Common Control Framework

To compare controls from two or more standards:

  1. Go to Content > Controls and Questionnaires.
  2. Expand the Controls and Questionnaires tree and go to Controls and Questionnaires > Content > Controls > Standards. A grid view of the available standards appears in the right pane.
    A grid view of the available standards.
  3. Select two standards, then click View Common Controls to open the Common Control Report.
    The Common Control Report.

    The Common Control Report shows a visual comparison of the sub-controls common to the selected standards. For example, "CSC-5.1 Automated tools to continuously monitor" has sub-controls in common with both NIST SP 800-53 (2013) and SANS 20 Critical Security Controls V5.0.

  4. Optional: Click on a check mark in the standard column to see details of the common sub-controls.

  5. Optional: Click on a sub-control to display a pop-up with information related to the sub-control.

    If the identifier of the first sub-control is cited as a reference number in the second sub-control, or vice versa, those two sub-controls are treated as common controls.

    You can now compare the degree of overlap between the controls and sub-controls of the various frameworks and regulations that you need to comply with. You can also see the controls and sub-controls from which answers can be copied.

Example 1

Organization ABC is completing the following assessment:

  Program Name: Compliance with Access Control
  Entity: ABC Office
  Security Owner: John J
  Controls in use: NIST SP 800-53 (2013)
  • AC-1 ACCESS CONTROL POLICY AND PROCEDURES
  • AC-11 SESSION LOCK
  • AC-12 SESSION TERMINATION
Mike, the entity owner, answers the questions from the above controls. John, the security owner, approves the responses and signs off on the assessment. The compliance scores are calculated and the risk is determined.

The completed assessment.

Example 2

You want to create a new program with the following details:

  Program Name: Access Control practices
  Entity: ABC Office
  Entity Owner: Mike L
  Security Owner: John J

When creating the program, open the New Program wizard and click the Options tab. Select Automatically answer unanswered controls using results from related controls.

This ensures that if a questionnaire in the current program is not answered, the unanswered controls use results from related controls that were answered in a different assessment. This is where the Common Control Framework comes into use: if the controls overlap, the responses given to controls in one assessment are automatically re-used to answer the corresponding controls in the other assessment.

  • Apply compliance score from the related controls: Responses from a related control will be used to calculate the compliance scores.
  • Apply answers from the related controls when controls have exactly the same set of choices: The framework will first validate if the same set of answer choices are used in the related controls. If they are, then they will be used as responses to the questionnaire.

Now, when an assessment for the "Access Control practices" program moves through the workflow and does not have responses for all of its controls, responses from the "Compliance with Access Control" program are used to populate the compliance scores, because the controls are common and overlapping.

The Common Control Framework only works when controls have the same question text and the same set of choices.
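The two rules above, the common-control match from step 5 and the auto-answer options from the Options tab, modelled as an added example in Python. This is not code from the product; the standards, identifiers and questions are constructed, and it assumes the same question text and choice set are required before either option copies anything.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SubControl:
    standard: str
    cid: str                  # sub-control identifier, e.g. "A-1" (constructed)
    question: str             # question text shown in the questionnaire
    choices: frozenset        # set of answer choices offered
    references: frozenset = frozenset()  # identifiers cited from other standards

@dataclass
class Answer:
    control: SubControl
    response: str
    score: float

def common_controls(std_a, std_b):
    """Pairs of sub-controls where one cites the other's identifier (either direction)."""
    return [(x.cid, y.cid) for x in std_a for y in std_b
            if y.cid in x.references or x.cid in y.references]

def auto_answer(unanswered, answered, pairs, apply_scores=True, apply_answers=True):
    """Fill unanswered controls from answered related ones.
    A related control is only used when its question text and choice set are identical."""
    related = {}
    for a, b in pairs:
        related.setdefault(a, b)
        related.setdefault(b, a)
    filled = {}
    for target in unanswered:
        src = answered.get(related.get(target.cid))
        if src is None:
            continue
        if src.control.question != target.question or src.control.choices != target.choices:
            continue  # different wording or choices: nothing is copied
        score = src.score if apply_scores else None
        response = src.response if apply_answers else None
        if score is not None or response is not None:
            filled[target.cid] = (response, score)
    return filled

# Constructed sample data: two standards, two cross-referenced sub-controls each.
YES_NO = frozenset({"Yes", "No"})
A1 = SubControl("Standard A", "A-1", "Is a session lock enforced after inactivity?", YES_NO, frozenset({"B-7"}))
A2 = SubControl("Standard A", "A-2", "Are sessions terminated automatically?", YES_NO)
B7 = SubControl("Standard B", "B-7", "Is a session lock enforced after inactivity?", YES_NO)
B8 = SubControl("Standard B", "B-8", "Are sessions terminated automatically?",
                frozenset({"Yes", "No", "N/A"}), frozenset({"A-2"}))
PAIRS = common_controls([A1, A2], [B7, B8])
ANSWERED = {"B-7": Answer(B7, "Yes", 100.0), "B-8": Answer(B8, "N/A", 50.0)}
FILLED = auto_answer([A1, A2], ANSWERED, PAIRS)  # only A-1 is filled: A-2 has a different choice set
```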