cross-posted from: https://infosec.pub/post/6671372
I’m not a vendor, I’m just curious what experience people have with implementing security control frameworks?
DOD uses DISA STIGs. Else uses CIS benchmarks, or self developed based of NIST CSF?
To what degree is your organization using any of these?
Are they enforced? Monitored?
Using any vendor solutions that don’t suck?
Does anyone care except you (hopefully 😉)
They are made (I think) to be implementable - even, to give implementors some flexibility. Then everybody goes and buys a tool to do it, and not that well. I thought 15 years ago that security configuration was a (voluminous) subset of system configuration and system administration, ripe for automation and rigorous documentation - not something to pay a different vendor for. But the market says otherwise. When you can split some work across a whole team, or even into a separate company, instead of glomming it into one job, that’s worth money to businesspeople.
Agreed. There is SCAP, but it only covers some, and it’s STIG/federal based.