Wednesday, February 3, 2016

DRAFT Automation Support for Security Control Assessments

Here is a draft release that came out tonight for public review. This is solid. Well-thought out. Really looking forward to where this goes, and I'm going to be following this closely.

\\

**NIST IR 8011: DRAFT Automation Support for Security Control Assessments**
http://csrc.nist.gov/publications/drafts/nistir-8011/nistir_8011_ipd-draft_vol1_overview.pdf

[From Executive Summary]
Evolving threats create a challenge for organizations that design, implement, and operate complex information systems containing many moving parts. The ability to assess all implemented information security controls as frequently as needed using manual procedural methods has become impractical and unrealistic for most organizations due to the sheer size, complexity, and scope of their information technology footprint. Additionally, the rapid deployment of new technologies such as mobile, cloud, and social media brings with it new risks that make ongoing manual procedural assessments of all controls impossible for the vast majority of organizations. Today there is broad agreement in the information security community that once an information system is in production, automation of security control assessments1 is needed to support and facilitate near real-time information security continuous monitoring (ISCM).

[From Introduction]
Automated assessments have the potential to provide more timely data about security control defects (i.e., the absence or failure of a control), better enabling organizations to respond before vulnerabilities are exploited. Additionally, automated security control assessment has the potential to be less expensive and less human resource-intensive than manual procedural testing. Any realized savings could free up resources to be used on other activities, for example, investing in additional safeguards or countermeasures or responding to security defects and incidents in a more timely manner.

[Planned Volumes]
Volume 1 Automation Support for Security Control Assessments
Volume 2 Hardware Asset Management (HWAM)
Volume 3 Software Asset Management (SWAM)
Volume 4 Configuration Settings Management
Volume 5 Vulnerability Management
Volume 6 Boundary Management (Physical, Filters, and Other Boundaries)
Volume 7 Trust Management
Volume 8 Security-Related Behavior Management
Volume 9 Credentials and Authentication Management
Volume 10 Privilege and Account Management
Volume 11 Event (Incident and Contingency) Preparation Management
Volume 12 Anomalous Event Detection Management
Volume 13 Anomalous Event Response and Recovery Management