Overseeing Compliance of Security Operations ◾ 173
© 2011 by Taylor & Francis Group, LLC
Security Management Standards
Many times people are in violent agreement because they are saying the same thing
in different words and do not understand each other. One method of overcoming
this is to introduce a common language. Speaking of security concepts and charac-
teristics can get quite confusing and frustrating when debates start over the defini-
tion of risk or the exact nuance of vulnerability. There is emerging work by NIST
that provides standards for articulating security concepts and characteristics. This
work includes Common Vulnerabilities and Exposures (CVE) for common identi-
fication of vulnerabilities, Common Configuration Enumeration (CCE) to define
secure configurations, Common Platform Enumeration (CPE) for a structured
information technology naming scheme, Common Vulnerability Scoring System
(CVSS) for scoring all CVE vulnerabilities, eXtensible Configuration Checklist
Description Format (XCCDF) for specifying a language to write security check-
lists, and Open Vulnerability Assessment Language (OVAL) to provide an industry
standard for security content across all security tools.
The National Vulnerability Database (NVD) “is the U.S. government repository
of standards based vulnerability management data represented using the Security
Content Automation Protocol (SCAP). This data enables automation of vulnerabil-
ity management, security measurement, and compliance” (http://nvd.nist.gov/, last
accessed March 2009). The SCAP project within NVD has more details on CVE,
CCE, CPE, CVSS, XCCDF, and OVAL.
Awareness of such standards will help you decide what aspects of security moni-
toring, analysis, and reporting may take place automatically versus manually. The
ability to elicit configuration details from information technology may provide a
real-time feed into a view of the enterprise security posture and the enterprise risk
posture, and the details may support many audit efforts.
Security Procedures
Security procedures are a specified sequence of actions to achieve a desired end of
effective and efficient management of business risk. Security procedures describe a
disciplined, repeatable manner in which to use the security standards to implement
and enforce security policy. Some security procedures are explicitly for information
technology professionals and security professionals. Other security procedures are
for other enterprise personnel. Security procedures may include the following:
◾ Installing new PCs using the standard desktop image that includes operating
system configurations and applications explicitly for security purposes
◾ Discarding old PCs, hard drives, and other media
◾ Backups; type and frequency