<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>I-Assure Forums / Information Assurance / Security Testing </title><generator>InstantForum.NET v4.1.4</generator><description>I-Assure Forums</description><link>http://www.i-assure.com/forums/</link><webMaster>forums@i-assure.com</webMaster><lastBuildDate>Sat, 31 Jul 2010 20:27:14 GMT</lastBuildDate><ttl>20</ttl><item><title>COTS Audit reduction tool/software</title><link>http://www.i-assure.com/forums/Topic944-7-1.aspx</link><description>Anyone out there using a COTS audit tool or software that assists with performing weekly system audits?  I came from a place where they had built custom scripts to do this but I'm at a place now where they just view them manually and I'm trying to find a better solution.  Thanks</description><pubDate>Mon, 29 Mar 2010 16:10:00 GMT</pubDate><dc:creator>murphybe</dc:creator></item><item><title>Assigning DIACAP Severity Codes and risk assessments</title><link>http://www.i-assure.com/forums/Topic927-7-1.aspx</link><description>Good evening,&lt;P&gt;In my current position, I routinely see 'risk assessment' reports that consist of no more than DISA Gold Disk findings assigned to a DoDD 8500.2 IA control. I've been assured by the 'experts' who conducted an ST&amp;amp;E that the report does not contain false positives.  When asked, "how do you know it doesn't contain false positives," I was promptly told "it doesn't!"  &lt;/P&gt;&lt;P&gt;In my opinion, a report with nothing more than cut and paste from a DISA Gold report isn't all that useful and could contain false positives.  Isn't some level of analysis needed to ensure what makes your final report is an actual finding? &lt;/P&gt;&lt;P&gt;My question:  How in the heck can you assess a severity code I to an IA control based on DISA Gold/STIG/checklist findings that may or may not be true?  
Essentially, where is the analysis????&lt;/P&gt;&lt;P&gt;If I were a Cert Authority (CA), I wouldn't make a recommendation to my DAA based on data that hasn't been analyzed.  It seems that some organizations rely solely on DISA gold/SRR/Checklist and if it's a STIG CAT I, by god, it's going to make the IA Control a CAT I.  Grrrr ... very frustrating!  I've seen several STIG PDIs that make reference to the wrong IA control.&lt;/P&gt;&lt;P&gt;Sorry to vent, but the IA business really sucks at times! </description><pubDate>Mon, 15 Feb 2010 21:36:02 GMT</pubDate><dc:creator>07caddy</dc:creator></item><item><title>Retina Scan Settings</title><link>http://www.i-assure.com/forums/Topic859-7-1.aspx</link><description>What are the best scan settings to use for Retina for DIACAP preparation?</description><pubDate>Mon, 14 Sep 2009 14:29:58 GMT</pubDate><dc:creator>tcornelius</dc:creator></item><item><title>8500 IA Controls SRTM</title><link>http://www.i-assure.com/forums/Topic885-7-1.aspx</link><description>Does anyone have a SRTM in excel format for evaluating the 8500 IA controls?  If so could you forward it to me in an email.</description><pubDate>Wed, 21 Oct 2009 12:07:13 GMT</pubDate><dc:creator>bzhz79</dc:creator></item><item><title>VMS to RTM</title><link>http://www.i-assure.com/forums/Topic108-7-1.aspx</link><description>I'm looking for a tool that can convert the VMS numbers from DISA Gold Disk to RTM / IA Controls.&lt;P&gt;If there's such a thing, please let me know.&lt;/P&gt;&lt;P&gt;Thanks</description><pubDate>Mon, 22 Jan 2007 13:32:41 GMT</pubDate><dc:creator>Dhruvo</dc:creator></item><item><title>Auto RTM download location</title><link>http://www.i-assure.com/forums/Topic606-7-1.aspx</link><description>Hello,&lt;br&gt;&lt;br&gt;I can't seem to find the download link for AutoRTM.  I downloaded the toolset, just fine. 
Can someone send me a link?</description><pubDate>Tue, 20 May 2008 14:50:59 GMT</pubDate><dc:creator>wshutter</dc:creator></item><item><title>AutoRTM License</title><link>http://www.i-assure.com/forums/Topic685-7-1.aspx</link><description>Is there a requirement to have a license to use AutoRTM?  When I clicked execute I was told that there wasn't a license.  When I left the block blank it shut down.</description><pubDate>Tue, 23 Sep 2008 10:13:42 GMT</pubDate><dc:creator>vsmith51</dc:creator></item><item><title>AutoRTM no IAVA listing?</title><link>http://www.i-assure.com/forums/Topic358-7-1.aspx</link><description>I noticed that the UNIX RTM does not list the IAVA.  Running the Unix SRR IAVA is listed in the report.  Will AutoRTM support listing IAVA?&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;P&gt;-ln</description><pubDate>Tue, 13 Nov 2007 14:11:10 GMT</pubDate><dc:creator>lnunez</dc:creator></item><item><title>AUTORTM</title><link>http://www.i-assure.com/forums/Topic609-7-1.aspx</link><description>Can you provide an update to the autortm for CJCSI6510D to CJCSI6510E</description><pubDate>Fri, 23 May 2008 10:15:02 GMT</pubDate><dc:creator>doriangray</dc:creator></item><item><title>AUTORTM</title><link>http://www.i-assure.com/forums/Topic599-7-1.aspx</link><description>Is there any way to integrate the Windows STIGS (NSA) into the AutoRTM? The tool is great by the way!!!!!</description><pubDate>Tue, 13 May 2008 14:58:33 GMT</pubDate><dc:creator>doriangray</dc:creator></item><item><title>AutoRTM questions</title><link>http://www.i-assure.com/forums/Topic460-7-1.aspx</link><description>Hi,&lt;/P&gt;&lt;P&gt;I like the AutoRTM tool, but have a few questions:&lt;/P&gt;&lt;P&gt;- I'd like to be able to see the version # or date of the source requirements documents, but the only time I see that information is when I created the project using the wizard. 
Is this information saved somewhere in the project where I can refer to it when needed, rather than going back through the wizard?&lt;/P&gt;&lt;P&gt;- I'd be interested to know how updates to requirements will be handled for existing projects. Will the entire list of requirements be completely replaced for a project, or will individual requirements that are added, deleted or changed be highlighted in some way?&lt;/P&gt;&lt;P&gt;- After creating a project using the wizard, is there a way to add a set of requirements without recreating the project?  For example, I may want to add another DISA STIG to my project later on.&lt;/P&gt;&lt;P&gt;Thanks for your help. Great tool!</description><pubDate>Wed, 23 Jan 2008 10:35:39 GMT</pubDate><dc:creator>hsconnor</dc:creator></item></channel></rss>