David Ramirez, CISA, CISM, BS7799 LA, CISSP, MCSE, QSA
I had the pleasure of attending the 6th Annual IT Security Automation Conference at the end of September 2010; it was very interesting to see how the Information Security Automation Program (ISAP) framework is being enhanced by including Open Checklist Interactive Language (OCIL) as well as planned updates to Security Content Automation Protocol (SCAP) and Open Vulnerability and Assessment Language (OVAL).
OCIL is an interesting addition to the framework because it provides a mechanism to manage compliance against non-automated controls, which, at the moment, are a challenge. Each organisation has a different mix of automated and non-automated controls, and the percentages of the two vary. However, there tends to be a balance between the two, and in many cases only 40-45 percent of the controls are automated. This leaves almost half of the controls unmeasurable using OVAL and creates the need for a mechanism to collect information on controls such as re-validation of user IDs, incident investigations, analysis of change requests and disaster recovery testing. OCIL provides a framework for collecting that information in a consistent way and can help large organisations achieve consistency across all business units.
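To make the OCIL mechanism concrete, here is an added example (not code from the conference, from NIST, or from the original post) that evaluates a small questionnaire of the kind described above. The XML is a constructed document that follows the OCIL 2.0 element names as I understand them (`questionnaire`, `test_action_ref`, `boolean_question_test_action`, `choice_question_test_action`, `when_true`/`when_false`/`when_choice`); treat that structure, the `ocil:example:*` identifiers and the AND-style aggregation as assumptions rather than a reference implementation. Questions that were never answered are reported as NOT_TESTED rather than silently counted as FAIL, which is the edge case that matters when evidence is collected across many business units.

```python
"""Evaluate a constructed OCIL 2.0-style questionnaire against recorded answers."""
import xml.etree.ElementTree as ET

NS = {"ocil": "http://scap.nist.gov/schema/ocil/2.0"}

# Constructed questionnaire covering three non-automated controls named in the
# post: user ID revalidation, incident investigation and DR testing.
OCIL_DOC = """<ocil xmlns="http://scap.nist.gov/schema/ocil/2.0">
  <generator><schema_version>2.0</schema_version><timestamp>2010-10-01T00:00:00</timestamp></generator>
  <questionnaires>
    <questionnaire id="ocil:example:questionnaire:1">
      <title>Quarterly evidence for non-automated controls</title>
      <actions>
        <test_action_ref>ocil:example:testaction:1</test_action_ref>
        <test_action_ref>ocil:example:testaction:2</test_action_ref>
        <test_action_ref>ocil:example:testaction:3</test_action_ref>
      </actions>
    </questionnaire>
  </questionnaires>
  <test_actions>
    <boolean_question_test_action id="ocil:example:testaction:1" question_ref="ocil:example:question:1">
      <when_true><result>PASS</result></when_true><when_false><result>FAIL</result></when_false>
    </boolean_question_test_action>
    <boolean_question_test_action id="ocil:example:testaction:2" question_ref="ocil:example:question:2">
      <when_true><result>PASS</result></when_true><when_false><result>FAIL</result></when_false>
    </boolean_question_test_action>
    <choice_question_test_action id="ocil:example:testaction:3" question_ref="ocil:example:question:3">
      <when_choice><result>PASS</result><choice_ref>ocil:example:choice:1</choice_ref></when_choice>
      <when_choice><result>FAIL</result><choice_ref>ocil:example:choice:2</choice_ref>
                   <choice_ref>ocil:example:choice:3</choice_ref></when_choice>
    </choice_question_test_action>
  </test_actions>
  <questions>
    <boolean_question id="ocil:example:question:1">
      <question_text>Has the quarterly revalidation of user IDs been completed and signed off?</question_text>
    </boolean_question>
    <boolean_question id="ocil:example:question:2">
      <question_text>Were all security incidents this quarter investigated and documented?</question_text>
    </boolean_question>
    <choice_question id="ocil:example:question:3">
      <question_text>What was the outcome of the last disaster recovery test?</question_text>
      <choice id="ocil:example:choice:1">All critical systems recovered within target</choice>
      <choice id="ocil:example:choice:2">Partial recovery</choice>
      <choice id="ocil:example:choice:3">Test not performed</choice>
    </choice_question>
  </questions>
</ocil>"""


def _evaluate_action(action, answer):
    """Map one recorded answer through a test action to an OCIL result string."""
    if answer is None:
        return "NOT_TESTED"  # no evidence recorded: distinct from a failed control
    local = action.tag.split("}")[1]
    if local == "boolean_question_test_action":
        branch = "when_true" if answer else "when_false"
        node = action.find("ocil:%s/ocil:result" % branch, NS)
    elif local == "choice_question_test_action":
        node = None
        for wc in action.findall("ocil:when_choice", NS):
            refs = [c.text for c in wc.findall("ocil:choice_ref", NS)]
            if answer in refs:
                node = wc.find("ocil:result", NS)
                break
    else:
        return "UNKNOWN"
    return node.text.strip() if node is not None else "UNKNOWN"


def _aggregate(results):
    """AND-style roll-up (assumed): any FAIL fails, otherwise the weakest state wins."""
    results = list(results)
    if "FAIL" in results:
        return "FAIL"
    for state in ("ERROR", "UNKNOWN", "NOT_TESTED"):
        if state in results:
            return state
    return "PASS" if results else "NOT_TESTED"


def evaluate(xml_text, answers):
    """Return {questionnaire_id: {"result": str, "questions": {question_id: str}}}.

    answers maps a question id to True/False (boolean questions) or to the
    chosen choice id (choice questions); missing keys are treated as unanswered.
    """
    root = ET.fromstring(xml_text)
    actions = {ta.get("id"): ta for ta in root.find("ocil:test_actions", NS)}
    report = {}
    for qn in root.find("ocil:questionnaires", NS).findall("ocil:questionnaire", NS):
        per_question = {}
        for ref in qn.find("ocil:actions", NS).findall("ocil:test_action_ref", NS):
            action = actions[ref.text.strip()]
            qid = action.get("question_ref")
            per_question[qid] = _evaluate_action(action, answers.get(qid))
        report[qn.get("id")] = {"result": _aggregate(per_question.values()),
                                "questions": per_question}
    return report


if __name__ == "__main__":
    # Constructed answers from one business unit: DR test was only partial.
    answers = {"ocil:example:question:1": True,
               "ocil:example:question:2": True,
               "ocil:example:question:3": "ocil:example:choice:2"}
    print(evaluate(OCIL_DOC, answers))
```

Because every business unit answers the same question ids and the same test actions decide the result, the roll-up is comparable across units, which is the consistency benefit the post attributes to OCIL.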
Sessions at the conference included very interesting demonstrations of SCAP/OVAL products, and it was good to see a live example of how current tools can be used for compliance validation on Windows boxes.
The overall message was that the framework exists and is stable; however, SCAP checklists are not yet available for all operating systems. The National Vulnerability Database offers SCAP checklists for several types of Windows products and also for Red Hat Linux, and, based on comments from presenters, some networking SCAP checklists may be released in the near future.