
Confidential

HARMONY: INTELLIGENT FRAMEWORK MAPPING

Helping organizations manage multiple cybersecurity frameworks as one mapped program

March 31, 2019

Apptega Inc. • 75 5th Street • Suite 2180 • Atlanta, GA 30308 • 888-221-3911 • [email protected]

Confidential

Version   Date Last Updated   Featured Changes
1.0       3/31/2019           Initial version of framework mapping

Contents

Harmony Overview
Mapping Methodology
Which Security Frameworks Are Included?
What is Not Included?
How to Create a Mapped Program
What Happens to my Existing Data When I Create a Mapped Program?
    Dominant Sub-Controls
    Data Replication
Navigating the User Interface
How to Generate a Report
How to Uncouple a Mapped Program
How to Add a Framework to a Mapped Program
Glossary
Disclaimer


    Harmony Overview

    Organizations often use multiple frameworks to guide their cybersecurity strategy. At Apptega we understand managing several frameworks simultaneously can be very duplicative and inefficient. Released in the Spring of 2019, Harmony enables our customers to manage multiple frameworks as one mapped program. Harmony provides an easy and efficient way for organizations to comprehensively manage security and compliance by consolidating thousands of sub-controls from Apptega's entire library of frameworks into a unified set of common controls and sub-controls - translating to over 50% efficiencies in time, effort, and resources.

Mapping Methodology

The Apptega team analyzed the controls and sub-controls across all supported frameworks and paired them as common controls and sub-controls using industry guidance, best practices, and certified security and compliance experts. The resulting database consolidates thousands of control and sub-control requirements into 18 common controls, known as program apps. As new frameworks are added to the Apptega platform, they will be mapped against the Harmony database and added to the core product so that users can map existing programs against new regulatory requirements and changes in the security environment. Below are the 18 program apps, with the number of common sub-controls in parentheses. The number of sub-controls will likely change as new frameworks are added to the platform.

• Application Security (37)
• Asset Management (53)
• Border Security (51)
• Business Continuity (34)
• Configuration & Change Management (50)
• Data Security (55)
• Endpoint Security (31)
• HR Security & Training (35)
• Identity & Access Management (67)
• Incident Response (34)
• Key Management & Cryptography (17)
• Logging & Monitoring (61)
• Physical Security (39)
• Risk Management (44)
• Security Governance (95)
• Vendor Management (37)
• Vulnerability Management (19)
• Wireless & Remote Administration (21)

The numbers above cover all frameworks; the actual number of controls and sub-controls in a mapped program depends on the specific frameworks selected by the user. For example, a mapped program containing PCI and SOC 2 will have a different number of controls and sub-controls than a mapped program containing NIST 800-171 and NIST 800-53.


Which Security Frameworks Are Included?

The security frameworks included in the Harmony release are listed below, with the number of sub-controls in parentheses:

• NIST CSF 1.1 (98)
• ISO 27001 (114)
• PCI DSS v3.2 (250)
• CIS v7 (171)
• NIST 800-171 (110)
• SANS Top20 (149)
• GDPR (111)
• NIST 800-53 (205)
• SEC (34)
• HIPAA (71)
• NYDFS 500 (46)
• SOC2 (61)

What is Not Included?

In version 1.0 of Intelligent Framework Mapping, users will not be able to map custom frameworks to existing frameworks, nor will they be able to map a custom App to other Apps. We will be adding this capability in a future release.

How to Create a Mapped Program

Note: To avoid the possibility of losing any program data or impacting the user’s current environment, it is highly recommended that users read this document in its entirety or schedule a walkthrough with the Apptega team before initiating a mapped program. It is also recommended that existing users generate a board report and a full program report in Excel for each framework they wish to include in the mapping, for future reference in the event any data is lost.

1. To create a mapped framework, navigate to the Design page of Apptega by selecting the blue “Design” tile on your homepage. As an alternative, you can also select the “Design” tab in the Quick Links menu to the left.

2. On the Design page, hover over the green “+” icon next to the framework selector. Upon hovering, you’ll see a popup that summarizes framework mapping with a link to the supporting documentation.


3. Select the frameworks you’d like to map and name the custom framework. You must select at least two frameworks and name the program in order to save.

Note:

• Custom Frameworks cannot be mapped.
• Custom Program Apps cannot be mapped.
• Custom Program Apps will not be available in a mapped program if added prior to mapping frameworks together.

Custom Program Apps can, however, be added to a program after the mapping is complete. To add a Custom Program App to a Mapped Program, navigate to the “Design” page and select the Mapped Program from the Framework drop-down. Next, select the “Add App” tile and input the required fields. Upon saving your changes, the Custom Program App will appear in the mapped program.

4. The Framework Mapping Engine will read the database and create a mapped program for you.


Note: Please do not refresh the screen during the mapping process. Refreshing the screen during the mapping process will result in a partially mapped program.

What Happens to my Existing Data When I Create a Mapped Program?

There are two very important concepts to understand before you map multiple frameworks together: Dominant Sub-Controls and Data Replication. These concepts are summarized below.

Dominant Sub-Controls

If data exists in more than one framework being mapped, the system will determine a ‘dominant sub-control’ (the sub-control with the higher score). During the mapping process the software will select all data associated with the dominant sub-control and replicate it across the mapped program and the standalone frameworks. To fully understand what a dominant sub-control is, consider two scenarios:

Scenario 1: Mapping a Populated Framework with an Unpopulated Framework

You are currently managing your security program in the SANS20 framework, which has documents, assignments, tasks, scores, and other data already populated. You then want to map that framework with PCI, a framework that you have not touched (no data residing in the PCI framework). You perform the aforementioned steps, and a mapped program is created. As part of this process, the SANS20 sub-controls will be mapped to the corresponding PCI sub-controls and all data associated with the SANS20 framework will be automatically migrated into the mapped program.

Scenario 2: Mapping a Populated Framework with a Populated Framework

You are currently managing your security program using two standalone frameworks (SANS20 and PCI), both of which have documents, assignments, tasks, scores, and other data already populated. You then want to map the two frameworks together to create a mapped program. What happens to the data?

When you initiate the mapping process, the software will first pair all common sub-controls together. Then, it will determine which sub-control has the higher score and assign it as the ‘dominant sub-control’.

For example, SANS sub-control 18.6 and PCI sub-control 6.4.1 both require separation of production and non-production environments and are therefore paired together as one ‘common sub-control’ called ‘Separation of Production and Non-Production Environments’. If the SANS sub-control is scored at 50% and the PCI sub-control is scored at 80%, then the PCI sub-control becomes the ‘dominant sub-control’. Finally, the software will select all data associated with the dominant sub-control and replicate that data across the SANS 18.6 sub-control and the common sub-control in the mapped program. Essentially, the PCI sub-control ‘wins’ and its data will persist in the system. The data that was in the SANS sub-control will be deleted.

Key Takeaway from Dominant Sub-Controls:

If your security program falls into scenario 1 above, there is no concern for your data: you are mapping a populated framework to an unpopulated framework. If, however, you are mapping two populated frameworks together, you must be aware that you will likely lose some of your data, because the data on the non-dominant sub-control is overwritten rather than merged. This is by design: if two sub-controls are similar enough to be paired as a common sub-control, then they should have the same owner(s), tasks, evidence, artifacts, and attachments. Now that we’ve highlighted Dominant Sub-Controls, let’s explore Data Replication.

Data Replication

When you create a mapped program, any data that is updated in the mapped program will automatically be replicated to the ‘paired’ sub-controls. Let’s consider the same example mentioned in the Dominant Sub-Controls section above. After mapping these two frameworks, the user starts updating the data in the mapped program for the new common sub-control called ‘Separation of Production and Non-Production Environments’.

[Screenshot: the common sub-control ‘Separation of Production and Non-Production Environments’ being edited in the mapped program]

After saving the data here, if the user navigates back to the individual SANS20 sub-control or PCI sub-control, the data will have been replicated there automatically. Similarly, if the user updates the data in the individual SANS20 or PCI sub-control, it will be replicated to the common sub-control in the mapped program.

Key Takeaway from Data Replication:

When you map two frameworks together, the sub-controls are ‘coupled’ and any change to one will automatically be replicated to all paired sub-controls. This includes scoring, tasks, assignments, notes, dates, vendors, etc. It is recommended that users consider the impact of both dominant sub-controls and data replication before mapping frameworks together, to avoid losing data or negatively affecting the current environment.
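The rules above (dominant sub-control selection, overwrite of the losing side, replication while coupled, persistence after uncoupling) are the part of Harmony that can silently destroy data, so before mapping two populated frameworks it is worth producing a dry-run list of exactly which sub-control data would be deleted. The following is an added illustration written for this page, not Apptega’s code, and it models the behaviour described in the Dominant Sub-Controls, Data Replication and (later) Uncouple sections. Everything in it is an assumption about representation: the pairing table, integer percentage scores, a free-form data dictionary per sub-control, and the constructed SANS20/PCI sample data. Tie-breaking between equal scores is not defined anywhere in the document, so the plan only flags ties rather than resolving them.

```python
"""Dry run of Harmony's dominant-sub-control merge and data-replication rules.
Added illustration, not Apptega's code; pairing table, scores and data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, str]                                    # (framework, sub-control reference)
Frameworks = Dict[str, Dict[str, "SubControl"]]


@dataclass
class SubControl:
    score: int                                           # percentage score shown in the UI
    data: Dict[str, object] = field(default_factory=dict)  # owner, tasks, evidence, notes ...

    def populated(self) -> bool:
        return bool(self.data)


# Hypothetical pairing table. The first entry is the pairing named in the document;
# the second uses placeholder references only to show a framework that is not selected.
PAIRING: Dict[str, List[Key]] = {
    "Separation of Production and Non-Production Environments":
        [("SANS20", "18.6"), ("PCI", "6.4.1")],
    "Hypothetical common sub-control":
        [("PCI", "placeholder-ref"), ("NIST 800-53", "placeholder-ref")],
}


@dataclass
class MergePlan:
    common: str
    dominant: Key
    losers: List[Key]
    data_lost: Dict[Key, Dict[str, object]]   # populated data that the merge would overwrite
    tie: bool                                  # equal scores; tie-breaking is undocumented


def _sc(fw: Frameworks, key: Key) -> SubControl:
    return fw[key[0]][key[1]]


def plan_mapping(fw: Frameworks, pairing: Dict[str, List[Key]] = PAIRING) -> List[MergePlan]:
    """Without changing anything, report which sub-control wins each pairing and
    which populated data on the losing side would be deleted."""
    plans: List[MergePlan] = []
    for common, keys in pairing.items():
        selected = [k for k in keys if k[0] in fw]
        if len(selected) < 2:
            continue                        # nothing to pair; sub-control carries through as-is
        populated = [k for k in selected if _sc(fw, k).populated()]
        tie = False
        if len(populated) <= 1:             # scenario 1: at most one side holds data
            dominant = populated[0] if populated else selected[0]
        else:                               # scenario 2: higher score wins
            ranked = sorted(populated, key=lambda k: _sc(fw, k).score, reverse=True)
            dominant = ranked[0]
            tie = _sc(fw, ranked[0]).score == _sc(fw, ranked[1]).score
        losers = [k for k in selected if k != dominant]
        lost = {k: dict(_sc(fw, k).data) for k in losers if _sc(fw, k).populated()}
        plans.append(MergePlan(common, dominant, losers, lost, tie))
    return plans


@dataclass
class MappedProgram:
    name: str
    frameworks: Frameworks
    groups: Dict[str, List[Key]]            # common sub-control -> coupled keys, dominant first
    coupled: bool = True

    def update(self, key: Key, field_name: str, value: object) -> List[Key]:
        """Write one field on a sub-control; while coupled, the write replicates to
        every paired sub-control. Returns the keys actually written."""
        targets = [key]
        if self.coupled:
            for keys in self.groups.values():
                if key in keys:
                    targets = list(keys)
                    break
        for k in targets:
            _sc(self.frameworks, k).data[field_name] = value
        return targets

    def uncouple(self) -> None:
        """Remove the mapped program: replication stops, standalone data persists."""
        self.coupled = False
        self.groups = {}


def apply_mapping(name: str, fw: Frameworks, pairing: Dict[str, List[Key]] = PAIRING) -> MappedProgram:
    """Perform the merge: the dominant sub-control's score and data overwrite
    (do not merge into) every paired sub-control."""
    groups: Dict[str, List[Key]] = {}
    for plan in plan_mapping(fw, pairing):
        dom = _sc(fw, plan.dominant)
        for k in plan.losers:
            loser = _sc(fw, k)
            loser.data = dict(dom.data)     # the loser's own data is gone after this
            loser.score = dom.score
        groups[plan.common] = [plan.dominant] + plan.losers
    return MappedProgram(name, fw, groups)


def constructed_frameworks(pci_populated: bool) -> Frameworks:
    """Constructed sample data for the document's two scenarios (not real program data)."""
    sans = SubControl(50, {"owner": "alice", "evidence": ["env-separation-policy.pdf"]})
    pci = SubControl(80, {"owner": "bob", "tasks": ["review change tickets"]}) if pci_populated else SubControl(0)
    return {"SANS20": {"18.6": sans}, "PCI": {"6.4.1": pci}}


if __name__ == "__main__":
    fw = constructed_frameworks(pci_populated=True)
    for plan in plan_mapping(fw):
        print(plan.common, "-> dominant:", plan.dominant, "(tie)" if plan.tie else "")
        for key, data in plan.data_lost.items():
            print("  would delete from", key, ":", data)
```

Run the dry run (plan_mapping) against an export of both frameworks before pressing Save; anything listed under data_lost is what the board report and Excel export recommended above are protecting, and a flagged tie means the document gives no guarantee about which side survives.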


Navigating the User Interface

Once the mapping process is complete, each Program App will be labeled on the “Design” page based on the associated framework(s). The example below shows a Mapped Program between PCI and SANS20.

[Screenshot: “Design” page for a PCI and SANS20 Mapped Program, with Program Apps labeled by framework]

In that example the Risk Management Program App maps to both the PCI and SANS20 frameworks, whereas the Security Governance Program App maps to PCI only.

After creating a mapped program, users will navigate to the “Implement” page, where they will manage the associated Program Apps and sub-controls. As on the “Design” page, the Program Apps in a Mapped Program will be labeled based on the associated framework(s).

[Screenshot: “Implement” page for the same Mapped Program]


When navigating to each Program App landing page, users will notice the following:

• A description for the Program App
• A label for each sub-control detailing the associated frameworks
• An overview, action items, and a list of related documents provided for each mapped sub-control


• Users can hover over the blue framework name for each common sub-control to see the specific language from the sub-controls that have been mapped together.

[Screenshot: the PCI sub-controls included in a mapped sub-control for Incident Response]

How to Generate a Report

After creating a mapped program, users will have the option to report on each individual framework or collectively on the mapped program.

1. To generate a report, navigate to the “Dashboards & Reports” page of Apptega by selecting the blue “Dashboards & Reports” tile on your homepage. As an alternative, you can also select the “Dashboards & Reports” tab in the Quick Links menu to the left.


2. Select the mapped program or individual framework you’d like to generate a report for from the framework drop-down in the upper left of the page.

3. Next, scroll to the bottom of the page, where you will see the “Program Reports” section. Select the green “New Report” button to create a new report.

4. Upon selecting the “New Report” button you will be presented with several report types to choose from:

• Full program report in Microsoft Excel
• Full program report in Microsoft Word
• Board Report in Microsoft PowerPoint
• Custom Report

Choose the desired report type and select “Create Report”.

Note: When creating a custom report, you must name your report and select the sections you wish to include in order to create a report.

5. The generated report will then appear under the “Program Reports” section of the “Dashboards & Reports” page with a “pending” status until it is available for download. To edit the report, select the pencil icon. To delete the report, select the trash icon.


How to Uncouple a Mapped Program

Apptega provides the ability to remove a mapped program, which will uncouple the sub-controls. This process ends data replication: any updates made in one framework will no longer replicate to the other frameworks that were part of the mapped program. However, the data will persist, or continue to exist, in each individual framework that was included in the initial mapping after the mapped program is removed.

For example, if you use Harmony to map PCI and SANS20 and later decide to uncouple the mapped program to manage the two frameworks separately, any previously populated data will remain in both the PCI and SANS20 frameworks after the mapped program is removed. Any updates made to these frameworks after uncoupling will only be reflected in the standalone framework in which the change was made (i.e. any update made to PCI will only be reflected within the PCI framework). Note that uncoupling does not restore data that was overwritten by the dominant sub-control when the program was created; both frameworks keep the replicated copy.

Please find the steps below to uncouple a mapped program:

1. To remove a mapped framework, select the “Manage Frameworks” option in the framework drop-down menu.

2. Next, choose the program you wish to uncouple and select the red “uncouple” icon to the right of the program name.

3. A popup will then appear. Select the checkbox and press the green “Confirm” button to confirm the deletion. The program will then be removed from the “Manage Frameworks” section of the application and from the framework drop-down menu on the “Design” page.

Note: All data that was uploaded will continue to exist in the associated frameworks.


How to Add a Framework to a Mapped Program

If a mapped program has been created and you’d like to add another framework, you can do so by creating a new mapped program and removing the old one. All data will automatically be replicated to the new program. Because this creates a new mapped program, the Dominant Sub-Control rule applies to the framework being added: if that framework is already populated, its data may be overwritten where it pairs with the existing program, so export its reports first as recommended above.

1. On the Design page, select the green “+” icon next to the framework selector.

2. Select the frameworks that are currently in your mapped program and the additional framework(s) you would like to add. Name the mapped program and select “Save”.

3. Navigate to the “Manage Frameworks” page from the drop-down menu and select the “uncouple” icon for the old mapped program. In the popup, select “Yes, I understand. Delete this mapped framework.” and then select “Confirm”. The old mapped program will be removed; however, the frameworks will still be coupled in the new mapped program created in the previous step.


Glossary

Mapped Program - A collection of two or more frameworks that have been mapped together using the Intelligent Framework Mapping feature.

Data Replication - When frameworks are mapped together, the sub-controls are ‘coupled’ and any change to one is automatically replicated to all paired sub-controls in both the mapped program and the standalone frameworks. This includes scoring, tasks, assignments, notes, dates, vendors, etc.

Dominant Sub-control - If data exists in more than one framework being mapped, the system will determine a ‘dominant sub-control’ (the sub-control with the higher score). During the mapping process the software will select all data associated with the dominant sub-control and replicate it across the mapped program and the standalone frameworks.

Uncouple a Mapped Program - Users can remove a mapped program, which will uncouple the sub-controls. When a mapped program is removed, updates in one framework will no longer replicate to other frameworks that were part of the mapped program.

Data Persistence - If a mapped program is uncoupled, the data will persist, or continue to exist, in each individual framework that was included in the initial mapping. For example, if you map SOC2 and PCI together and then decide to uncouple the program, all data will continue to exist in the standalone frameworks after the mapped program is removed.

Disclaimer

Mappings between supported frameworks are intended to be an informative reference and do not imply or guarantee compliance with any laws, regulations, or best practices published by other organizations. Users who have aligned their security program to any cybersecurity framework should not assume that by doing so they are in full compliance. Users should still rely on certified auditors or consultants to validate that they are meeting any regulatory requirements.

Intelligent Framework Mapping is not a one-size-fits-all approach to managing cybersecurity risk. Organizations will continue to have unique risks and different procedures that govern the security program. Due to data replication in Mapped Programs, Framework Mapping may not be the best approach for organizations that would like to manage multiple frameworks separately and in isolation.

Framework Mapping was designed to make the assessment process more efficient and to provide a solution to easily view common sub-controls across multiple frameworks. However, it is imperative that users understand the concepts of Data Replication and Dominant Sub-controls, as these may impact the environment and lead to loss of data in the event multiple frameworks that each contain different data are mapped together. Apptega is not responsible for any loss of data during the mapping process; however, we are happy to set up a one-on-one consultation with customers to provide guidance and support before creating a mapped program.