The corresponding economic model, proposed by Lawrence A. Gordon and Martin P. Loeb in 2002, implies that:
Optimal information security policy should incorporate both possible approaches:
Though security vulnerabilities are difficult or even impossible to predict, many of them require multiple conditions to be met at once in order to be successfully exploited:
All three of the provided conditions can be avoided using the same strategy — through application and enforcement of a security policy which fulfills the following criteria:
In order to minimize the threat of an attack on computer infrastructure, or even prevent it completely, many institutions from both the private and public sector have adopted the concept of enforcing a security policy or a security benchmark. These policies define security requirements which all systems used by the institution must meet. They apply not only to systems physically located within the organization, but often also to any third-party environment that has access to the organization's computer infrastructure. In some cases these policies are defined by government regulations, but many businesses adopt their own security policies even if they are not specifically required to do so by law.
The specific requirements of a security policy differ depending on the area of activity of a particular organization. For example, a cloud solutions provider serving only the private sector will follow different security norms, and will be required by law to meet different information security requirements, than a United States federal agency.
Despite the variety of the possible requirements, there are many common steps and procedures that any institution or business wishing to protect itself should perform. These include, but are not limited to:
Determine the specific security baseline which the underlying computer infrastructure needs to be compliant with
Obtain a security checklist for the requirement(s) in a format suitable for machine processing
Quickly identify the current state of the computer infrastructure against the requirement(s)
React promptly — perform corrective operations for any requirement the system(s) in question failed to meet at a given point in time
Prefer an automated approach — perform compliance analysis and corrective operations (remedial actions) in a machine-controlled, unattended way on a regular basis, regardless of the infrastructure’s complexity
Utilize suitable software tools to carry out these tasks with minimal effort, while keeping any outage periods these tasks require to a minimum.
In many countries, information security is recognized as having an important role in the effort to protect economic growth and security interests. With cyberspace being vulnerable to a wide range of attacks, many countries have adopted an approach where strengthening the security and resilience of computer infrastructure must be performed at every level, be it the public or the private sector. Many government agencies are mandated by law to establish and manage their computer infrastructure in a specific way to protect sensitive information and prevent attacks. In the private sector, businesses handling credit cards from the major card schemes are obligated to follow the Payment Card Industry Data Security Standard (PCI DSS), which mandates controls around cardholder data in order to reduce credit card fraud resulting from its exposure.
Depending on its area of business, there may be numerous standards a particular organization must meet simultaneously in order to be compliant with all applicable laws and contractual obligations. This makes software tools like the OpenSCAP family, which can perform compliance assessments and corrective operations in an automated and continuous fashion, well suited to any organization trying to establish a proper and sustainable security compliance management policy.
In order to perform security compliance analysis of a computer infrastructure in an automated way, the corresponding security benchmark (the compliance requirements) needs to be expressed in a specific, unambiguous format. Many security benchmarks provided by various security compliance authorities are supplied as plain-text documents. While this form is universal enough to apply to any computer infrastructure regardless of the underlying operating system, it cannot be consumed directly by an assessment tool. Therefore, a substantial effort is currently being invested into converting these security guidance baselines and their associated validation mechanisms into the various specifications defined by the Security Content Automation Protocol (SCAP). The SCAP Security Guide project provides these baselines as practical security guidance, and also links them to compliance requirements in order to ease deployment activities such as certification and accreditation. This way it is possible to bridge the gap between generalized policy requirements (as produced by official compliance authorities) and specific implementation guidance (in SCAP format) applicable to a particular computer environment or software product.
The examples below demonstrate how various tools from the OpenSCAP family can be used to assist you in establishing and maintaining a sustainable security compliance process. See the Tools page for a more detailed description of each tool and additional examples.
Performing security compliance analysis of a freshly installed Red Hat Enterprise Linux 6.7 system using the United States Government Configuration Baseline (USGCB) profile from the security benchmark for Red Hat Enterprise Linux 6 Server system, provided by the scap-security-guide RPM package:
Performing both security compliance analysis and corrective operations (remedial action) against the United States Government Configuration Baseline (USGCB) profile from security benchmark for Red Hat Enterprise Linux 6 Server provided by the scap-security-guide RPM package using the oscap command line tool:
# oscap xccdf eval --remediate --profile usgcb-rhel6-server \
    --results /tmp/usgcb-rhel6-server-results.xml \
    --report /tmp/usgcb-rhel6-server-report.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
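The scan, remediate and verify cycle described by the procedure above and by the two oscap invocations, as an added example that is not part of this page or of the OpenSCAP project: a small Python wrapper that builds the same oscap command line, runs the audit-only scan first (the command above without --remediate, since remediation edits the live system), interprets the exit status documented in oscap(8) (0 all rules passed, 1 error, 2 evaluation succeeded but at least one rule failed), lists the failing rules from the results XML, and only then remediates and rescans. The helper names, the /tmp file names and the embedded sample results file are assumptions of this example; the rule identifiers in the sample are constructed for illustration.

```python
"""Scan, remediate, re-scan with `oscap xccdf eval`.

Added example, not code from the OpenSCAP project. Assumes the oscap binary
and the scap-security-guide content are installed at the paths used on the
page; the helper names and /tmp paths below are our own choices.
"""
import shutil
import subprocess
import sys
import xml.etree.ElementTree as ET

SSG_CONTENT = "/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml"
PROFILE = "usgcb-rhel6-server"

# Exit status documented in oscap(8): 0 = all rules passed, 1 = an error
# occurred, 2 = evaluation succeeded but at least one rule failed.
OSCAP_ALL_PASSED, OSCAP_ERROR, OSCAP_NONCOMPLIANT = 0, 1, 2


def oscap_eval_cmd(profile, content, results, report, remediate=False):
    """Build the argv for an XCCDF evaluation. --remediate is opt-in: it
    changes the live system, so it should follow an audit-only pass."""
    cmd = ["oscap", "xccdf", "eval"]
    if remediate:
        cmd.append("--remediate")
    cmd += ["--profile", profile, "--results", results, "--report", report, content]
    return cmd


def rule_results(xml_text):
    """Map rule idref -> result ("pass", "fail", "notapplicable", ...) from an
    XCCDF result file. Tags are matched by local name so both the XCCDF 1.1
    namespace (RHEL 6 content) and XCCDF 1.2 are handled."""
    root = ET.fromstring(xml_text)
    results = {}
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "rule-result":
            continue
        res = next((c for c in elem if c.tag.rsplit("}", 1)[-1] == "result"), None)
        results[elem.get("idref")] = (res.text or "").strip() if res is not None else "unknown"
    return results


def failed_rules(xml_text):
    """Sorted list of rule idrefs whose result is 'fail'."""
    return sorted(r for r, v in rule_results(xml_text).items() if v == "fail")


def run_scan(remediate, tag):
    """Run one evaluation and return (exit status, failing rule ids)."""
    results = f"/tmp/{PROFILE}-{tag}-results.xml"
    report = f"/tmp/{PROFILE}-{tag}-report.html"
    proc = subprocess.run(oscap_eval_cmd(PROFILE, SSG_CONTENT, results, report, remediate))
    if proc.returncode == OSCAP_ERROR:
        sys.exit("oscap reported an error; see its stderr output above")
    with open(results, encoding="utf-8") as fh:
        return proc.returncode, failed_rules(fh.read())


# Constructed sample of the rule-result section of an XCCDF 1.1 result file
# (not real scan output), so the parser can be exercised without oscap.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-6">
  <TestResult id="xccdf_org.open-scap_testresult_usgcb-rhel6-server">
    <rule-result idref="sshd_disable_root_login" time="2015-09-01T10:00:00">
      <result>fail</result>
    </rule-result>
    <rule-result idref="disable_prelink"><result>pass</result></rule-result>
    <rule-result idref="mount_option_tmp_nodev"><result>fail</result></rule-result>
    <rule-result idref="set_password_hashing_algorithm"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

if __name__ == "__main__":
    if shutil.which("oscap") is None:
        print("oscap not installed; parsing the embedded sample results instead")
        print("failing rules:", failed_rules(SAMPLE_RESULTS))
        sys.exit(0)
    # Step 1: audit-only scan; record the gap before touching anything.
    rc, before = run_scan(remediate=False, tag="audit")
    print(f"audit exit status {rc}; {len(before)} failing rule(s): {before}")
    if rc == OSCAP_ALL_PASSED:
        sys.exit(0)
    # Step 2: apply the fixes bundled with the content, then
    # Step 3: rescan without --remediate to confirm what is still open.
    run_scan(remediate=True, tag="remediate")
    rc, after = run_scan(remediate=False, tag="verify")
    print(f"verify exit status {rc}; still failing: {after}")
    sys.exit(rc)
```

Running the verification scan without --remediate matters: a remediation run that exits 2 only tells you something still failed, while the second audit-only results file is the artifact you keep as evidence of the system's state, and any rule left in "fail" after remediation is the list to fix by hand or to schedule for the next unattended run.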