Jim Hietala, GSEC, GCFW and CISSP, is the principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. Jim has provided consulting services to organizations such as SANS, The Open Group Security Forum, Logical Security, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, and others. He holds a B.S. in Marketing from Southern Illinois University. Editorial focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com
A relatively new development in the IT-GRC world is a protocol developed by NIST, known as SCAP. SCAP stands for Security Content Automation Protocol. According to NIST …“SCAP is a suite of selected open standards that enumerate software flaws, security related configuration issues, and product names; measure systems to determine the presence of vulnerabilities; and provide mechanisms to rank (score) the results of these measurements in order to evaluate the impact of the discovered security issues.”
More than a low-level protocol, SCAP is a collection of related standards, that, taken together, facilitate both data gathering and scoring or ranking of vulnerabilities and risks.
· Common Vulnerabilities and Exposures (CVE®)
· Common Configuration Enumeration (CCE™)
· Common Platform Enumeration (CPE™)
· Common Vulnerability Scoring System (CVSS)
· Extensible Configuration Checklist Description Format (XCCDF)
· Open Vulnerability and Assessment Language (OVAL™)
To date, support for SCAP is being delivered by just a few vendors, including Secure Elements, Gideon Technologies, and Threat Guard (all are shipping certified SCAP compliant products.) Many more vendors are working on supporting SCAP.
The US federal government (Office of Management and Budget) is helping to accelerate support and adoption by mandating to federal CIO’s that "Information technology providers must use S-CAP validated tools, as they become available, to certify their products do not alter these configurations, and agencies must use these tools when monitoring use of these configurations."
Usage of SCAP can help to answer questions like:
“What do the configurations of my IT assets look like right now, and how close are they to known good/secure system configurations?”
“What vulnerabilities exist in my environment that I need to be worried about?”
The SCAP protocol, when fully embraced by vendors of asset management systems, security management systems, and IT-GRC tools, will enable automated data gathering that will greatly easy risk management, compliance management, and security operations. For the IT-GRC crowd in particular, SCAP can help move towards a more automated collection of the information used to measure IT risk and compliance, which will be very good news.
Jim Hietala, GSEC, GCFW and CISSP, is the principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. Jim has provided consulting services to organizations such as SANS, The Open Group Security Forum, Logical Security, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, and others. He holds a B.S. in Marketing from Southern Illinois University. Editorial focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com
