CONFIRMED: Remediation Standards telecon, Dec 1 (this Wednesday)


Matthew N. Wojcik

All,

Thanks to the many positive responses, we will have a remediation
standards teleconference as proposed, this Wednesday, December 1st,
from 1:00-4:00 PM EST (UTC -0500).  Apologies to the few who responded
that they had conflicts.  Minutes of the call will be made available.

Call information:

Meeting ID: 147852

+1 781-271-6338 (Bedford, MA region) or
+1 703-983-6338 (Washington DC region, Nationally or Internationally)

If you have any problems joining the teleconference, please email
<[hidden email]> and <[hidden email]>, rather than the list.

Here's some more detail on the agenda items mentioned in the original
call proposal:

CRE & ERI:

 - Platform associations.  Some CREs may address concerns on one
   target platform (e.g., Windows 7) but be implemented on another
   (e.g., Windows Server 2008 R2).  Which platform(s) should be
   associated with such CREs?

 - Reboot/restart information.  Some CREs require a system reboot to
   be effective.  For some, that reboot can be delayed for a time
   without causing problems; others may leave the machine unstable
   without an immediate restart.  Some may inherently cause a system
   reboot, or do so by default.  Others may need a particular service
   or process to be stopped or restarted.  Some CREs may need
   single-user or safe mode to enact.  What should we track in
   CRE/ERI?

 - ID integrity.  "Fat-fingering" a CVE or CCE ID can cause problems.
   Mistakes in CRE IDs could be much more serious.  Should CRE IDs
   include a check digit or some other means to try to catch ID usage
   mistakes?

Remediation Policy:

 - Introduction to Remediation Policy and its place in the workflow.

 - Specifying CRE parameters in Remediation Policy: requirements and
   formatting.

 - Asset types or indicators.  What criteria should be allowed to
   describe the types of assets CREs apply to?  CPE, CVE, CCE,
   organizational unit, system function, network location, others?

 - CRE preference.  Should policy indicate required CREs?  Preferred,
   allowed, disallowed?  Preference order?  Do exception handling use
   cases (documentation required if standard policy is not followed)
   imply requirements for CRE preference in Remediation Policy?

--Woj                  Matthew N. Wojcik                 [hidden email]
781 271-8056 office                                           CCE Team
617 872-6247 mobile                        Remediation Standardization

TO UNSUBSCRIBE FROM THE EMERGING-SPECS LIST, SEE:
http://scap.nist.gov/community.html



---------------------------------------------------------------

To unsubscribe from this mailing list, please send an e-mail to
[hidden email] with the words "unsubscribe xccdf-dev" in the
body. You will need to send this from the email account that you
used to initially subscribe to xccdf-dev.