In June 2017, the National Institute of Standards and Technology (NIST) released the overview volume of NIST Interagency Report (NISTIR) 8011, “Automation Support for Security Assessments”.
Organizations looking to move from reactive IT security to a more mature, refined approach may consider putting in the effort necessary to automate assessment. Assessing information security controls more frequently gives a near real-time view of the environment and of the overall security posture, which puts the right information in front of management at the right time to make more informed decisions. The purpose of the NISTIR 8011 documents is to provide an approach for automating the assessment of security controls in systems and organizations.
NIST intends to release 13 volumes, logically grouped, to help facilitate automating the assessment of these controls.
- Volume 1 Overview
- Volume 2 Hardware Asset Management
- Volume 3 Software Asset Management
- Volume 4 Configuration Settings Management
- Volume 5 Vulnerability Management
- Volume 6 Boundary Management (Physical, Filters, and Other Boundaries)
- Volume 7 Trust Management
- Volume 8 Security-Related Behavior Management
- Volume 9 Credentials and Authentication Management
- Volume 10 Privilege and Account Management
- Volume 11 Event (Incident and Contingency) Preparation Management
- Volume 12 Anomalous Event Detection Management
- Volume 13 Anomalous Event Response and Recovery Management
To begin the process of automation, one key requirement for automating security control assessments, and nearly all automation, is that the data must be machine readable. The inputs to any automation must be in a format that computers can input, process, and output without human interaction. Examples of machine-readable inputs include network scans that identify serial numbers for hardware and software assets; password policies for configuration settings; or the list of patches applied to servers for vulnerability management.
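To make the machine-readable requirement concrete, here is an added example (not from NISTIR 8011 or this post) that automates three of the checks just mentioned over constructed JSON inputs: serial numbers from a network scan against an authorized inventory, a password policy against required settings, and per-server patch lists against a required set. The authorized serials, policy minimums and required patch identifiers are hypothetical values chosen for the example.

```python
import json
import operator

# Constructed machine-readable inputs (sample data, not real scan output):
# a network scan, a password-policy export and a per-server patch report.
SCAN_JSON = ('{"assets": [{"host": "srv01", "serial": "SN-1001"},'
             ' {"host": "srv02", "serial": "SN-1002"},'
             ' {"host": "unknown", "serial": "SN-9999"}]}')
POLICY_JSON = '{"min_length": 8, "max_age_days": 365, "lockout_threshold": 5}'
PATCHES_JSON = '{"srv01": ["KB-1", "KB-2"], "srv02": ["KB-1"]}'

# Assumed desired state for the example (hypothetical values).
AUTHORIZED_SERIALS = {"SN-1001", "SN-1002"}
POLICY_REQUIREMENTS = {
    "min_length": (operator.ge, 12),        # at least 12 characters
    "max_age_days": (operator.le, 90),      # rotated at least every 90 days
    "lockout_threshold": (operator.le, 5),  # lock after at most 5 failures
}
REQUIRED_PATCHES = {"KB-1", "KB-2"}

def assess_hardware(scan_json):
    """Hardware asset management: hosts whose serial is not authorized."""
    assets = json.loads(scan_json)["assets"]
    return sorted(a["host"] for a in assets if a["serial"] not in AUTHORIZED_SERIALS)

def assess_password_policy(policy_json):
    """Configuration settings management: settings below the required minimum."""
    policy = json.loads(policy_json)
    findings = []
    for setting, (meets, required) in POLICY_REQUIREMENTS.items():
        actual = policy.get(setting)
        if actual is None or not meets(actual, required):
            findings.append({"setting": setting, "actual": actual, "required": required})
    return findings

def assess_patches(patches_json):
    """Vulnerability management: required patches missing from each server."""
    applied = json.loads(patches_json)
    missing = {host: sorted(REQUIRED_PATCHES - set(kbs)) for host, kbs in applied.items()}
    return {host: kbs for host, kbs in missing.items() if kbs}

def run_assessment():
    """Run every check and return a machine-readable report for downstream tooling."""
    return {
        "hardware_unauthorized": assess_hardware(SCAN_JSON),
        "password_policy_findings": assess_password_policy(POLICY_JSON),
        "patches_missing": assess_patches(PATCHES_JSON),
    }
```

`json.dumps(run_assessment(), indent=2)` emits the findings as JSON, so the output is itself machine readable and can feed a ticketing system or dashboard without a human re-keying it.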
The first two NIST guides, 93 pages and 155 pages respectively, can be an invaluable source for advancing your organization's security posture. The PDF volumes can be found on the NIST website at http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-8011