Open aaronlippold opened 6 years ago
@aaronlippold Yes, I agree, but the CIS Benchmark has just the two things: scored and not scored. That is the reason why I did just impact 0 and 1. Do you have any proposals?
@atomic111 @rx294 My team and I just had a conversation about this with respect to the cis-aws-foundations-benchmark. My thinking was with respect to the goal or intention of the impact in an InSpec control and CIS; we think that the intention of impact would be best served with:

- `impact: 0`
- `impact: .4` (roughly a 'low')
- `impact: .7` (roughly a 'high')

However, I think that in general we want to keep away from 1 and 0 cases as they should be reserved for special processing cases.

For example, in our work, when a control is 'Not Applicable' in a security control selection sense or a control is 'Inherited' (the operational responsibility of some other group or system), we "override" the base control with `impact: 0` and change the `description:` to be the justification for the change.

For `impact: 1`, this would be a 'critical' control that is a hard stop for the system under evaluation.
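The convention described in the comment above, as an added example that is not code from the issue thread or from the InSpec project: impact values are bucketed (0 reserved for Not Applicable / Inherited, 1 reserved for critical hard stops, fractional values for low/medium/high), and an overlay overrides a base control to impact 0 with the justification in its description. The exact cut points between the low, medium and high buckets, the `Control` struct, and the sample control ids are assumptions for illustration.

```ruby
# Bucket an InSpec-style impact value (0.0..1.0) using the convention from the
# thread. Cut points between low/medium/high are an assumption for illustration.
def impact_bucket(impact)
  raise ArgumentError, "impact must be 0.0..1.0" unless (0.0..1.0).cover?(impact)
  return :not_applicable if impact.zero?   # reserved: NA or inherited
  return :critical if impact == 1.0         # reserved: hard stop
  return :low if impact <= 0.4
  return :medium if impact < 0.7
  :high
end

# Minimal model of a control as it appears in a profile (hypothetical struct).
Control = Struct.new(:id, :impact, :desc, keyword_init: true)

# Overlay override: keep the id, set impact to 0 and replace the description
# with the justification, as the comment describes.
def override_control(control, reason:, justification:)
  unless %i[not_applicable inherited].include?(reason)
    raise ArgumentError, "reason must be :not_applicable or :inherited"
  end
  Control.new(id: control.id, impact: 0.0,
              desc: "#{reason.to_s.tr('_', ' ').upcase}: #{justification}")
end

# Apply a hash of overrides (id => {reason:, justification:}) to a base profile.
def overlay_profile(base, overrides)
  base.map { |c| overrides.key?(c.id) ? override_control(c, **overrides[c.id]) : c }
end

# A failing control is a hard stop only when it sits in the reserved 1.0 bucket.
def hard_stop?(control, passed)
  !passed && impact_bucket(control.impact) == :critical
end

# Constructed sample profile; ids and descriptions are not real benchmark controls.
BASE = [
  Control.new(id: "sample-1.1", impact: 1.0, desc: "Critical baseline control"),
  Control.new(id: "sample-1.2", impact: 0.7, desc: "High-impact control"),
  Control.new(id: "sample-2.1", impact: 0.4, desc: "Low-impact control"),
].freeze

if __FILE__ == $PROGRAM_NAME
  overlaid = overlay_profile(BASE, {
    "sample-1.2" => { reason: :inherited, justification: "Managed by the network team" },
  })
  overlaid.each do |c|
    puts "#{c.id} impact=#{c.impact} bucket=#{impact_bucket(c.impact)} desc=#{c.desc}"
  end
end
```

Running the block prints each control with its bucket; the inherited control comes out as `impact=0.0 bucket=not_applicable` with the justification as its description, while the 1.0 control remains the only one `hard_stop?` treats as a stop.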
@aaronlippold Thanks for the input, but the score should be level 1 == impact 1, because those are the basics and level 2 is a nice add-on.
Thinking out loud
We should look at making them go into at least 2 or 3 buckets? .3 .5 .9 would make sense to me but if they are all 0.0 and 1.0 then it doesn't really tell me anything right?
Further, in the operational setting, the data points 0 and 1 are usually reserved for the extreme cases, i.e. Not Important / Ignore and "Totally Critical - remove the system from the network". If this isn't the case, again, those values start to lose any meaning and will be ignored.