JP Vossen on 17 Nov 2018 08:59:57 -0800 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Re: [PLUG] DevOps practices/framework |
On 11/15/18 8:54 PM, JP Vossen wrote:
I've been asked at $WORK to see if there is some kind of best practices/framework/standard thing we can align to so we can be Big Company Buzzword Compliant. I'm aware of these so far but I have not yet read them in depth:
...Thanks to all who replied. I guess I was not 100% clear, because the Agile, etc., references were jokes, and the devops stuff is just background/context for what my team actually does. This has nothing to do with "devops" standards, it has to do with overall IT governance and general Big Company Buzzword Compliance.
Note the markup below is what I get when I copy & paste from my "Zim Desktop Wiki", which I left since it illustrates the other thread about alternatives to M$ Word. [ ] is a unchecked box, [*] is checked, [x] is red-Xed, * is a bullet, etc. Simple but awesome and plain text. It can tie into Git, BZR, & Hg too.
After spending Friday afternoon reading, I think I can make this one work: NIST: Framework for Improving Critical Infrastructure Cybersecurity ------------------------------------------------------------------- * https://en.wikipedia.org/wiki/NIST_Cybersecurity_Framework ### v1.1 2018-04-16 [*] https://www.nist.gov/cyberframework [*] wget https://doi.org/10.6028/NIST.CSWP.04162018 [*] 55 Pages: Framework for Improving Critical Infrastructure Cybersecurity * Version 1.1 * National Institute of Standards and Technology * April 16, 2018 I also read a bit about the following, just for reference. ### DHS: Cyber Resilience Review [*] https://en.wikipedia.org/wiki/Cyber_Resilience_Review* The Cyber Resilience Review (CRR) is an assessment method developed by the United States Department of Homeland Security (DHS).
That sounds good until you look at https://www.us-cert.gov/ccubedvp/assessments then download https://www.us-cert.gov/sites/default/files/c3vp/csc-crr-self-assessment-package.pdf and realize: WOW!!! This is a PDF that executes things! That sounds just ironically and AMAZINGLY insecure! And it Adobe garbage!
No. Just no. NIST ITL 800-series -------------------[*] https://www.nist.gov/itl/nist-special-publication-800-series-general-information
[*] Content free as far as I can tell [*] But it kind of points to the NIST framework above [*] 193 records: https://csrc.nist.gov/publications/sp### NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
[*] https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53* NIST Special Publication 800-53 provides a catalog of security controls for all U.S. federal information systems except those related to national security.
* http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf* Security and Privacy Controls for Federal Information Systems and Organizations
* http://dx.doi.org/10.6028/NIST.SP.800-53r4 * 462 pages! ITIL ---- [*] https://en.wikipedia.org/wiki/ITIL* After the initial publication in 1989–96, the number of books quickly grew within ITIL Version 1 to more than 30 volumes.
...* Changes and characteristics of the 2011 edition of ITIL. A summary of changes has been published by the UK Government. In line with the 2007 edition, the 2011 edition consists of five core publications...
30 books!? OK, down to 5 books now? Ummmm, no. ISO/IEC_20000 ------------- [*] https://en.wikipedia.org/wiki/ISO/IEC_20000 [*] Mostly content free, but basically ITIL ISO/IEC_27001 ------------- [*] https://en.wikipedia.org/wiki/ISO/IEC_27001 * AKA BS 7799, etc.* I've worked with this one before, I could make it work, but I like the NIST one better.
ISACA COBIT: Control Objectives for Information and Related Technologies ------------------------------------------------------------------------[*] Cheat sheet: http://miroslawdabrowski.com/downloads/COBIT5/COBIT%205%20-%20Cheatsheet%20%5Bv1.0,%20Minimarisk%5D.pdf
[*] https://en.wikipedia.org/wiki/COBIT* COBIT is a more generic superset of "more detailed IT standards and good practices such as COSO, ITIL, BiSL, ISO 27000, CMMI, TOGAF and PMBOK" so that's even less applicable for us.
The Common Criteria for Information Technology Security Evaluation ------------------------------------------------------------------ [*] https://en.wikipedia.org/wiki/Common_Criteria* I can argue it either way but I'm leaning to not applicable to my use case. * I've worked with this one before, I could make it work, but I like the NIST one better.
Thanks again, JP -- ------------------------------------------------------------------- JP Vossen, CISSP | http://www.jpsdomain.org/ | http://bashcookbook.com/ ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug