open security controls
play

Open Security Controls Assessment Language (OSCAL) Lunch with the - PowerPoint PPT Presentation

Feb 15, 2023 •276 likes •427 views

Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David Waltermire National Institute of Standards and Technology Teleconference Overview 2 Ground Rules OSCAL Status Summary (5 minutes) Issues

  1. Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David Waltermire National Institute of Standards and Technology

  2. Teleconference Overview 2  Ground Rules  OSCAL Status Summary (5 minutes)  Issues Needing Help from the Community  Question and Answer / Discussion  Submitted questions will be discussed  The floor will be open for new questions and live discussion

  3. OSCAL Lunch with the Developers 3 Purpose:  Facilitate an open, ongoing dialog with the OSCAL developer and user communities to promote increased use of the OSCAL models Goals:  Provide up-to-date status of the OSCAL project development activities  Answer questions about implementing and using the OSCAL models, and around development of OSCAL model-based content  Review development priorities and adjust priorities based on community input  Help the OSCAL community identify development needs

  4. Ground Rules 4  Keep the discussion respectful  Using welcoming and inclusive language  Being respectful of differing viewpoints and experiences  Gracefully accepting constructive criticism  Focusing on what is best for the community  Wait for one speaker to finish before speaking - one speaker at a time  Speak from your own experience instead of generalizing ("I" instead of "they," "we," and "you").  Do not be afraid to respectfully challenge one another by asking questions -- focus on ideas.  The goal is not to always to agree -- it is to gain a deeper understanding.

  5. OSCAL Version 1 Milestones 5 Milestone Focus Sprints Status Date Milestone 1 Catalog and Profile Models 1 to 21 Completed 6/15/2019 Milestone 2 System Security Plan (SSP) Model 6 to 23 Completed 10/1/2019 Milestone 3 Component Definition Model 6 to ~28 In Progress ~May 2020 Full Release Development of a web-based 24 to ~33 In Progress August 2020 specification Ongoing Minor and bugfix releases as Additional Planned Ongoing Maintenance needed Sprints Current Sprint: 28 (https://github.com/usnistgov/OSCAL/projects/27)

  6. Review of Current/Completed Work 6 On Github: https://github.com/usnistgov/OSCAL

  7. Other Development Efforts: 7 Java Code Generation A tool that generates Java classes and  Metaschema serializers/deserializers based on a Metaschema definitions Generated code can read/write valid  XML, JSON, and YAML content based on Code Generator Metaschema generated XML and JSON schema Reading and writing XML, JSON and  YAML now working Generated Java Classes Working on a Maven plugin to auto  generate code Will be used to create an OSCAL Java  library https://github.com/david-waltermire- nist/metaschema/tree/java- metaschema/toolchains/java XML JSON YAML

  8. Other Development Efforts 8 Developing XSL templates that generate:  SP 800-53 style control listing in HTML and PDF  An SSP based on a SP 800-18 template in HTML and PDF Developing OSCAL Command Line Tools  Validation and conversion of OSCAL content  Comparison of OSCAL content (e.g., SP 800-53 rev4 vs rev5)

  9. Help Needed 9 Please review pull requests and comment on issues you are interested in.

  10. Discussion 10 Goals:  Establish a robust, engaged OSCAL development community. Enable the community to assist other community members.  Promote adoption of the OSCAL data formats in GRC and assessment tooling. What barriers can we break down to promote these goals? Are there other things we should be focusing on?

  11. Open Floor 11 What would you like to discuss? What questions do you have?

  12. Thank you 12 OSCAL Repository: https://github.com/usnistgov/OSCAL Next Lunch with Devs: Project Website: April 9, 2020 https://www.nist.gov/oscal 12:00 Noon EST (5:00 PM UTC) How to Contribute: https://pages.nist.gov/OSCAL/contribute/ Contact Us: oscal@nist.gov

  13. Backup Slides 13

  14. OSCAL Layers & Models 14 OSCAL is architected in layers  The lowest layer is foundational  Each higher layer builds on Assessment Planned Results layer(s) below it Layer Building up from foundation Assessment Planned  OSCAL development is following Layer this bottom up approach System Security Plan Model Implementation Allows lower layers to be used,  Layer while higher layers are Component Model developed Lower layers can be enhanced Profile  Profile Model Layer based on high-layer information needs Catalog Ensures that data provided in Catalog Model  Layer lower layers can be used to meet the information needs in higher layers

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IT Security Controls By: Jay Chen What are IT Security Controls? Safeguards or

IT Security Controls By: Jay Chen What are IT Security Controls? Safeguards or

IT Security Controls By: Jay Chen What are IT Security Controls? Safeguards or countermeasures to avoid, detect, counteract, or minimize security risk Types of Controls Preventive Controls (E.g. Password lockout after 5 failed

483 views • 31 slides
IT Security Controls Spring 2020 By: Jay Chen What are Security Controls? A safeguard or

IT Security Controls Spring 2020 By: Jay Chen What are Security Controls? A safeguard or

IT Security Controls Spring 2020 By: Jay Chen What are Security Controls? A safeguard or countermeasure for an information system or an organization designed to protect confidentiality, integrity, and availability of its information and to

605 views • 34 slides
Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David

Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David

Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David Waltermire National Institute of Standards and Technology Teleconference Overview 2 Ground Rules OSCAL Status Summary (5 minutes) Issues

298 views • 10 slides
Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David

Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David

Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David Waltermire National Institute of Standards and Technology Teleconference Overview 2 Ground Rules OSCAL Status Summary (5 minutes) Review

118 views • 9 slides
Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David

Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David

Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David Waltermire National Institute of Standards and Technology Teleconference Overview 2 Ground Rules OSCAL Status Summary (5 minutes) Issues

434 views • 16 slides
Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David

Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David

Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David Waltermire National Institute of Standards and Technology Teleconference Overview 2 Ground Rules OSCAL Status Summary (5 minutes) Issues

404 views • 11 slides
Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing

Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing

Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing gives rest but the sincere search for truth. -Pascal Greetz from Room 101 Kenneth Geers 1984 # Nineteen Eighty-Four (Orwell) # Govt IW vs own

1.03k views • 77 slides
Injecting Security Controls into Software Applications Katy Anton Principal Application Security

Injecting Security Controls into Software Applications Katy Anton Principal Application Security

Injecting Security Controls into Software Applications Katy Anton Principal Application Security Consultant About me Katy Anton Software development background Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls)

599 views • 37 slides
Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings

Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings

Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings September 13, 2006 Boston, MA Stuart Katzke and Keith Stouffer, National Institute of Standards & Technology, Gaithersburg, MD Marshall Abrams, The

460 views • 23 slides
Cyber Security and Export Controls: You Need to Know More Than You Already Do AnnaLisa

Cyber Security and Export Controls: You Need to Know More Than You Already Do AnnaLisa

Cyber Security and Export Controls: You Need to Know More Than You Already Do AnnaLisa Nash Export Control Officer, NDSU Why Should You Care About Export Controls? so you can avoid HERE. When Should You Care? NOW. U.S. export

758 views • 65 slides
Overview Database Security Semantic Integrity Controls Access Control Rules Multilevel

Overview Database Security Semantic Integrity Controls Access Control Rules Multilevel

Overview Database Security Semantic Integrity Controls Access Control Rules Multilevel Secure Databases RBAC in Commercial DBMS Statistical Database Security Simone Fischer-Hbner Applied Security, DAVC17 Relational Database

194 views • 6 slides
Measuring the Performance and Effectiveness of Critical security controls William Makatiani

Measuring the Performance and Effectiveness of Critical security controls William Makatiani

Measuring the Performance and Effectiveness of Critical security controls William Makatiani Name Here About Serianu Limited Serianu is a Pan Africa based Cyber Security and business consulting firm. We are an award winning company in the

759 views • 46 slides
Todays Keys What are IT Controls Basic IT Controls Where to Find Resources What are IT

Todays Keys What are IT Controls Basic IT Controls Where to Find Resources What are IT

Todays Keys What are IT Controls Basic IT Controls Where to Find Resources What are IT Controls Objectives of IT Controls are Interrelated Prevent & Detect Fraud Automate Ensure controls Prevent integrity & accidental

308 views • 16 slides
This audit looked at whether the fraud and corruptjon controls over personnel security are

This audit looked at whether the fraud and corruptjon controls over personnel security are

This audit looked at whether the fraud and corruptjon controls over personnel security are well-designed and operatjng as intended. We examined recruitment practjces for employees, contractors and consultants in the Victorian Public Service, or

255 views • 3 slides
ASCEM Conference Lighting Controls Roundtable Discussion Why do we want lighting controls?

ASCEM Conference Lighting Controls Roundtable Discussion Why do we want lighting controls?

ASCEM Conference Lighting Controls Roundtable Discussion Why do we want lighting controls? Behavior Modification versus lighting controls Implementation and outcomes Typical Controls Keyed Switches Dual switching

973 views • 15 slides
Simulation-based optimization of information security controls: An adversary-centric approach

Simulation-based optimization of information security controls: An adversary-centric approach

Simulation-based optimization of information security controls: An adversary-centric approach Elmar Kiesling, Andreas Ekelhart, Bernhard Grill, Christine Strau, Christian Stummer December 9, 2013; Washington, DC Funded by the Austrian

1.01k views • 88 slides
Apache Buildr in Action A short intro BED 2012 Dr. Halil-Cem Grsoy, adesso AG 29.03.12 About

Apache Buildr in Action A short intro BED 2012 Dr. Halil-Cem Grsoy, adesso AG 29.03.12 About

Apache Buildr in Action A short intro BED 2012 Dr. Halil-Cem Grsoy, adesso AG 29.03.12 About me Round about 12 Years in the IT, Development and Consulting Before that development in research (RNA secondary structures) Software

669 views • 29 slides
Hacking Maven how to add steroids on Maven di Massimiliano Dess InseHacking Maven Abstract

Hacking Maven how to add steroids on Maven di Massimiliano Dess InseHacking Maven Abstract

Hacking Maven how to add steroids on Maven di Massimiliano Dess InseHacking Maven Abstract 30 minutes to illustrate from 30000 ft the ideas applied to turn Maven from a static producer to a rich compiler enabled to reads objects

354 views • 22 slides
Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment

Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment

Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment pain The vision The Octomizer: TVM for everyone 2 Simple, secure, and efficient Drive TVM adoption Expand the set of users who can deployment of

370 views • 14 slides
Advanced Programming Lab 4 Collections and Streams A Collection is a group of individual

Advanced Programming Lab 4 Collections and Streams A Collection is a group of individual

Advanced Programming Lab 4 Collections and Streams A Collection is a group of individual objects (elements) represented as a single unit. A Stream is a sequence of elements supporting sequential and parallel aggregate operations.

266 views • 10 slides
Quicksort algorithm Average case analysis After today, you should be able to implement

Quicksort algorithm Average case analysis After today, you should be able to implement

Quicksort algorithm Average case analysis After today, you should be able to implement quicksort derive the average case runtime of quick sort and similar algorithms

469 views • 17 slides
Teaming Up for Software Development Lus Soares Departamento de Informtica Universidade do

Teaming Up for Software Development Lus Soares Departamento de Informtica Universidade do

Teaming Up for Software Development Lus Soares Departamento de Informtica Universidade do Minho Engenharia de Aplicaes Lus Soares Teaming Up for Software Development Introduction Agenda In the end of the session the attendee

416 views • 28 slides
iRODS@RENCI LeesaBrieger,JasonCoposky,

iRODS@RENCI LeesaBrieger,JasonCoposky,

iRODS@RENCI LeesaBrieger,JasonCoposky, VijayDantuluri,KevinGamiel,RayIdaszak, OlegKapeljushnik,NassibNassar,JasonReilly, MichaelStealey,LisaStillwell iRODSUserMee,ng

298 views • 29 slides
Presentation of Open Simulation Architecture and Open Simulation Instrumentation Framework

Presentation of Open Simulation Architecture and Open Simulation Instrumentation Framework

Presentation of Open Simulation Architecture and Open Simulation Instrumentation Framework Judicael RIBAULT 1 judicael.ribault@sophia.inria.fr 1- MASCOTTE, INRIA, I3S, CNRS, Univ. Nice Sophia, Sophia Antipolis, France COMRED, March 1, 2010 J.

572 views • 30 slides

More recommend