I've been doing cybersecurity mapping (identifying relationships between items in different standards or guidance documents) for my clients for quite a few years. My mappings have often been driven by intuition, but I've been researching the fields of concept systems and terminology science, and I'm adopting elements of them for my mappings. Recently I've contributed to NIST's OLIR documentation and a brand-new draft mapping of NCCoE ZTA functions to the NIST CSF and 800-53.
My research has included looking for other cybersecurity mapping methodologies. Unfortunately, other than finding the one for the CSA CCM (thank you, CSA!), I haven't had much luck. Google searches have largely been useless.
So I'm crowdsourcing my quest. If you know of any documented methods for cybersecurity mapping, whether they involve mapping controls, outcomes, skills, tools/technologies, attacks, vulnerabilities, whatever types of concepts--please let me know. I'll look at all your suggestions and compile and publish a list of them for community use.