Mustafa wrote:
Isn't it possible to write all the controls in DCL and make it public? Because, in the sofware explanation it is written that all the controls can be done manually.
=====================
Not exactly. Certain controls can be measured manually, but for others it says things like:
$ !
$ ! For the DISK facility scripting language approaches are inadequate
$ ! and it is necessary to use an actual compiled language program to
$ ! test a complete VMS system in an acceptable amount of time.
$ !
The reason we released our interpretation of 800-53 to the public is that we realize that when we sell an LJK/Security license the value we provide is not the list itself (which anyone could create by carefully reading 800-53) but rather:
1. An efficient implementation to measure items on the list in a flexible fashion.
2. Ongoing support to add controls as standards change and VMS changes. Note that Revision 1 to 800-53 is due to be released in the next few months, as is VMS V8.3.
=====================
But Mustafa also wrote:
In the scope of COBIT process,
=====================
The business of ready-to-use policies based on an outside authority is a recent addition to LJK/Security. We have a series of policies based on 800-53 since it is the most specific policy around for application to operating systems.
We have two other policy sources currently planned, based on what we see as market demand, but neither of them is COBIT. Of course we would write a COBIT policy given a sufficiently large order, but...
...it is important to remember that there is nothing in the policy document that an LJK/Security user cannot write for themselves. The value we provide with the product is the efficient and secure testing of the policy. So you could write a COBIT policy (I presume, not having read COBIT) to use with LJK/Security.
But some rule sets from outside authorities lend themselves to automated testing better than others. In the US, the SOX, HIPPA and GLB rules are quite fuzzy regarding application to operating systems. Some from outside the US prefer the ISO (formerly BSI) standards, which started off quite weak but were made stronger once the authors got a look at 800-53.
=====================
For anyone who thinks they are going to write their own tool to measure the security configuration of a VMS system against 800-53 or a similarly specific standard, I would suggest they start with the hard stuff first, rather than being deluded by how easy it is to do the easy stuff. For your first effort, test
(DISK,FILEPROT,PERCENTHI)
which measures the percentage of users on the system who can access a file, in each of the 5 access modes allowed for files, for each file on each disk on the system. You are not going to accomplish that using DCL command procedures and have the first execution run to completion before your retirement date !
