SESSION ID: GRC-F01
#RSAC
SECURITY AUTOMATION SIMPLIFIED VIA NIST OSCAL: WE’RE NOT IN KANSAS ANYMORE
David Waltermire
Security Automation Architect
National Institute of Standards and Technology (NIST)
Anil Karmel
Co-Founder and CEO
C2 Labs
@anilkarmel
Agenda
We’re not in Kansas anymore
NIST OSCAL: Technical Overview
Where does the yellow brick road lead?
Live Demo
Why does this matter?
Q&A
WE’RE NOT IN KANSAS ANYMORE
Why OSCAL?
Information Technology is complex
Security Vulnerabilities are everywhere
Regulatory Frameworks are burdensome
Risk Management is hard
Documentation is out of date
Major challenges in security controls assessment
Security controls and profiles are represented in proprietary ways
Profile mappings to catalogs are often imprecise, not machine-readable
Systems with many components require different profiles per component
Multi-tenant and mixed ownership of components complicate assessment
A single system may be subject to several regulatory frameworks
Security control assessment is a complex, largely manual process
NIST OPEN SECURITY CONTROLS ASSESSMENT LANGUAGE (OSCAL)
Technical Overview
What is OSCAL?
New “Standard of Standards” normalizing how system security controls and corresponding assessment information are represented:
Standardized: Provide security control, control implementation, and assessment information in an open, standardized way that can be used by both humans and machines
Interoperable: Ensure OSCAL is well-defined so tools using OSCAL information are interoperable and use information consistently
Easy to use: Promote developer adoption of OSCAL so tools are available for organizations to build, customize, and use OSCAL information
Improve the efficiency, accuracy, and consistency of system security assessments.
OSCAL goals
Have OSCAL-enabled tools (existing and new) and OSCAL-formatted content widely available
Have OSCAL use enable:
A large decrease in assessment-related labor
The ability to assess a system’s security much more often, ideally continuously
The ability to assess a system’s compliance with several sets of requirements simultaneously
The consistent performance of assessments, regardless of system type
A note about terminology
OSCAL Term: Meaning
Control: A safeguard or countermeasure designed to satisfy a set of defined security requirements. [based on NIST SP 800-53 definition]
Catalog: A set of security control definitions. Examples include the hundreds of controls in NIST SP 800-53, the 100+ controls in ISO 27002, and the practices in COBIT 5.
Profile: A set of security requirements; also called a baseline or overlay. Examples include the control baselines in NIST SP 800-53, the FedRAMP baselines, and the PCI DSS requirements.
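The catalog/profile relationship above, and the "imprecise, not machine-readable" profile mappings named among the challenges, as an added example that is not part of the slides: a small Python resolver that walks a constructed catalog in the OSCAL 1.0 JSON layout (groups, controls, nested enhancements), selects the controls a profile imports by id, and reports any id the catalog does not define. The sample content and the assumption that the single imported catalog is passed in directly (rather than fetched from the import href) are this example's own.

```python
import json

# Constructed sample in the OSCAL 1.0 JSON layout (catalog groups/controls with nested
# enhancements; profile imports/include-controls/with-ids), trimmed to the fields read here.
CATALOG_JSON = """{"catalog": {"groups": [
  {"id": "ac", "title": "Access Control", "controls": [
    {"id": "ac-1", "title": "Policy and Procedures"},
    {"id": "ac-2", "title": "Account Management", "controls": [
      {"id": "ac-2.1", "title": "Automated System Account Management"}]}]},
  {"id": "au", "title": "Audit and Accountability", "controls": [
    {"id": "au-2", "title": "Event Logging"}]}]}}"""
PROFILE_JSON = """{"profile": {"imports": [
  {"href": "#sample-catalog",
   "include-controls": [{"with-ids": ["ac-2", "ac-2.1", "au-2", "au-99"]}]}]}}"""

def index_controls(catalog):
    """Flatten groups and nested control enhancements into {control-id: control}."""
    found = {}
    def walk(controls):
        for ctl in controls:
            found[ctl["id"]] = ctl
            walk(ctl.get("controls", []))  # enhancements nest under their parent control
    for group in catalog.get("groups", []):
        walk(group.get("controls", []))
    walk(catalog.get("controls", []))  # catalogs may also carry ungrouped controls
    return found

def resolve_profile(profile, catalog):
    """Return (ids the profile selects, in order; ids it names that the catalog lacks).
    Assumes the one catalog the profile imports is passed in; the href is not fetched."""
    index = index_controls(catalog)
    selected, missing = [], []
    for imp in profile.get("imports", []):
        for sel in imp.get("include-controls", []):
            for cid in sel.get("with-ids", []):
                if cid not in index:
                    missing.append(cid)  # imprecise mapping: catalog defines no such control
                elif cid not in selected:
                    selected.append(cid)
    return selected, missing

def resolve_from_json(profile_json, catalog_json):
    return resolve_profile(json.loads(profile_json)["profile"],
                           json.loads(catalog_json)["catalog"])

if __name__ == "__main__":
    chosen, unknown = resolve_from_json(PROFILE_JSON, CATALOG_JSON)
    print("resolved:", chosen, "unresolvable:", unknown)  # ['ac-2', 'ac-2.1', 'au-2'] ['au-99']
```

A non-empty "unresolvable" list is the machine-checkable signal that a baseline points at controls its catalog never defined, which is exactly the mapping error the slides say is hard to catch in proprietary formats.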
This document was uploaded and shared by 思安 on 2022-12-05 09:20:57.