Security Control Frameworks
from MSgtRedFox@infosec.pub to cybersecurity@infosec.pub on 09 Jan 2024 02:19
https://infosec.pub/post/6945268

cross-posted from: infosec.pub/post/6671372

I’m not a vendor, I’m just curious what experience people have with implementing security control frameworks?

DOD uses DISA STIGs. Else uses CIS benchmarks, or self developed based of NIST CSF?

To what degree is your organization using any of these?

Are they enforced? Monitored?

Using any vendor solutions that don’t suck?

Does anyone care except you (hopefully 😉)

#cybersecurity

jaredj@infosec.pub on 19 Jan 2024 02:52 collapse

They are made (I think) to be implementable - even, to give implementors some flexibility. Then everybody goes and buys a tool to do it, and not that well. I thought 15 years ago that security configuration was a (voluminous) subset of system configuration and system administration, ripe for automation and rigorous documentation - not something to pay a different vendor for. But the market says otherwise. When you can split some work across a whole team, or even into a separate company, instead of glomming it into one job, that’s worth money to businesspeople.

MSgtRedFox@infosec.pub on 19 Jan 2024 10:48 collapse

Agreed. There is SCAP, but it only covers some, and it’s STIG/federal based.