Policy, Standards, Regulations & Compliance
Re: Compliance Product Recommendation Jul 27 2007 02:47PM
doug simpson bz (1 replies)
RE: Compliance Product Recommendation Jul 27 2007 04:45PM
Mark Curphey (mark curphey com) (1 replies)
RE: Compliance Product Recommendation Jul 27 2007 05:36PM
ljknews (ljknews mac com)
At 6:45 PM +0200 7/27/07, Mark Curphey wrote:

> Which parts of a standard or regulation (or maybe rephrased what percentage)
> do you think automated tools analyze?

It seems to me that any metrics scheme used to answer this question will
be deceptive. If one were to take a hypothetical statement "No object
shall be accessible to users whose job does not require it" that is about
as small a percentage of its containing standard as possible. But the
amount of work to evaluate that manually is astronomical.

For a slightly more complex statement like "No privileged user shall
use that privilege to violate the principle of separation of duties",
the chances that a user doing the job manually would thoroughly analyze
the audit logs of the past year or even the past month approach zero.

The other sections of standards, dealing with issues not susceptible to
automation, tend to be much more wordy, further skewing metrics based
on text lines in the standard.

Certainly the automated tests will finish "first", accomplished through
efficient use of computer cycles (once you get a tool that works). The
report may be printed before the human-only assessment really gets started.
Of course the humans did a lot up front to configure the automated tool.
And other humans did work to construct the tool.


By "tool" I mean something that actually Examines (800-53A terminology)
the configuration of the computer, rather than something that is just a
more specialized form of a spreadsheet to prompt the human through their

Some assessment tasks can only reasonably be done by tools, some can
only reasonably be done by humans. I have a hard time thinking of
any that could just as readily be done either by a tool or by a human.

Larry Kilgallen

Copyright 2010, SecurityFocus