Introduction to OVAL to SACM Info Model Paper

Presentation transcript:

Introduction to OVAL to SACM Info Model Paper Matt Hansbury Danny Haynes May 12, 2015

Open Vulnerability and Assessment Language
OVAL is an XML-based language for encoding details about how to assess the state of an endpoint.
Founded in 2002 as a community-driven effort
Operated by the MITRE Corporation on behalf of DHS
OVAL is widely adopted
  Supported by 45 organizations, with 63 products and services, across 13 countries (lots of running code)
  Defined as the primary checking language for the Security Content Automation Protocol (SCAP)
IPR Considerations
  MITRE holds trademark and copyright for OVAL, on behalf of the U.S. Department of Homeland Security (DHS)
  DHS and MITRE are currently working on resolving

Paper Overview
Map existing OVAL Language structures into any appropriate components defined by the SACM Information Model (IM), make specific concrete recommendations for the Working Group, and provide relevant lessons learned
Many SACM IM components are aligned with OVAL data models
  The paper maps each of the relevant components from the IM into the appropriate data model provided by OVAL
Concrete recommendations, based on 10+ years of experience in endpoint assessment, are provided as a way forward
Finally, the paper discusses a set of relevant lessons learned through the long-running effort, along with takeaways for the SACM WG

Key Recommendations
Use the OVAL System Characteristics Model for data collection
  Models operating-system-level constructs
  Some modifications and/or extensions will be needed, but it could serve as a starting point
Use the OVAL Definitions Model for Evaluation and Collection Guidance
  Encodes both Collection and Evaluation Guidance in a single model
  Some effort will be required to de-couple the components, but it may serve as a starting point
Do NOT use the OVAL Results Model for assessment results
  Never quite satisfied the community's need for granularity or ease of use
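As an added illustration of the de-coupling point above (this is not code from the paper or the OVAL project): in the Definitions Model a single test element carries both an object_ref (what to collect from the endpoint) and a state_ref (how to judge it), so splitting the model into collection guidance and evaluation guidance means pulling those references apart. The minimal document, its oval:example ids and the parser are constructed for this example; the element names and namespaces are those of the real OVAL Definitions schema.

```python
import xml.etree.ElementTree as ET

# Namespaces of the real OVAL Definitions schema; the document below is a
# constructed sample (not from the paper or the OVAL repository).
DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
IND = "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
NS = {"d": DEF, "ind": IND}

SAMPLE = f"""<oval_definitions xmlns="{DEF}" xmlns:ind="{IND}">
 <definitions>
  <definition id="oval:example:def:1" version="1" class="compliance">
   <criteria><criterion test_ref="oval:example:tst:1" comment="sshd"/></criteria>
  </definition>
 </definitions>
 <tests>
  <ind:textfilecontent54_test id="oval:example:tst:1" version="1" check="all">
   <ind:object object_ref="oval:example:obj:1"/>
   <ind:state state_ref="oval:example:ste:1"/>
  </ind:textfilecontent54_test>
 </tests>
 <objects>
  <ind:textfilecontent54_object id="oval:example:obj:1" version="1">
   <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
   <ind:pattern operation="pattern match">^PermitRootLogin\\s+(\\S+)</ind:pattern>
   <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>
 </objects>
 <states>
  <ind:textfilecontent54_state id="oval:example:ste:1" version="1">
   <ind:subexpression>no</ind:subexpression>
  </ind:textfilecontent54_state>
 </states>
</oval_definitions>"""


def decouple(xml_text):
    """Return (collection, evaluation): objects describe what to gather from
    the endpoint; tests and their state refs describe how to judge it."""
    root = ET.fromstring(xml_text)
    # Collection guidance: every object, with its namespace-stripped fields.
    collection = {o.get("id"): {c.tag.split("}")[-1]: c.text for c in o}
                  for o in root.find("d:objects", NS)}
    # Evaluation guidance: each test links collected data to a state.
    evaluation = [{"test": t.get("id"), "check": t.get("check"),
                   "object_ref": t.find("ind:object", NS).get("object_ref"),
                   "state_ref": t.find("ind:state", NS).get("state_ref")}
                  for t in root.find("d:tests", NS)]
    return collection, evaluation
```

A collector only needs the first dictionary, while an evaluator needs the second plus the states and criteria; the shared test ids are what keep the two halves joinable after the split.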

Key Lessons Learned
Simplicity is Key
  Ensure that the diversity of the information to be shared fits with the types of organizations that must share it
  De-couple Collection and Evaluation
Empower Subject Matter Experts (SMEs)
  Primary source vendors and other SMEs know best
  Provide them the means to easily and effectively convey how to do so
Carrots Work Better than Sticks
  Rely on solid business reasons that drive vendors to adopt rather than regulatory mandates

Next Steps
Continue discussion on SACM mailing list
Revise document based on feedback
Consider implications of IPR and related issues
Plan out schedule for contribution of actual OVAL data models

Resources
OVAL Web Site
OVAL and the SACM Information Model
Security Content Automation Protocol (SCAP)