From: <Kent_Landfield@McAfee.com>
To: <amontville@tripwire.com>, <scap_interest@ietf.org>
Date: Tue, 14 Feb 2012 15:47:29 -0600
Message-ID: <CB602F34.2C555%kent_landfield@mcafee.com>
In-Reply-To: <CB600D8F.9218%amontville@tripwire.com>
Subject: Re: [scap_interest] Just throwing this out there: Compliance Frameworks

Adam,

I agree that an effort such as this has great potential.  Think of the content authors today. They use XML editors or internally developed tools to create OVAL to do the compliance checking.  This is very time-consuming and very costly, while limiting the available checks and benchmarks.

If there were a means where all regulations and security policies could be universally mapped, and the specifics around them, based on individual platforms, were also attached to each unified record, it is possible to auto-generate not just the benchmarks but the individual checks.  Some of this research has been successful in the past.  This is doable. The problem has been that there is not an authoritative source for that data.

Today too many people are manually writing content that could be auto-generated from a database with the right schema and software.  The problem, though, is as much on the front end as it is on the generation side.  Someone needs to maintain that information or have an infrastructure put in place where guidance authors for regulations or security policies can update their information in the shared datastore.

I think this is one of the missing pieces, and it may be useful to have a discussion with interested parties, but you would need to include participants from the two efforts mentioned below.

Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: +1.972.963.7096
Mobile: +1.817.637.8026
Web: http://www.mcafee.com/

From: Adam Montville <amontville@tripwire.com>
Date: Tue, 14 Feb 2012 15:09:34 -0600
To: scap_interest@ietf.org
Subject: [scap_interest] Just throwing this out there: Compliance Frameworks

All,

I had a brief discussion with several members of this list with respect to compliance frameworks, which met some resistance.  Still, I think presenting the idea to a larger audience to solicit feedback is a good idea.

From an automation perspective, it seems that some method of being able to map benchmark-level tests to some higher level policy representation may be warranted.  At the end of the day, we perform assessments to ensure that we are in a secure state – to be compliant with a particular set of policies.

Is there any interest in being able to represent a compliance framework with either a new specification or potentially revitalizing and extending an existing specification (CCI: http://iase.disa.mil/stigs/cci.html), or to simply rely upon any existing commercial efforts, such as UCF (https://www.unifiedcompliance.com)?

Or, is this type of representation simply not needed – there's enough there, the present demand doesn't justify the work, or something else?

Thoughts?

Regards,

Adam W. Montville | Security and Compliance Architect

Direct: 503 276-7661
Mobile: 360 471-7815

TRIPWIRE | Take CONTROL
http://www.tripwire.com

_______________________________________________
scap_interest mailing list
scap_interest@ietf.org
https://www.ietf.org/mailman/listinfo/scap_interest


