Open adammontville opened 5 years ago
M1 = Given a set of configuration recommendations for approved software, including OS
M2 = Given an inventory of approved software, including OS
M3 = Given a repository of assessment results
Benchmark Coverage (0-1) = M1/M2
Can calculate Assessment Coverage based on Benchmark Coverage and assessment results in the repository
We discussed 5.1 and 5.2 in parallel. Essentially what we described was that every secure configuration in 5.1 should map to at least one image in 5.2, and that an image in 5.2 could have multiple secure configurations from 5.1 mapped to it. Then, any particular machine would have a single image mapped to it, but a single image could be mapped to many machines.
Rough proposal:
Input1) Authorized software list (see Control 2)
Input2) List of enterprise security configuration standards
Test1) Set calculation - intersection (M1), left (M2), right (M3)
M1: Intersection of Input1 and Input2 (1:1 mapping - good)
M2: Authorized software without configuration standard (left of the set calculation)
M3: Enterprise security configuration standards for unauthorized software (right of the set calculation)
M4: Count of authorized software
Metric(s):
Percentage Coverage: (M4 - M2) / M4
Optional: Might consider feeding M3 back into software inventory in some way - M3 greater than zero may indicate that unauthorized software existed at some point in time?
This works for me
Should we consider use of Venn diagrams here? Perhaps... (See Zack?)
Accepted at 6/12 meeting
Maintain documented, standard security configuration standards for all authorized operating systems and software.
Measures
Metrics/KEI
None provided
This doesn't have to be manual. Imagine interrogating CIS-CAT for the set of benchmarks/policies it contains and comparing that against the known list of approved software.
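The set calculation from the rough proposal (M1 intersection, M2 left-only, M3 right-only, M4 count, Percentage Coverage = (M4 - M2) / M4) and the automated comparison suggested in the last comment, worked through as an added example. This is not code from the issue, from CIS or from CIS-CAT: the authorized-software inventory, the list of configuration standards and the host names are constructed sample data, and the keying by (product, version) is an assumption about how the two inputs would be normalised before comparison. It also computes which machines end up running software with no standard, following the image-to-machine mapping discussed above, and lists M3 items for review.

```python
"""Set-based coverage of configuration standards over authorized software.

Added example for this thread; not code from the issue or from CIS/CIS-CAT.
All inputs below are constructed sample data (assumptions), standing in for
a Control 2 inventory and for the benchmark/policy list one might pull from
CIS-CAT.
"""

# Constructed authorized-software inventory (Control 2 output), keyed by
# (product, version) so that a standard for one version is not counted as
# covering another. Values: the machines the software is deployed on.
AUTHORIZED_SOFTWARE = {
    ("ubuntu-linux", "22.04"): {"web01", "web02"},
    ("windows-server", "2022"): {"dc01"},
    ("apache-httpd", "2.4"): {"web01", "web02"},
    ("postgresql", "15"): {"db01"},            # no standard maintained for it
}

# Constructed list of enterprise configuration standards, keyed the same way.
CONFIG_STANDARDS = {
    ("ubuntu-linux", "22.04"): "Ubuntu 22.04 hardening standard v3",
    ("windows-server", "2022"): "Windows Server 2022 hardening standard v2",
    ("apache-httpd", "2.4"): "Apache 2.4 hardening standard v1",
    ("mysql", "8.0"): "MySQL 8.0 hardening standard v1",   # not in inventory
}


def coverage_metrics(authorized, standards):
    """Return M1..M4 and Percentage Coverage as defined in the proposal.

    M1: authorized software that has a standard (intersection)
    M2: authorized software with no standard (left of the set calculation)
    M3: standards for software that is not authorized (right of the set calculation)
    M4: count of authorized software
    coverage = (M4 - |M2|) / M4, which is the same as |M1| / M4
    """
    auth, std = set(authorized), set(standards)
    m1, m2, m3 = auth & std, auth - std, std - auth
    m4 = len(auth)
    # Empty inventory: report 0 rather than dividing by zero.
    coverage = (m4 - len(m2)) / m4 if m4 else 0.0
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4, "coverage": coverage}


def uncovered_machines(authorized, standards):
    """Machines running at least one authorized product that has no standard.

    A host is only fully covered if every product on it maps to a standard,
    so any host carrying an M2 item is reported.
    """
    hosts = set()
    for key in coverage_metrics(authorized, standards)["M2"]:
        hosts |= authorized[key]
    return hosts


def review_items(authorized, standards):
    """M3 items for follow-up: a standard exists for software that is not
    (or is no longer) authorized, which may mean it was installed at some
    point or that the standard is stale."""
    m3 = coverage_metrics(authorized, standards)["M3"]
    return sorted(
        f"{standards[k]} ({k[0]} {k[1]}): not in authorized inventory" for k in m3
    )


if __name__ == "__main__":
    m = coverage_metrics(AUTHORIZED_SOFTWARE, CONFIG_STANDARDS)
    print(f"M4={m['M4']}  M1={len(m['M1'])}  M2={sorted(m['M2'])}")
    print(f"Percentage Coverage: {m['coverage']:.0%}")
    print("Hosts with unstandardised software:",
          sorted(uncovered_machines(AUTHORIZED_SOFTWARE, CONFIG_STANDARDS)))
    for line in review_items(AUTHORIZED_SOFTWARE, CONFIG_STANDARDS):
        print("Review:", line)
```

With the constructed data, three of four authorized products have a standard (75 % coverage), db01 is the only host left without one, and the MySQL standard surfaces as an M3 item to feed back into the inventory check. The one thing the automation does not remove is the normalisation step: the comparison is only as good as the agreement between how the inventory names a product/version and how the benchmark catalogue names it.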