Hi Guys,
Has anyone come across of using OSCAL security controls on IriusRisk or have experience? I would love to get some insights on that.
Thanks
Userlevel 6
Hello
Userlevel 2
OSCAL seems designed as a control catalogue, and it’s great that there is finally a standard format for defining controls!
From the point of view of threat modeling, what it lacks is the “why” behind each control, i.e. the threat or risk that it’s mitigating. So on it’s own, you could certainly use it to manage a library of controls, but if you wanted to use it for threat modeling and as a threat catalog then you’d need a mapping between controls and threats. If you had that mapping, then you could use this as a threat-control catalog to help speed up or standardise threat model output.
Hi
thank you for the response, and I agree if there is a threat to control mapping in place, then the value would help speed up the assessment.
Is it possible to import the mapping on the IriusRisk tool itself?
Thanks
Maybe I’m wrong but the Open Threat Model specification (OTM) might be better for this rather than OSCAL, since it already provides that threat-control mapping. Since both can be independent you could have the OSCAL control defined in a catalog and the OTM threat model where the mitigations are like:
mitigations:
- name: My mitigation 1
id: fd6136f4-e2ff-11eb-ba80-0242ac130004
description: My description
riskReduction: 50
attributes:
oscal-catalog: b954d3b7-d2c7-453b-8eb2-459e8d3b8462
oscal-group-id: ac
oscal-control-id: ac-1What would be the best attributes to include is unknown to me.
Reply
Log in
Create your account
Not a member yet? Become a member to join forum discussions, participate in community events and apply to write articles.
Create an accountLog in with LinkedIn
or
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.