Jim Hietala, CISSP, GSEC, is Research Director and a
principal of Compliance Research Group,
providing research, analysis, and consulting services in the areas of
compliance, risk management, and IT security. He is also the Vice President,
Security for The Open Group, where he manages all security and risk management
programs and standards activities.
Jim has provided research and consulting services to
organizations such as SANS, The Open Group, and a number of IT security and
compliance vendors. He is a frequent speaker at industry conferences, and he
recently authored a comprehensive course on IT risk management. He participates
in the SANS Analyst/Expert program, having written several research whitepapers
and participated in several webcasts for SANS. He has also published
numerous articles on information security, risk management, and compliance
topics in publications including The ISSA Journal, Bank Accounting &
Finance, Risk Factor, SC Magazine, and others.
An industry veteran, he has held leadership roles at
ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric
Network, and Digital Pathways. He developed and launched the industry’s first
remote access VPN service (Concentric RemoteLink) and encrypting ISDN router
(at Network Express), and launched a compliance and risk management software
start-up in the IT-GRC market.
He holds a B.S. in Marketing from Southern Illinois
University.
Blog: www.compliancefocus.com
Twitter: http://twitter.com/jim_hietala
LinkedIn: http://www.linkedin.com/in/jimhietala
Blogging focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com
A relatively new development in the IT-GRC world is a protocol developed by NIST, known as SCAP. SCAP stands for Security Content Automation Protocol. According to NIST …“SCAP is a suite of selected open standards that enumerate software flaws, security related configuration issues, and product names; measure systems to determine the presence of vulnerabilities; and provide mechanisms to rank (score) the results of these measurements in order to evaluate the impact of the discovered security issues.”
More than a low-level protocol, SCAP is a collection of related standards, that, taken together, facilitate both data gathering and scoring or ranking of vulnerabilities and risks.
· Common Vulnerabilities and Exposures (CVE®)
· Common Configuration Enumeration (CCE™)
· Common Platform Enumeration (CPE™)
· Common Vulnerability Scoring System (CVSS)
· Extensible Configuration Checklist Description Format (XCCDF)
· Open Vulnerability and Assessment Language (OVAL™)
To date, support for SCAP is being delivered by just a few vendors, including Secure Elements, Gideon Technologies, and Threat Guard (all are shipping certified SCAP compliant products.) Many more vendors are working on supporting SCAP.
The US federal government (Office of Management and Budget) is helping to accelerate support and adoption by mandating to federal CIO’s that "Information technology providers must use S-CAP validated tools, as they become available, to certify their products do not alter these configurations, and agencies must use these tools when monitoring use of these configurations."
Usage of SCAP can help to answer questions like:
“What do the configurations of my IT assets look like right now, and how close are they to known good/secure system configurations?”
“What vulnerabilities exist in my environment that I need to be worried about?”
The SCAP protocol, when fully embraced by vendors of asset management systems, security management systems, and IT-GRC tools, will enable automated data gathering that will greatly easy risk management, compliance management, and security operations. For the IT-GRC crowd in particular, SCAP can help move towards a more automated collection of the information used to measure IT risk and compliance, which will be very good news.