We've discussed this some previously, but it might be worthwhile for us to codify it. This includes concepts like:
1) Should we be checking that the Sub-Control itself is implemented, or checking for the effects of that Sub-Control having been implemented?
2) A closely related question is - should we check for a particular configuration, or should we perform more involved or active testing to verify the results?
One idea that was floated was the concept of different levels of measurement - that is Level 1 is performing the more basic check to see if the Sub-Control itself has been implemented (often a configuration check), while a higher order Level 2 check could be the more complex checks (active testing, etc.) to measure the security benefit of that configuration, etc.
Since those discussions, that's generally how I've been trying to write proposals - focusing on the Level 1 configuration checks whenever possible (whenever the Sub-Control lends itself to such a check).
Is this indeed what we've decided on? And, whatever we decide on this, we should consider making this part of our standardization review at the end to ensure that we're adhering to it. (Also, a reminder - Tony indicated a while back that he would be happy to discuss guiding principles for CAS with us).
We've discussed this some previously, but it might be worthwhile for us to codify it. This includes concepts like: 1) Should we be checking that the Sub-Control itself is implemented, or checking for the effects of that Sub-Control having been implemented? 2) A closely related question is - should we check for a particular configuration, or should we perform more involved or active testing to verify the results?
One idea that was floated was the concept of different levels of measurement - that is Level 1 is performing the more basic check to see if the Sub-Control itself has been implemented (often a configuration check), while a higher order Level 2 check could be the more complex checks (active testing, etc.) to measure the security benefit of that configuration, etc.
Since those discussions, that's generally how I've been trying to write proposals - focusing on the Level 1 configuration checks whenever possible (whenever the Sub-Control lends itself to such a check).
Is this indeed what we've decided on? And, whatever we decide on this, we should consider making this part of our standardization review at the end to ensure that we're adhering to it. (Also, a reminder - Tony indicated a while back that he would be happy to discuss guiding principles for CAS with us).