
List:       scap-security-guide
Subject:    NIST's HIPAA Security Rule Toolkit
From:       Shawn Wells <shawn () redhat ! com>
Date:       2016-01-04 18:08:13
Message-ID: 568AB50D.2040703 () redhat ! com

A colleague tipped me off to NIST's "HIPAA Security Rule Toolkit." 
Quickly playing with their tool, it's a Java-based GUI that embeds OCIL 
checklists for HIPAA compliance.

http://scap.nist.gov/hipaa/

For example, a screen shot:

[screen shot attached to the original message as dgibhgda.png; not reproduced in the archive]

We've played with creating OCIL content for SSG in the past, at least 
for select profiles like STIG/USGCB. Would inclusion of OCIL be 
particularly useful to anyone?

Trying to think through how this could actually be used...

- Perhaps the STIG profile could extend a "STIG-OCIL" which reflects DISA 
FSO organizational controls.
- Need some way to provide an "answers file," so that every scan does 
not get asked 100+ questions
- If using downstream tooling (e.g. Satellite or ACAS?), scan a group of 
systems ("ApplicationX in EnvironmentY") which provides "Application 
Level" OCIL results, while endpoints are scanned against STIG 
configuration baseline?
- Something else?

-- 
Shawn Wells
Office of the Chief Technologist
U.S. Public Sector
shawn@redhat.com | 443.534.0130
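The "answers file" idea in the message above, worked through as an added example (this is not code from SSG, the NIST toolkit, or the poster). It parses a small OCIL 2.0 questionnaire, looks each boolean question up in a pre-recorded answers file, and only reports the questions that still need a human, which is the property that keeps a scan from asking 100+ questions every run. The element names follow the OCIL 2.0 schema as the editor understands it, the JSON layout of the answers file (question id to boolean) is an assumption, the questionnaire content is constructed, and the aggregation rule in `questionnaire_result` is this example's own choice rather than anything the OCIL specification defines.

```python
import json
import xml.etree.ElementTree as ET

NS = {"ocil": "http://scap.nist.gov/schema/ocil/2.0"}

# Constructed OCIL 2.0 document: three boolean questions, each wired to a
# boolean_question_test_action that maps true -> PASS and false -> FAIL.
OCIL_DOC = """<ocil xmlns="http://scap.nist.gov/schema/ocil/2.0">
  <generator><schema_version>2.0</schema_version>
    <timestamp>2016-01-04T00:00:00</timestamp></generator>
  <questionnaires>
    <questionnaire id="ocil:org.example:questionnaire:1">
      <title>Organizational controls (constructed sample)</title>
      <actions>
        <test_action_ref>ocil:org.example:testaction:1</test_action_ref>
        <test_action_ref>ocil:org.example:testaction:2</test_action_ref>
        <test_action_ref>ocil:org.example:testaction:3</test_action_ref>
      </actions>
    </questionnaire>
  </questionnaires>
  <test_actions>
    <boolean_question_test_action id="ocil:org.example:testaction:1"
        question_ref="ocil:org.example:question:1">
      <when_true><result>PASS</result></when_true>
      <when_false><result>FAIL</result></when_false>
    </boolean_question_test_action>
    <boolean_question_test_action id="ocil:org.example:testaction:2"
        question_ref="ocil:org.example:question:2">
      <when_true><result>PASS</result></when_true>
      <when_false><result>FAIL</result></when_false>
    </boolean_question_test_action>
    <boolean_question_test_action id="ocil:org.example:testaction:3"
        question_ref="ocil:org.example:question:3">
      <when_true><result>PASS</result></when_true>
      <when_false><result>FAIL</result></when_false>
    </boolean_question_test_action>
  </test_actions>
  <questions>
    <boolean_question id="ocil:org.example:question:1">
      <question_text>Is a written incident response plan on file?</question_text>
    </boolean_question>
    <boolean_question id="ocil:org.example:question:2">
      <question_text>Is the workforce trained on the plan annually?</question_text>
    </boolean_question>
    <boolean_question id="ocil:org.example:question:3">
      <question_text>Was the plan exercised in the last 12 months?</question_text>
    </boolean_question>
  </questions>
</ocil>
"""

# Constructed answers file (assumed layout: question id -> boolean).
# Question 3 is deliberately missing to show what a partial file produces.
ANSWERS_FILE = json.dumps({
    "ocil:org.example:question:1": True,
    "ocil:org.example:question:2": False,
})


def _test_actions(root):
    """Map each boolean test action id to (question_ref, result_if_true, result_if_false)."""
    actions = {}
    for ta in root.findall("ocil:test_actions/ocil:boolean_question_test_action", NS):
        actions[ta.get("id")] = (
            ta.get("question_ref"),
            ta.findtext("ocil:when_true/ocil:result", namespaces=NS),
            ta.findtext("ocil:when_false/ocil:result", namespaces=NS),
        )
    return actions


def evaluate(ocil_xml, answers_json):
    """Return {test_action_id: result}; a question with no recorded boolean is NOT_TESTED."""
    root = ET.fromstring(ocil_xml)
    answers = json.loads(answers_json)
    results = {}
    for ta_id, (q_ref, on_true, on_false) in _test_actions(root).items():
        answer = answers.get(q_ref)
        if not isinstance(answer, bool):   # missing or malformed entry: never guess
            results[ta_id] = "NOT_TESTED"
        else:
            results[ta_id] = on_true if answer else on_false
    return results


def unanswered(ocil_xml, answers_json):
    """Question ids that still need a human; these are the only prompts a scan would show."""
    root = ET.fromstring(ocil_xml)
    answers = json.loads(answers_json)
    return [q.get("id")
            for q in root.findall("ocil:questions/ocil:boolean_question", NS)
            if not isinstance(answers.get(q.get("id")), bool)]


def questionnaire_result(results):
    """Roll-up rule chosen for this example: any FAIL wins, then any NOT_TESTED, else PASS."""
    if "FAIL" in results.values():
        return "FAIL"
    if "NOT_TESTED" in results.values():
        return "NOT_TESTED"
    return "PASS"


if __name__ == "__main__":
    res = evaluate(OCIL_DOC, ANSWERS_FILE)
    for ta_id, r in res.items():
        print(ta_id, r)
    print("still to ask:", unanswered(OCIL_DOC, ANSWERS_FILE))
    print("questionnaire:", questionnaire_result(res))
```

Treating a missing or non-boolean entry as NOT_TESTED rather than defaulting it to "yes" is the point of the check: a stale or hand-edited answers file should surface as an open question, not as a silent pass in the organizational-control results.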


--
SCAP Security Guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/scap-security-guide@lists.fedorahosted.org
https://github.com/OpenSCAP/scap-security-guide/
