cybersecurity

3231 readers

1 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

Enjoy!

founded 1 year ago

MODERATORS

shellsharks@infosec.pub

tweedge@infosec.pub

Security Control Frameworks (infosec.pub)

submitted 10 months ago by MSgtRedFox@infosec.pub to c/cybersecurity@infosec.pub

2 comments fedilink hide all child comments

cross-posted from: https://infosec.pub/post/6671372

I'm not a vendor, I'm just curious what experience people have with implementing security control frameworks?

DOD uses DISA STIGs. Else uses CIS benchmarks, or self developed based of NIST CSF?

To what degree is your organization using any of these?

Are they enforced? Monitored?

Using any vendor solutions that don't suck?

Does anyone care except you (hopefully 😉)

top 2 comments

sorted by: hot top controversial new old

[–] jaredj@infosec.pub 1 points 9 months ago (1 children)

They are made (I think) to be implementable - even, to give implementors some flexibility. Then everybody goes and buys a tool to do it, and not that well. I thought 15 years ago that security configuration was a (voluminous) subset of system configuration and system administration, ripe for automation and rigorous documentation - not something to pay a different vendor for. But the market says otherwise. When you can split some work across a whole team, or even into a separate company, instead of glomming it into one job, that's worth money to businesspeople.

[–] MSgtRedFox@infosec.pub 2 points 9 months ago

Agreed. There is SCAP, but it only covers some, and it's STIG/federal based.