From the federal government to the commercial sector, all highly regulated organizations are susceptible to audit fatigue; and providing the evidence that shows your organization meets multiple federal, industry, or organizational information security standards can be one of the major factors that lead there.
The solution of utilizing control mapping was addressed in our recent audit fatigue webinar by my colleague, Steve Horvath: “We believe we’ve seen a tremendous amount of success from customers that take a base regulatory standard (like the NIST 800-37) and they leverage the control set, 800-53 (for instance rev.4), and map it against these other standards. That gives them the ability to test once, comply with many.”
So where does one start when it comes to mapping controls across various regulations? Steve suggests starting with a comprehensive and robust base regulation like NIST 800-53, which has the ability to scale according to your organization’s security needs and risk profile. Once the baseline set of controls have been determined and tailored, you can begin to map them (based on their intent) to the additional standards required for your organization.
For instance, take the AC-2 control from NIST 800-53, which governs account management in an information system. Account management is a fairly common subject area addressed in most information security controls. It can be mapped to other account management controls with the same requirements from ISO, PCI-DSS, and HIPAA. The results of the 800-53A test procedures used to validate the AC-2 control could then be applied to the mapped requirements your organization must also meet.
The process of creating the initial mapping may require some up-front work, but it will save significant time and effort in the long run – especially when audit time rolls around. To assist with the mapping process, you can use various resources available online. Many of the regulatory authorities’ websites will have mapping data available. Several of these organizations proactively map their controls to the NIST Cybersecurity Framework (CSF) and NIST SP 800-53.
Solutions like Xacta can help to fully streamline and automate this process for most common standards (click here for a list of compliance standards we currently support), additional standards can be added if required. Even organizational-specific content can be mapped to other controls within the application.
Our content teams at Telos have already gone through the effort of mapping and linking regulatory content and test procedures that can be used in assessment and authorization (A&A) efforts, allowing you to generate a test plan that can be executed once in order to show compliance to multiple standards.
In addition to Xacta’s powerful mapping capability, Xacta also allows you to implement control periodicity in the continuous monitoring phase of your ITRM program. Control periodicity allows you to automatically re-validate your controls at predefined time intervals. This feature can be used to address the long-term impact of audit fatigue.
If your organization is struggling with audit fatigue, I encourage you to watch the on-demand webinar, “Combatting Audit Fatigue in IT Risk Management,” where the concept of control mapping and other solutions are addressed by Steve Horvath, Vice President of Strategy and Cloud, and A.J. Turcot, Enterprise Account Executive at Telos Corporation.