Control Mapping
Purpose
This page documents how internal security controls in the Scheol Security Lab are mapped to external security frameworks.
The goal is to ensure:
- traceability between risks, controls, and frameworks
- consistent security reasoning across the lab
- audit-oriented documentation structure (simulation level)
This mapping is a traceability aid only; it does not by itself demonstrate compliance with any of the referenced frameworks.
Control Domains
Controls are grouped by functional domain to stay consistent with the Risk Register. Each domain lists the risks it mitigates (by Risk Register ID, with the register's risk title) and the external framework references it aligns with. ISO 27001 references use the 2022 edition (Annex A numbering); NIST CSF references are given for both CSF 1.1 and CSF 2.0 where the category was renamed between versions.
C-001 - Identity & Access Control
Description
Controls related to authentication, authorization, and privileged access management.
Mitigated Risks
- R-003 - Compromise of administrative access path
- R-005 - Credential theft and privilege escalation
- R-006 - Identity system compromise (AD/LDAP)
Framework Alignment
| Framework | Reference |
|---|---|
| ISO 27001:2022 | A.5.15 Access control, A.5.16 Identity management, A.5.18 Access rights, A.8.2 Privileged access rights, A.8.5 Secure authentication |
| NIST CSF | PR.AC (CSF 1.1) / PR.AA (CSF 2.0): Identity Management, Authentication and Access Control |
| GDPR | Art. 32(1)(b) (access control as a safeguard for the confidentiality of processing systems) |
C-002 - Network Segmentation & Exposure Control
Description
Controls enforcing segmentation between trust zones and limiting exposure of services.
Mitigated Risks
- R-001 - Service co-location and weak isolation risk
- R-002 - Network misconfiguration exposing internal services
- R-007 - Web application compromise (exposure amplification)
Framework Alignment
| Framework | Reference |
|---|---|
| ISO 27001:2022 | A.8.20 Networks security, A.8.21 Security of network services, A.8.22 Segregation of networks |
| NIST CSF | PR.AC-5 and PR.PT (CSF 1.1) / PR.IR-01 (CSF 2.0): network integrity, segmentation and protection of environments from unauthorized logical access |
| GDPR | Art. 32(1)(b) (confidentiality safeguards) |
C-003 - Logging, Monitoring & Detection
Description
Controls ensuring system visibility, detection capability, and auditability.
Mitigated Risks
- R-008 - Logging and detection blind spots
- R-003 - Compromise of administrative access path (detection gap)
Framework Alignment
| Framework | Reference |
|---|---|
| ISO 27001:2022 | A.8.15 Logging, A.8.16 Monitoring activities, A.8.17 Clock synchronization (for reliable audit trails) |
| NIST CSF | DE.CM Continuous Monitoring, DE.AE Adverse Event Analysis (same category codes in CSF 1.1 and 2.0) |
| GDPR | Art. 32(1)(b) (integrity and availability of processing systems), Art. 32(1)(d) (regular testing and evaluation of measures) |
C-004 - CI/CD & Supply Chain Security
Description
Controls protecting automation pipelines, deployments, and code integrity.
Mitigated Risks
- R-009 - CI/CD pipeline compromise
- R-005 - Credential theft and privilege escalation
- R-001 - Service co-location and weak isolation risk (cross-service compromise via the deployment chain)
Framework Alignment
| Framework | Reference |
|---|---|
| ISO 27001:2022 | A.8.32 Change management, A.8.25 Secure development life cycle, A.8.28 Secure coding, A.8.29 Security testing in development and acceptance, A.5.21 Managing information security in the ICT supply chain |
| NIST CSF | PR.IP and ID.SC (CSF 1.1) / PR.PS Platform Security and GV.SC Cybersecurity Supply Chain Risk Management (CSF 2.0) |
| GDPR | Art. 32(1)(b) (integrity of processing systems) |
C-005 - Backup & Recovery Controls
Description
Controls ensuring data resilience, recovery capability, and backup integrity.
Mitigated Risks
- R-004 - Backup integrity or availability failure
Framework Alignment
| Framework | Reference |
|---|---|
| ISO 27001:2022 | A.8.13 Information backup |
| NIST CSF | RC.RP Recovery Planning (CSF 1.1 and 2.0); PR.IP-4 (CSF 1.1) / PR.DS-11 (CSF 2.0) for backups being created, protected and tested |
| GDPR | Art. 32(1)(b) (availability and resilience), Art. 32(1)(c) (timely restoration of availability and access to personal data) |
C-006 - Web Application Security Controls
Description
Controls protecting exposed applications against common web vulnerabilities.
Mitigated Risks
- R-007 - Web application compromise (RCE / SQLi)
- R-010 - Data exfiltration from business applications
- R-002 - Network misconfiguration exposing internal services (application-level exposure)
Framework Alignment
| Framework | Reference |
|---|---|
| ISO 27001:2022 | A.8.26 Application security requirements, A.8.28 Secure coding, A.8.29 Security testing in development and acceptance, A.8.9 Configuration management |
| NIST CSF | PR.IP and PR.DS (CSF 1.1) / PR.PS Platform Security and PR.DS Data Security (CSF 2.0) |
| GDPR | Art. 32(1)(b) (confidentiality of processing systems) |
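The traceability goal stated under Purpose (every registered risk is owned by at least one control, every control cites only risks that exist) is mechanically checkable. The script below is an added example, not part of the Scheol Security Lab documentation: the control-to-risk links are transcribed from the six domains above, while the risk register is reconstructed from the risk IDs this page cites and is therefore an assumption about the real register rather than a copy of it. It reports uncovered risks, dangling references, and risks that depend on a single control domain, and then simulates retiring C-005 and deleting R-004 to show how each gap surfaces.

```python
"""Traceability checks over a control-to-risk mapping.

Added example, not part of the Scheol Security Lab documentation. CONTROLS is
transcribed from the Control Mapping page; RISK_REGISTER is reconstructed from
the risk IDs that page cites (an assumption about the real register).
"""
from collections import defaultdict

# Risk register reconstructed from the references on the mapping page (assumption).
RISK_REGISTER = {
    "R-001": "Service co-location and weak isolation risk",
    "R-002": "Network misconfiguration exposing internal services",
    "R-003": "Compromise of administrative access path",
    "R-004": "Backup integrity or availability failure",
    "R-005": "Credential theft and privilege escalation",
    "R-006": "Identity system compromise (AD/LDAP)",
    "R-007": "Web application compromise",
    "R-008": "Logging and detection blind spots",
    "R-009": "CI/CD pipeline compromise",
    "R-010": "Data exfiltration from business applications",
}

# Control domains and the risks each one claims to mitigate, as mapped on the page.
CONTROLS = {
    "C-001": {"name": "Identity & Access Control", "risks": ["R-003", "R-005", "R-006"]},
    "C-002": {"name": "Network Segmentation & Exposure Control", "risks": ["R-001", "R-002", "R-007"]},
    "C-003": {"name": "Logging, Monitoring & Detection", "risks": ["R-008", "R-003"]},
    "C-004": {"name": "CI/CD & Supply Chain Security", "risks": ["R-009", "R-005", "R-001"]},
    "C-005": {"name": "Backup & Recovery Controls", "risks": ["R-004"]},
    "C-006": {"name": "Web Application Security Controls", "risks": ["R-007", "R-010", "R-002"]},
}


def coverage(register, controls):
    """Map every registered risk ID to the sorted list of control IDs citing it."""
    cited_by = defaultdict(list)
    for control_id, control in controls.items():
        for risk_id in control["risks"]:
            cited_by[risk_id].append(control_id)
    return {risk_id: sorted(cited_by.get(risk_id, [])) for risk_id in register}


def uncovered_risks(register, controls):
    """Registered risks that no control claims to mitigate (a traceability gap)."""
    return sorted(r for r, cs in coverage(register, controls).items() if not cs)


def dangling_references(register, controls):
    """(control, risk) pairs where the cited risk ID is not in the register."""
    return sorted((c, r) for c, ctl in controls.items()
                  for r in ctl["risks"] if r not in register)


def single_control_risks(register, controls):
    """Risks relying on exactly one control domain: candidates for a second layer."""
    return sorted(r for r, cs in coverage(register, controls).items() if len(cs) == 1)


def traceability_report(register, controls):
    """Bundle the three checks into one structure suitable for an audit note."""
    return {
        "uncovered": uncovered_risks(register, controls),
        "dangling": dangling_references(register, controls),
        "single_control": single_control_risks(register, controls),
    }


if __name__ == "__main__":
    print(traceability_report(RISK_REGISTER, CONTROLS))
    # Simulate retiring C-005: R-004 loses its only mitigating control.
    without_c005 = {k: v for k, v in CONTROLS.items() if k != "C-005"}
    print("uncovered after retiring C-005:", uncovered_risks(RISK_REGISTER, without_c005))
    # Simulate deleting R-004 from the register while C-005 still cites it.
    register_minus_r004 = {k: v for k, v in RISK_REGISTER.items() if k != "R-004"}
    print("dangling after deleting R-004:", dangling_references(register_minus_r004, CONTROLS))
```

On the mapping as written, no risk is uncovered and no reference dangles, but five risks (R-004, R-006, R-008, R-009, R-010) rest on a single control domain; that list is the natural input for the "finer mapping to sub-controls" item in the next phase. Keeping the register and the mapping in files that a CI job feeds into these checks is one concrete form of the evidence-backed validation planned below.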
Current Maturity
Established
- stable control domains aligned with risk register
- consistent mapping structure
- clear separation of control responsibilities
In Progress
- refinement of technical control implementation detail
- improvement of monitoring/evidence linkage
- better granularity for identity and logging controls
Planned / Next Phase
- evidence-backed control validation (to be used in Validation & Monitoring)
- finer mapping to sub-controls (where relevant)
- expansion of CI/CD and identity hardening depth