Get startedGet started for free

Control mapping

1. Control mapping

After identifying the types of security controls your organization needs, those controls have to be mapped. Mapping controls in the cloud is similar to ensuring the safety features on a product —like a car or an appliance— work. Then, if any features are missing, the organization fills in the gaps. Mapping controls in the cloud ensures that all the necessary controls meet regulatory obligations and secure the cloud. To complete the control mapping process, an organization must identify controls; map required controls to cloud security benchmarks, standards, requirements, regulations, and rules; identify the controls not mapped with cloud security benchmark and respective policies; perform an assessment of platform and service; and implement guardrails with policy initiatives with native or third-party tooling. The first step in control mapping is to identify the controls that already exist in an organization's cloud infrastructure. Then, mapping a set of required controls to the current controls in place. Spreadsheets are often used in control mapping. When using a spreadsheet to map controls, choose appropriate control titles, domain categories, and descriptions to identify related controls. Then, conduct an inventory of all assets, including hardware, software, and data. And then group controls by type of asset. Be sure to align the purpose of each control to the framework that you are using. Note any gaps in the spreadsheet. After mapping, identify the controls that aren’t mapped and assess which ones need to be implemented. During this step, you can also map additional sets of compliance obligations that apply to your organization. Mapping these obligations allows you to determine if there are controls that can be inherited from the prior control mappings that were carried out by your team. Control mapping is a valuable exercise to ensure control coverage across various compliance obligations. Next, it’s time to perform a platform and service level assessment. Once you confirm your controls are fully mapped, gather any needed supporting information. Keep in mind, your organization may have a checklist to complete before the assessment is performed. Once the documents are ready, the IT team or supporting organization will review all provided information in an official platform assessment. This assessment will determine if the set of currently implemented controls meet all security and compliance requirements set by industry regulators. If there are gaps identified, you may need to develop more controls to close gaps and mitigate risk. Finally, implement guardrails using policy initiatives, using built-in or third-party tooling. Security guardrails are broad rules that prevent an insecure or not-policy-aligned action, but guardrails are not as narrow and directed as policy rules. For example, developers might be allowed to launch services that cannot be exposed to the public internet. The control that prevents that exposure is the guardrail. Depending on your control objectives, you might need to create custom policy and code to meet regulatory requirements. The control mapping process not only helps familiarize you and your team with the current controls, but also helps you understand how these controls line up with regulatory requirements. By mapping controls, you’ll be able to identify any missing controls, or gaps, and then adjust as needed. This process will mitigate risk and help avoid breaches and noncompliance.

2. Let's practice!

Create Your Free Account

or

By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.