Information System Regulatory Mapping

The main focus here is to ensure that all regulatory requirements are identified, and that the compliance effort of the business takes them into account.

Cloud Controls Matrix (CCM) Data


CO-05 | Compliance | Information System Regulatory Mapping

Control Specification

Statutory, regulatory, and contractual requirements shall be defined for all elements of the information system. The organization's approach to meet known requirements and adapt to new mandates shall be explicitly defined, documented, and kept up to date for each information system element in the organization. Information system elements may include data, objects, applications, infrastructure and hardware. Each element may be assigned a legislative domain and jurisdiction to facilitate proper compliance mapping.

Architectural Relevance

Physical | Network | Compute | App | Data
True | True | True | True | True

Corp Gov Relevance

Corp Gov Relevance
True

Cloud Service Delivery Model Applicability

SaaS | PaaS | IaaS
True | True | True

Supplier Relationship

Service Provider | Tenant / Consumer
True | True

Scope Applicability

COBIT 4.1: ME 3.1

HIPAA / HITECH Act: (no entries listed)

ISO/IEC 27001:2005:
Clause 4.2.1 b) 2)
Clause 4.2.1 c) 1)
Clause 4.2.1 g)
Clause 4.2.3 d) 6)
Clause 4.3.3
Clause 5.2.1 a - f
Clause 7.3 c) 4)
A.7.2.1
A.15.1.1
A.15.1.3
A.15.1.4
A.15.1.6

NIST SP 800-53 R3: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SI-1

FedRAMP (Final 2012) Low Impact: NIST SP 800-53 R3 AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SI-1

FedRAMP (Final 2012) Moderate Impact: NIST SP 800-53 R3 AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SC-13 (1), SI-1

PCI DSS v2.0: 3.1.1, 3.1

BITS Shared Assessments SIG v6.0: L.1, L.2, L.4, L.7, L.9

BITS Shared Assessments SIG v5.0: (no entries listed)

GAPP (Aug 2009): 1.2.2, 1.2.4, 1.2.6, 1.2.11, 3.2.4, 5.2.1

Jericho Forum: Commandment #1, Commandment #2, Commandment #3

NERC CIP: (no entries listed)


Consensus Assessments Initiative Questionnaire (CAIQ) Data

Compliance (CO) | ID #CO-05.1

Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?

Compliance Mapping

COBIT: COBIT 4.1 ME 3.1

HIPAA: (no entries listed)

ISO27001: ISO/IEC 27001:2005
Clause 4.2.1 b) 2)
Clause 4.2.1 c) 1)
Clause 4.2.1 g)
Clause 4.2.3 d) 6)
Clause 4.3.3
Clause 5.2.1 a - f
Clause 7.3 c) 4)
A.7.2.1
A.15.1.1
A.15.1.3
A.15.1.4
A.15.1.6

SP800_53: (no entries listed)

FedRAMP: (no entries listed)

PCI_DSS: PCI DSS v2.0 3.1.1, PCI DSS v2.0 3.1

BITS: SIG v6.0: L.1, L.2, L.4, L.7, L.9

GAPP: GAPP Ref 1.2.2, 1.2.4, 1.2.6, 1.2.11, 3.2.4, 5.2.1

Model Applicability

SaaS | PaaS | IaaS
True | True | True

Scope Applicability

SP (Service Provider) | CUST (Customer)
True | True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Compliance (CO) | ID #CO-05.2

Do you have capability to logically segment and recover data for a specific customer in the case of a failure or data loss?

Compliance Mapping

COBIT: COBIT 4.1 ME 3.1

HIPAA: (no entries listed)

ISO27001: ISO/IEC 27001:2005
Clause 4.2.1 b) 2)
Clause 4.2.1 c) 1)
Clause 4.2.1 g)
Clause 4.2.3 d) 6)
Clause 4.3.3
Clause 5.2.1 a - f
Clause 7.3 c) 4)
A.7.2.1
A.15.1.1
A.15.1.3
A.15.1.4
A.15.1.6

SP800_53: (no entries listed)

FedRAMP: (no entries listed)

PCI_DSS: PCI DSS v2.0 3.1.1, PCI DSS v2.0 3.1

BITS: SIG v6.0: L.1, L.2, L.4, L.7, L.9

GAPP: GAPP Ref 1.2.2, 1.2.4, 1.2.6, 1.2.11, 3.2.4, 5.2.1

Model Applicability

SaaS | PaaS | IaaS
True | True | True

Scope Applicability

SP (Service Provider) | CUST (Customer)
True | True