this post was submitted on 09 Jan 2024
4 points (83.3% liked)

cybersecurity

3249 readers
1 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 1 year ago
MODERATORS
 

cross-posted from: https://infosec.pub/post/6671372

I'm not a vendor, I'm just curious what experience people have with implementing security control frameworks?

DOD uses DISA STIGs. Else uses CIS benchmarks, or self-developed based off of NIST CSF?

To what degree is your organization using any of these?

Are they enforced? Monitored?

Using any vendor solutions that don't suck?

Does anyone care except you (hopefully 😉)

[–] jaredj@infosec.pub 1 points 10 months ago (1 children)

They are made (I think) to be implementable - even, to give implementors some flexibility. Then everybody goes and buys a tool to do it, and not that well. I thought 15 years ago that security configuration was a (voluminous) subset of system configuration and system administration, ripe for automation and rigorous documentation - not something to pay a different vendor for. But the market says otherwise. When you can split some work across a whole team, or even into a separate company, instead of glomming it into one job, that's worth money to businesspeople.

[–] MSgtRedFox@infosec.pub 2 points 10 months ago

Agreed. There is SCAP, but it only covers some, and it's STIG/federal based.