Core Functionalities

Compliance Management
Table of Contents
Why this Chapter is Important

Basic Concepts
  Compliance Package and Items
  Compliance Treatment
  Compliance Findings

Compliance Management
  Uploading a Compliance Package
  Editing Compliance Packages
  Duplicating Compliance Packages
  Deleting Compliance Packages
  Mapping Compliance Requirements
  Manual Mapping Definitions
  CSV Mapping Definitions
  Linking GRC Elements
  Creating Audit Findings

Additional Features
  Notifications
  Filters
  Reports

ANNEX
  Compliance Package CSV Format
  Pre-Compiled CSV Packages

Why this Chapter is Important
This module helps you to analyze and understand how compliant you are against a set
of legal, contractual, regulatory requirements, or standards such as PCI-DSS, ISO 27001,
etc.

WARNING - BEFORE ATTEMPTING TO READ THIS GUIDE, MAKE SURE YOU READ
AND UNDERSTAND HOW BASIC GRC RELATIONSHIPS WORK IN ERAMBA AND HAVE
NOT SKIPPED ANY PREVIOUS STEPS

Basic Concepts
Essentially, this module helps you to map each requirement from a compliance package
(e.g., PCI, ISO, etc.) with GRC elements with the objective of describing how each
requirement is being met by your organization.

The screenshot above shows a partial view of Compliance Management / Compliance
Analysis in which you can see PCI requirements and the “Status” of Controls, Policies,
etc., that are mapped to each requirement. The actual mapping is not shown on the
screenshot (this is further to the right on the filter).

Eramba ships empty; this means that after a clean install you won't find any
compliance packages (e.g., PCI, ISO, etc.) or GRC elements (e.g., controls, policies, risks,
etc.). It’s your responsibility to design and create these to suit your individual needs.

The Compliance Management module is split across three key sections; the following
table provides a brief summary of their function.

Module                                               | Objective
Compliance Management / Compliance Packages          | Manage the library of things you need to be compliant with.
Compliance Management / Compliance Analysis          | Link GRC elements (Controls, Policies, etc.) with the compliance requirements defined in the previous module.
Compliance Management / Compliance Analysis Findings | Document audit findings that affect one or more compliance requirements.

Compliance Package and Items

A compliance package is the list of requirements that form a standard, law, or contract
that must be adhered to; typical examples are PCI-DSS, ISO 27001, etc. Compliance
Package Items are the actual requirements inside a compliance package, for example
5.3.3 in ISO 27001.

In Compliance Management / Compliance Packages, you can manage the library of
packages by uploading, deleting, or editing them. As you can see on the screenshot
below, two tabs exist in this section: one with the packages and the other with the
items.

Clicking on the number of items for each compliance package will take you to the
Compliance Package Items tab with a filter view for these packages in particular.

You can define your own compliance packages using a CSV file (we have a standard
format you need to follow) and upload them to Eramba using an import function.
Additionally, there is a list of pre-compiled packages (commonly used) that are ready for
upload.

Once compliance packages are uploaded, you can start working on how to meet (or not)
each one of these requirements by linking controls, risks, policies, etc.

Compliance Treatment
Treatment is defined by the associated module within Eramba that is used to meet a
requirement, whether it be policies, controls, etc.

In the likely scenario that you need to be compliant with multiple compliance packages
at the same time (e.g., ISO, PCI, etc.), you can reuse (leverage) one control, policy, or risk
for more than one compliance requirement. You may link it with as many as needed.

A summary of all relationships is described in the following table:

Module Item                                   | General reason to do so
Control Catalogue / Policies                  | Link one or more policies. For example: ISO 5.1.1, PCI 1.1.3, etc.
Control Catalogue / Internal Controls         | Link one or more controls. For example: ISO 6.12, 9.1.2, etc.
Compliance Mgt / Compliance Analysis Findings | Link one or more audit findings.
Compliance Mgt / Compliance Exceptions        | Link one or more exceptions, for example when ISO or PCI requirements are not applicable since they are out of the scope of the organization.
Risk Mgt / All three types of Risk            | Link one or more risks; some ISO auditors might want to see risks linked to ISO 27002 controls.
Asset Mgt / Asset Identification              | Link one or more assets to each requirement to define the scope of the requirement (what systems, etc. are affected by the requirement).

Compliance Findings
In order to demonstrate compliance, inevitably you will need to be assessed by an
independent auditor. Audits inherently result in findings that must be mitigated by a
given date.

Under Compliance Mgt / Compliance Analysis Findings, you can document audit
findings and link them with one or more compliance package requirements to make it
clear what items the findings apply to.

Compliance Management

Uploading a Compliance Package

In order to upload a compliance package, click on “Add” and complete the form; some
fields are mandatory and some are optional.

The “owners” you define here will automatically have access to this package (at
Compliance Management / Compliance Analysis). You can of course adjust this setting by
adding or removing users and groups at any time.

Keep in mind that you can create multiple Compliance Packages in case you need to
upload multiple compliance packages, for example:

● PCI-DSS
● PCI-DSS Production Datacenter
● ISO 27001 India
● ISO 27001 UK

Once the compliance package is created you can go to Compliance Management /
Compliance Packages and click on Actions / Imports. You can upload your custom
made CSV file or one of our pre-compiled packages.

The import uses our standard import function, so any errors on the CSV file will be
shown to you before Eramba completes the import. Once the import is complete, you
will see the package as a new filter on the section.

Editing Compliance Packages

Once a compliance package has been uploaded, you might need to edit its content (e.g.,
add, delete or modify rows). You can do this directly from Eramba (imports won't
overwrite existing packages).

You can edit directly from the filters or by using the menu / Edit form or click on Add /
New Item.

Duplicating Compliance Packages

Occasionally, a new version of a standard/framework is released, and you need to
update your compliance package.

To deal with this situation you have two (2) options:

● If the changes against the old standard are not too big, it is easier to “Duplicate”
an existing compliance package (to make a backup) and edit the cloned copy by
adding, editing and deleting the changes (rows).
● If the changes are considerable, then it is perhaps best to build a new CSV and
import it as a new Third Party. You will then need to re-associate all GRC
elements to each item (see next section).

Cloning a compliance package will not just duplicate the items on the compliance
package. It also clones all the GRC elements that have been assigned to them using
Compliance Management / Compliance Analysis.

Deleting Compliance Packages

To delete a compliance package and all its associated items you need to delete the Third
Party. There is no restore option once this is done.

Mapping Compliance Requirements
Sometimes requirements from different publishers (PCI, ISO, NIST, etc.) are so similar
that they can be considered to be “equals”. In this case you can instruct eramba to keep
any treatment you have in mind (Internal Controls, Policies, Projects, etc.) in complete
synchronization between those requirements you consider to be the same.

Imagine in your view PCI 2.3.5 is similar to PCI 2.3.6 and HIPAA 5.4 and 800-53 item
1.4.b. So your Internal Control “AD Security Standards” that you have been using for PCI
2.3.5 can be used as well for the other three requirements.

You can now define those mappings in eramba (manually or with CSV imports) and
from that point in time any treatment (control, policy, risk, etc) on PCI 2.3.5 (the origin)
will be copied to the other items (destinations).

The fields being synchronized from the origin to the destination compliance items are
the following:

● Internal Controls
● Policy Management
● Compliance Exceptions
● Asset Risk
● Third Party Risks
● Business Continuity Plans
● Assets

Note: You cannot choose which fields will be synchronized; the list above is fixed.

Once mappings have been defined, you can go to the compliance analysis module
(Compliance Management / Compliance Analysis). If you edit an item and the item
has mappings defined, you will notice a warning on the fields.

This means whatever you define in these fields will be copied to all mapped items. You
can see what items are mapped on the “Mappings” tab.

On the Compliance Analysis module you might want to see what items are mapped as
soon as you list compliance items, for that you will need to edit filters and enable the
field to be displayed on the default filter.

If an item has mapped items, they will then be visible as a new column on the filter.

Note that a mapping is defined by telling eramba which item is the origin and which
items (multiple) are the destinations. This means that whatever treatment (policies,
controls, etc.) is defined on the origin will be copied automatically to the destinations.
Since a destination is being synchronized with the origin, you won't be able to edit the
fields above on the destination once a mapping has been defined.

Note this is an enterprise feature.

Manual Mapping Definitions

Before you can begin using this feature you will need to have at least one compliance
package uploaded using the Compliance Management / Compliance Packages module.
In that same module, the Compliance Mapping tab is the one you will use to define
your mappings.

Creating mappings is simply telling eramba what compliance package item (just one) is
related to what other items (one or more). In the scenario described above you will need
to define three mappings.

Source    | Destination
PCI 2.3.5 | PCI 2.3.6
PCI 2.3.5 | HIPAA 5.4
PCI 2.3.5 | HIPAA 1.4.B

By clicking on Actions / Add you can define each one of these mappings.

You will define the origin and destination of the mapping, remember anything defined
on the origin (controls, policies, etc) will be copied to the destinations automatically.

As you define your mappings, they will be shown on the filter below. At any point in time
you can edit or delete these mappings.

If you create a mapping from PCI 3.4.5 (which, let's assume, already has some treatment,
such as Internal Controls, Policies, etc.) to ISO 5.6.7, the synchronization takes place as
soon as you save the new mapping, and whatever PCI 3.4.5 has will be copied to ISO
5.6.7. You won't be able to edit the mitigation fields on ISO 5.6.7, as they are always
inherited from the PCI requirement.

If you delete an existing mapping, the items involved will not change their treatment.
Everything will stay as it was before the deletion took place.

If you edit a mapping, the new items included in the edit will be synchronized
automatically. Items removed in the edit will be left as they were before the edit
took place.
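The origin/destination rules described in this section (copy on save, read-only destinations, no rollback on deletion, only newly added destinations synchronized on edit), as an added model written for this guide; it is not Eramba code, and the item names and the "AD Security Standards" control are the ones from the scenario above.

```python
# The fields the guide lists as synchronized from origin to destinations.
SYNCED_FIELDS = ("Internal Controls", "Policy Management", "Compliance Exceptions",
                 "Asset Risk", "Third Party Risks", "Business Continuity Plans", "Assets")


class ComplianceAnalysis:
    def __init__(self):
        self.items = {}      # item name -> {field: set of linked GRC element names}
        self.mappings = {}   # origin item name -> set of destination item names

    def add_item(self, name):
        self.items[name] = {f: set() for f in SYNCED_FIELDS}

    def is_destination(self, name):
        return any(name in dests for dests in self.mappings.values())

    def set_treatment(self, name, field, elements):
        """Link GRC elements to an item; destinations are read-only while mapped."""
        if self.is_destination(name):
            raise PermissionError(f"{name} is a mapping destination; edit its origin")
        self.items[name][field] = set(elements)
        self._sync(name)      # edits on an origin propagate immediately

    def _sync(self, origin):
        # Copy every synchronized field from the origin to all its destinations.
        for dest in self.mappings.get(origin, ()):
            for f in SYNCED_FIELDS:
                self.items[dest][f] = set(self.items[origin][f])

    def add_mapping(self, origin, destinations):
        """Saving a mapping copies the origin's current treatment at once."""
        self.mappings.setdefault(origin, set()).update(destinations)
        self._sync(origin)

    def edit_mapping(self, origin, destinations):
        """Newly added destinations are synchronized; removed ones keep what they had."""
        self.mappings[origin] = set(destinations)
        self._sync(origin)

    def delete_mapping(self, origin):
        """Deleting a mapping leaves every item's treatment exactly as it was."""
        self.mappings.pop(origin, None)


def run_scenario():
    """The PCI 2.3.5 example from the guide; returns the final state of all items."""
    ca = ComplianceAnalysis()
    for name in ("PCI 2.3.5", "PCI 2.3.6", "HIPAA 5.4", "800-53 1.4.b"):
        ca.add_item(name)
    ca.set_treatment("PCI 2.3.5", "Internal Controls", ["AD Security Standards"])
    ca.add_mapping("PCI 2.3.5", ["PCI 2.3.6", "HIPAA 5.4", "800-53 1.4.b"])
    ca.edit_mapping("PCI 2.3.5", ["PCI 2.3.6", "800-53 1.4.b"])   # drop HIPAA 5.4
    ca.set_treatment("PCI 2.3.5", "Policy Management", ["Password Policy"])
    ca.delete_mapping("PCI 2.3.5")
    return ca.items


if __name__ == "__main__":
    for item, treatment in run_scenario().items():
        print(item, {f: sorted(v) for f, v in treatment.items() if v})
```

After the scenario, HIPAA 5.4 still carries the control it inherited before it was removed from the mapping but never receives the later policy, while PCI 2.3.6 and 800-53 1.4.b keep both even after the mapping is deleted.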

CSV Mapping Definitions

The same task described above can be done by importing CSV files. The CSV template can
be downloaded from Actions / Import / Download Template and it must be completed
according to the following instructions:

● You need 6 columns
● The first three define the origin, the other three the destination
● Origin and Destination are each composed of:
○ Compliance Package Name
○ Chapter Number
○ Item ID

Remember that the compliance package name, chapter ID and item ID can be easily
obtained from the compliance package section.

Linking GRC Elements

Once your compliance requirements (Compliance Package) are in the system you can
start linking (i.e., mapping) them to the associated GRC elements by simply clicking on
the menu of the item and then “Editing” it.

Alternatively, you can also update these fields using the inline filter function: simply
hover over the cell you want to update and click edit.

The form that handles this is self-explanatory, bear in mind that not all fields are
mandatory so the way you describe each item is entirely up to you. If you haven't used
Eramba before, we recommend you prepare all your controls and policies in a CSV file,
import them and then simply do the linking.

Our template standards include ready-to-import controls and policies for ISO, PCI, and
HITRUST. Please review our documentation guides.

Creating Audit Findings

At Compliance Management / Compliance Analysis Findings you can record audit
findings and optionally link them to the actual compliance requirements (from
Compliance Management / Compliance Analysis) that triggered the findings.

The module accepts imports, notifications, filters, reports, etc. just like any other
Eramba module. To create a new finding simply click on Actions / Add.

The form is simple, and you should not have any trouble completing it. Keep in mind the
statuses “Open” and “Closed”: if a finding is “Open” and its deadline is in the past, the
status “Expired” will be triggered.

Additional Features

Notifications
Please review the notifications documentation on how to configure these notifications.
Here are a few ideas on the types of notifications you can use:

Tab                                         | Notification Type      | Ideas
Compliance Management / Compliance Analysis | Attachments & Comments | Notify the item owner every time a comment or attachment is added.
Compliance Management / Compliance Analysis | Awareness              | Reminder to the requirement owner that they must keep work up to date to ensure they meet the requirement they have been assigned.
Compliance Management / Compliance Analysis | Filter                 | Weekly report listing compliance requirements that have failed audits or are missing reviews.

In terms of Compliance Analysis Findings, the suggestions are:

Tab                                                 | Notification Type      | Ideas
Compliance Management / Compliance Analysis Finding | Attachments & Comments | Notify the item owner every time a comment or attachment is added.
Compliance Management / Compliance Analysis Finding | Awareness              | Reminder to the finding owner that there is an item assigned to them.
Compliance Management / Compliance Analysis Finding | Filter                 | Weekly report listing all compliance findings whose deadline is approaching or has already expired.
Compliance Management / Compliance Analysis Finding | Warning                | Send reminders 30, 15, 10, 5, etc. days before the deadline for any given finding.

Filters
The system comes with multiple pre-created filters (these cannot be removed or
modified), and many more can be created to help manage the system.

Reports
The system comes with multiple pre-created system reports (these cannot be removed or
modified), and many more can be created to help manage the system. Please review the
report documentation to understand the full capabilities of this feature.

ANNEX

Compliance Package CSV Format

If you want to upload your own compliance package you need to create a CSV file and
ensure it’s formatted in such a way that eramba can understand the contents. We
organize compliance packages (CSV files) into “chapters” and “items” (which are inside
chapters):

● Chapters are composed of three fields: ID, name, description
● Items are composed of four fields: ID, name, description and an additional field
“Questions” which we use if we want to show the auditor or compliance manager
how to comply with or audit a requirement.

We will provide you with an example using PCI-DSS requirement 2 as a reference:

In the image above, you see the chapter row (composed of three fields), the item row
(four fields) and how we translated a PCI requirement into a CSV formatted file (imagine
the chapter and item all in one straight row). Remember to remove all commas from
the files!

You may also use them to see examples of how a custom compliance package can be
produced. You will need to prepare a CSV (Excel can deal with CSV very easily) file with
the above fields (e.g., Compliance Package ID, name, description, Compliance Package
Item, name, description, question) completed.

WARNING
● Make sure you have all 7 required columns;
● If you are using Microsoft Excel, you need to save the spreadsheet as
“Windows CSV” (not DOS CSV);
● Make sure all cells have some text; if you don't have anything to put, just
write “Empty” or something similar so the cell is NOT empty;
● Sometimes when exporting spreadsheets to CSV, empty lines are created at
the bottom of the CSV file; check with “notepad” or similar that these have not
been created.

You may want to download an existing CSV file from our website as an example to
follow.
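A pre-import check for the two CSV layouts this guide describes (the 7-column package file above and the 6-column mapping file from the CSV Mapping Definitions section), written for this guide and not part of Eramba; it assumes a comma delimiter, the column order given in the text, and uses constructed sample rows rather than text from any real standard.

```python
import csv

# Column order described in the guide; these header names are ours, not Eramba's.
PACKAGE_COLUMNS = ["chapter_id", "chapter_name", "chapter_description",
                   "item_id", "item_name", "item_description", "questions"]
MAPPING_COLUMNS = ["origin_package", "origin_chapter", "origin_item",
                   "destination_package", "destination_chapter", "destination_item"]


def validate_csv(text, columns):
    """Return a list of problems found in the raw CSV text; an empty list means clean."""
    problems = []
    # "Windows CSV" uses CRLF line endings; a file with bare LF was exported differently.
    if "\n" in text and "\r\n" not in text:
        problems.append("line endings are LF only; save as Windows CSV (CRLF)")
    lines = text.splitlines()
    # Spreadsheets often append empty lines; the importer would treat them as rows.
    trailing = 0
    while lines and not lines[-1].strip():
        lines.pop()
        trailing += 1
    if trailing:
        problems.append(f"{trailing} empty line(s) at the end of the file")
    for lineno, row in enumerate(csv.reader(lines), start=1):
        if len(row) != len(columns):
            problems.append(f"line {lineno}: expected {len(columns)} columns, found {len(row)}")
            continue
        for name, cell in zip(columns, row):
            if not cell.strip():
                # Every cell must hold text; the guide suggests writing "Empty".
                problems.append(f"line {lineno}: column {name!r} is empty")
            elif "," in cell:
                # Commas inside a cell must be removed, even if the cell is quoted.
                problems.append(f"line {lineno}: column {name!r} contains a comma")
    return problems


# Constructed sample package rows (made-up text, not a real standard), CRLF endings.
GOOD_PACKAGE = (
    "2,Secure Configuration,Harden all system components,2.1,Change vendor defaults,"
    "Remove default accounts before deployment,Ask for the hardening checklist\r\n"
    "2,Secure Configuration,Harden all system components,2.2,Disable unused services,"
    "Only required services are enabled,Review the service inventory\r\n"
)
# Same file with the mistakes the WARNING box lists: LF endings, a quoted comma,
# an empty cell and a trailing empty line.
BAD_PACKAGE = (
    "2,Secure Configuration,Harden all system components,"
    '2.1,Change vendor defaults,"Remove default accounts, passwords",'
    "Ask for the hardening checklist\n"
    "2,Secure Configuration,,2.2,Disable unused services,Only required services,"
    "Review the service inventory\n\n"
)
# Mapping rows for the scenario in the guide; the chapter numbers are assumed.
GOOD_MAPPING = (
    "PCI,2,2.3.5,PCI,2,2.3.6\r\n"
    "PCI,2,2.3.5,HIPAA,5,5.4\r\n"
    "PCI,2,2.3.5,NIST 800-53,1,1.4.b\r\n"
)
```

Calling validate_csv(BAD_PACKAGE, PACKAGE_COLUMNS) reports all four defects (line endings, trailing empty line, the comma inside a quoted cell and the empty cell), while the two good samples return an empty list.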

Pre-Compiled CSV Packages

You can download the CSV files for each standard and upload them to Eramba; they are
already pre-formatted and ready to be used.

Package                                                                                     | Version                           | Notes
PCI-DSS V3.1                                                                                | 3.1                               | https://www.pcisecuritystandards.org/
PCI-DSS V3.2                                                                                | 3.2                               | https://www.pcisecuritystandards.org/
PCI-DSS V3.2.1                                                                              | 3.2.1                             | https://www.pcisecuritystandards.org/
PCI-Card Production-Logical Security Requirements V2                                        | 2                                 | https://www.pcisecuritystandards.org/
PCI-Card Production-Physical Security Requirements V2                                       | 2                                 | https://www.pcisecuritystandards.org/
CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES (NEW YORK STATE 500 of Title 23) | March 1st, 2017 - 500 of Title 23 | See the official law codification
Massachusetts General Law Chapter 93H                                                       | 201 CMR 17.00                     | https://malegislature.gov/laws/generallaws/parti/titlexv/chapter93h
ISO 9001:2015                                                                               | 2015                              | You need to provide evidence you purchased the standard to get a copy.
CIS Controls                                                                                | 8                                 | https://www.cisecurity.org/controls/
CIS Controls                                                                                | 7.1                               | https://www.cisecurity.org/controls/
SANS – Critical Security Controls Top 20                                                    | 3                                 |
NIST 800-53 v4                                                                              | Revision 4                        | https://nvd.nist.gov/800-53
NIST 800-53 v5                                                                              | Revision 5                        | https://nvd.nist.gov/800-53
NIST CyberSecurity Framework                                                                | 1.0                               | https://www.nist.gov/cyberframework
NIST CyberSecurity Framework                                                                | 1.1                               | https://www.nist.gov/cyberframework
NIST Privacy Framework                                                                      | 1.0                               | https://www.nist.gov/privacy-framework
ISO 27001:2013                                                                              | 2013                              | You need to provide evidence you purchased the standard to get a copy.
ISO 27002:2013                                                                              | 2013                              | You need to provide evidence you purchased the standard to get a copy.
ISO/IEC 27701                                                                               | 2019                              | You need to provide evidence you purchased the standard to get a copy.
HIPAA Security Rule                                                                         |                                   |
HITRUST v8                                                                                  | 8                                 | https://hitrustalliance.net/
HITRUST CSF v9.3.1                                                                          | 9.3.1                             | https://hitrustalliance.net/
Cloud Security Alliance                                                                     | 3.0.1                             | https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix/
SOC2 Report (Confidentiality, Security and Availability Principles)                         | 2016                              |
SOC2 Report (Confidentiality, Security and Availability Principles)                         | 2021                              | Thanks David Davis
SWIFT CSP v1.0                                                                              | 1.0                               | https://www.swift.com/myswift/customer-security-programme-csp
Cyber Essentials - UK                                                                       |                                   | https://www.cyberessentials.ncsc.gov.uk/
GDPR (2016/679)                                                                             |                                   | European Union
Australian NSW Cyber Security Framework                                                     |                                   | Thanks ROSHAN FERNANDES
Australian Government ISM                                                                   |                                   | Thanks ROSHAN FERNANDES
Cybersecurity Maturity Model Certification                                                  | 1.0                               | Office of the Under Secretary of Defense for Acquisition & Sustainment
NIST 800-171                                                                                | 2.0                               | NIST
Publicly Available Specification 1296: 2018                                                 | 2018                              | You need to provide evidence you purchased the standard to get a copy. Thanks David Davis
