List: scap-security-guide
Subject: NIST's HIPAA Security Rule Toolkit
From: Shawn Wells <shawn () redhat ! com>
Date: 2016-01-04 18:08:13
Message-ID: 568AB50D.2040703 () redhat ! com
A colleague tipped me off to NIST's "HIPAA Security Rule Toolkit."
Quickly playing with their tool, it's a Java-based GUI that embeds OCIL
checklists for HIPAA compliance.
http://scap.nist.gov/hipaa/
For example, a screen shot:
We've played with creating OCIL content for SSG in the past, at least
for select profiles like STIG/USGCB. Would inclusion of OCIL be
particularly useful to anyone?
Trying to think through how this could actually be used...
- Perhaps STIG profile could extend a "STIG-OCIL" which reflects DISA
FSO organizational controls.
- Need some way to provide an "answers file," so that every scan does
not get asked 100+ questions
- If using downstream tooling (e.g. Satellite or ACAS?), scan a group of
systems ("ApplicationX in EnvironmentY") which provides "Application
Level" OCIL results, while endpoints are scanned against STIG
configuration baseline?
- Something else?
--
Shawn Wells
Office of the Chief Technologist
U.S. Public Sector
shawn@redhat.com | 443.534.0130
--
SCAP Security Guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/scap-security-guide@lists.fedorahosted.org
https://github.com/OpenSCAP/scap-security-guide/
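The "answers file" idea from the message above, as an added example that is not part of the original post and not SSG or NIST code: a small evaluator for the boolean-question subset of OCIL 2.0 that takes a checklist plus a JSON answers file, prompts only for questions the file does not cover, and reports per-questionnaire results. The OCIL document is constructed for illustration (the ocil:ssg:* identifiers are made up), the JSON answers-file format is an assumption (OCIL itself does not define one), and the PASS/FAIL/UNKNOWN combination rule is a simplification of OCIL's full result table.

```python
"""Evaluate a simplified OCIL checklist against a pre-supplied answers file.

Added example for this thread, not SSG or NIST code.  The OCIL document is
constructed and covers only boolean_question / boolean_question_test_action;
the answers file (JSON object: question id -> true/false) is an assumed format.
"""
import json
import xml.etree.ElementTree as ET

NS = {"ocil": "http://scap.nist.gov/schema/ocil/2.0"}

# Constructed checklist: two questionnaires, three questions.
OCIL_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<ocil xmlns="http://scap.nist.gov/schema/ocil/2.0">
  <generator><schema_version>2.0</schema_version>
    <timestamp>2016-01-04T18:00:00</timestamp></generator>
  <questionnaires>
    <questionnaire id="ocil:ssg:questionnaire:1">
      <title>Organizational controls (constructed)</title>
      <actions>
        <test_action_ref>ocil:ssg:testaction:1</test_action_ref>
        <test_action_ref>ocil:ssg:testaction:2</test_action_ref>
      </actions>
    </questionnaire>
    <questionnaire id="ocil:ssg:questionnaire:2">
      <title>Application-level controls (constructed)</title>
      <actions><test_action_ref>ocil:ssg:testaction:3</test_action_ref></actions>
    </questionnaire>
  </questionnaires>
  <test_actions>
    <boolean_question_test_action id="ocil:ssg:testaction:1" question_ref="ocil:ssg:question:1">
      <when_true><result>PASS</result></when_true>
      <when_false><result>FAIL</result></when_false>
    </boolean_question_test_action>
    <boolean_question_test_action id="ocil:ssg:testaction:2" question_ref="ocil:ssg:question:2">
      <when_true><result>PASS</result></when_true>
      <when_false><result>FAIL</result></when_false>
    </boolean_question_test_action>
    <boolean_question_test_action id="ocil:ssg:testaction:3" question_ref="ocil:ssg:question:3">
      <when_true><result>PASS</result></when_true>
      <when_false><result>FAIL</result></when_false>
    </boolean_question_test_action>
  </test_actions>
  <questions>
    <boolean_question id="ocil:ssg:question:1">
      <question_text>Is there a documented incident response plan?</question_text></boolean_question>
    <boolean_question id="ocil:ssg:question:2">
      <question_text>Are privileged accounts reviewed quarterly?</question_text></boolean_question>
    <boolean_question id="ocil:ssg:question:3">
      <question_text>Does the application log authentication failures?</question_text></boolean_question>
  </questions>
</ocil>
"""

# Constructed answers file; question 3 is deliberately left unanswered.
ANSWERS_FILE = json.dumps({"ocil:ssg:question:1": True, "ocil:ssg:question:2": False})


def load_checklist(xml_text):
    """Return (questions, test_actions, questionnaires) dicts keyed by OCIL id."""
    root = ET.fromstring(xml_text)
    questions = {q.get("id"): q.findtext("ocil:question_text", namespaces=NS)
                 for q in root.findall("ocil:questions/ocil:boolean_question", NS)}
    actions = {}
    for a in root.findall("ocil:test_actions/ocil:boolean_question_test_action", NS):
        actions[a.get("id")] = {
            "question": a.get("question_ref"),
            "when_true": a.findtext("ocil:when_true/ocil:result", namespaces=NS),
            "when_false": a.findtext("ocil:when_false/ocil:result", namespaces=NS),
        }
    questionnaires = {
        qn.get("id"): [r.text for r in qn.findall("ocil:actions/ocil:test_action_ref", NS)]
        for qn in root.findall("ocil:questionnaires/ocil:questionnaire", NS)}
    return questions, actions, questionnaires


def unanswered(xml_text, answers_json):
    """Question ids the answers file does not cover: the only ones a scan must ask."""
    questions, _, _ = load_checklist(xml_text)
    answers = json.loads(answers_json)
    return [q for q in questions if q not in answers]


def combine(results):
    """Simplified AND-combination (assumption): any FAIL fails, else any UNKNOWN
    is UNKNOWN, else PASS."""
    if "FAIL" in results:
        return "FAIL"
    if "UNKNOWN" in results:
        return "UNKNOWN"
    return "PASS"


def evaluate(xml_text, answers_json, ask=None):
    """Map questionnaire id -> result.  Answered questions are never prompted;
    others go to ask(question_id, question_text) -> bool/None; None -> UNKNOWN."""
    questions, actions, questionnaires = load_checklist(xml_text)
    answers = json.loads(answers_json)
    outcome = {}
    for qn_id, refs in questionnaires.items():
        action_results = []
        for ref in refs:
            action = actions[ref]
            q_id = action["question"]
            answer = answers.get(q_id)
            if answer is None and ask is not None:
                answer = ask(q_id, questions[q_id])
            if answer is None:
                action_results.append("UNKNOWN")
            else:
                action_results.append(action["when_true"] if answer else action["when_false"])
        outcome[qn_id] = combine(action_results)
    return outcome


if __name__ == "__main__":
    print("would prompt for:", unanswered(OCIL_DOC, ANSWERS_FILE))
    print(evaluate(OCIL_DOC, ANSWERS_FILE))
```

In a real pipeline the answers file would be generated once per organization (or per "ApplicationX in EnvironmentY" group) and merged with the interactive answers from a first run, so later scans only prompt for whatever has not been answered yet.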