameworks

We discussed the importance of frameworks. Many IT organizations have adopted the use of different frameworks. An IT shop may deploy controls based on ISO versus NIST versus COBIT. Even within NIST, is it NIST CSF or NIST 800-53? How do we convey our findings in the context of a framework? Fortunately, there is no shortage of framework mapping. For example, NIST.gov (n.d.) has a framework mapping in the format of an Excel spreadsheet.

These mappings, especially in the format of Excel, can be easily modified as assessment checklists. Let’s look at a portion of the NIST Cybersecurity Framework (CSF) spreadsheet previously mentioned as illustrated in Table 7-5.

This spreadsheet can help an auditor in multiple ways. When gaps are identified, the findings can be put into a context the IT teams can understand. For example, an audit test for completeness and accuracy of an IT inventory can be reported as either a NIST CSF ID.AM-1 failure or a NIST SP 800-53 CM-8 failure.

The audit report would not get into this level of detail in the executive summary. Reporting at this level within the audit findings section, however, may be important to the subject matter expert (SME) within the IT teams.

Another benefit of these types of framework mappings is to ensure an auditor's testing is complete and comprehensive. Additionally, columns can be easily added to ensure that all the relevant controls within the audit's scope are covered. For example, an audit scoped to cover access management could forget to include the related inventories required by NIST CSF ID.AM-1. Having such checklists as a method of communicating and verifying scope coverage can be a valuable tool.
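The two uses described above, reporting one gap under both framework IDs and checking that every in-scope subcategory was actually tested, as an added example that is not part of the original text. The only mapping row taken from the page is ID.AM-1 to CM-8; the other rows, the CSV layout and the sample audit scope are constructed for illustration, not copied from the official NIST mapping spreadsheet.

```python
"""Framework-mapping checklist: express findings as both NIST CSF and
SP 800-53 identifiers, and flag in-scope subcategories no test covered."""
import csv
import io
from collections import defaultdict

# Constructed CSV in the shape of a framework-mapping spreadsheet export.
# Only ID.AM-1 -> CM-8 comes from the text; the rest are illustrative rows.
MAPPING_CSV = """function,category,subcategory,sp800_53
Identify,Asset Management,ID.AM-1,CM-8
Identify,Asset Management,ID.AM-2,CM-8
Protect,Access Control,PR.AC-1,AC-2
Protect,Access Control,PR.AC-4,AC-6
"""


def load_mapping(text):
    """Return {csf_subcategory: set(sp800_53 controls)} from CSV text."""
    mapping = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        mapping[row["subcategory"].strip()].add(row["sp800_53"].strip())
    return dict(mapping)


def report_finding(mapping, subcategory, description):
    """One gap reported in both vocabularies so each IT team recognises it."""
    controls = sorted(mapping.get(subcategory, ()))
    return {"csf": subcategory, "sp800_53": controls, "finding": description}


def scope_coverage(mapping, in_scope, tested):
    """In-scope subcategories with no test result, with their 800-53 controls."""
    return {s: sorted(mapping.get(s, ())) for s in sorted(in_scope) if s not in tested}


if __name__ == "__main__":
    m = load_mapping(MAPPING_CSV)
    # Constructed access-management audit: ID.AM-1 is in scope but was never tested.
    scope = {"ID.AM-1", "PR.AC-1", "PR.AC-4"}
    results = {"PR.AC-1": "fail", "PR.AC-4": "pass"}
    for sub, outcome in results.items():
        if outcome == "fail":
            print(report_finding(m, sub, "constructed finding: orphaned accounts"))
    print("untested in-scope subcategories:", scope_coverage(m, scope, results))
```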

In many industries, the NIST CSF is commonly used. The framework is logically structured and designed to help communicate risk across the enterprise. The fact that the NIST CSF is a dominant standard adds significant weight to communication with leadership. The NIST CSF functions are organized into unique categories and subcategories that outline the IT security requirements that must be adhered to. Consequently, regulators expect evidence of compliance in the organization's use and handling of data.
