40. What is the Security Content Automation Protocol (SCAP) and why are information security policies and procedures so important, and do you offer comprehensive I.T. security documentation?

The Security Content Automation Protocol (SCAP) is a collection of specifications that standardize the format and nomenclature by which software flaws and security configuration information are communicated, both to information systems and to human beings. Simply stated, it is a framework of standards and specifications supporting, according to NIST SP 800-126, automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.

As such, one of the goals of SCAP is to standardize system security management and create true interoperability among security products, while “fostering the use of standard expressions of security content”. SCAP version 1.2, as defined in NIST SP 800-126 Revision 2, consists of eleven (11) component specifications within the following five (5) categories:

  • Languages – XCCDF (checklists and benchmarks), OVAL (machine-readable system checks), and OCIL (interactive questionnaires)
  • Reporting Formats – ARF (Asset Reporting Format) and Asset Identification
  • Enumerations – CPE (platforms), CCE (configuration issues), and CVE (software flaws)
  • Measurement and Scoring Systems – CVSS (vulnerability severity) and CCSS (configuration weakness severity)
  • Integrity – TMSAD (Trust Model for Security Automation Data, i.e., digital signatures over SCAP content)

Supporting the five (5) categories above are numerous standardized reference data sets and related information published by sites under the MITRE umbrella, such as CCE, CVE, OVAL, and many others. Additionally, according to the Executive Summary of NIST SP 800-126, Revision 2, SCAP is receiving widespread adoption by major software manufacturers and has become a “significant” component of large information security management initiatives. Visit http://csrc.nist.gov/publications/PubsSPs.html and download the official NIST SP 800-126, Revision 2, to learn more.
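To make the “standard expressions of security content” point concrete, the following is an added example (not part of the original page, and not code from NIST, MITRE, or any SCAP scanner) showing how one SCAP language (an XCCDF TestResult) and one SCAP enumeration (CCE identifiers) are consumed by a script rather than read by a person. The embedded XCCDF document is a constructed, trimmed sample; the rule ids, hostname, and CCE identifiers in it are hypothetical, and the scoring is a simplified flat model (pass/fixed count as passing; fail/error/unknown count against; notapplicable, notchecked, notselected, and informational are excluded).

```python
"""Parse a minimal XCCDF 1.2 TestResult and summarize rule outcomes.

Added example, not from the original page. The XML below is a constructed,
abbreviated TestResult of the kind a SCAP scanner embeds in an ARF report;
all rule ids, the hostname and the CCE identifiers are hypothetical.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# Constructed sample input (hypothetical identifiers).
SAMPLE_RESULT = f"""
<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult_demo"
            start-time="2024-01-01T00:00:00" end-time="2024-01-01T00:05:00">
  <target>host.example.internal</target>
  <rule-result idref="xccdf_example_rule_sshd_permit_root" severity="high">
    <result>fail</result>
    <ident system="http://cce.mitre.org">CCE-00000-1</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_password_min_len" severity="medium">
    <result>pass</result>
    <ident system="http://cce.mitre.org">CCE-00000-2</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled" severity="medium">
    <result>notapplicable</result>
    <ident system="http://cce.mitre.org">CCE-00000-3</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_firewall_enabled" severity="low">
    <result>error</result>
  </rule-result>
</TestResult>
"""

# XCCDF result values that count toward a score; the others
# (notapplicable, notchecked, notselected, informational) are excluded.
SCORED = {"pass", "fixed", "fail", "error", "unknown"}
PASSING = {"pass", "fixed"}


def parse_rule_results(xml_text):
    """Return one dict per <rule-result>: rule id, severity, outcome, idents."""
    root = ET.fromstring(xml_text)
    results = []
    for rr in root.findall("xccdf:rule-result", NS):
        result_el = rr.find("xccdf:result", NS)
        outcome = "unknown"
        if result_el is not None and result_el.text:
            outcome = result_el.text.strip()
        idents = [i.text.strip() for i in rr.findall("xccdf:ident", NS) if i.text]
        results.append({
            "rule": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": outcome,
            "idents": idents,
        })
    return results


def summarize(results):
    """Simplified flat score plus the CCE ids of every failing rule."""
    counts = Counter(r["result"] for r in results)
    scored = [r for r in results if r["result"] in SCORED]
    passed = sum(1 for r in scored if r["result"] in PASSING)
    score = 100.0 * passed / len(scored) if scored else 0.0
    failing_cces = sorted(
        ident for r in results if r["result"] == "fail" for ident in r["idents"]
    )
    return {"counts": dict(counts), "score": round(score, 1),
            "failing_cces": failing_cces}


if __name__ == "__main__":
    rows = parse_rule_results(SAMPLE_RESULT)
    for r in rows:
        print(f"{r['result']:<14} {r['severity']:<7} {r['rule']}  {' '.join(r['idents'])}")
    print(summarize(rows))
```

Because the outcome and the CCE identifier are carried in standard elements rather than in vendor-specific report text, the same script works against results from any SCAP-validated scanner, which is the interoperability the specification set exists to provide.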

The Importance of Information Security Policies and Procedures

As for the need for information security policies and procedures, it is important to note that many of the activities SCAP automates (configuration, vulnerability, and patch checking) are helpful for regulatory compliance (e.g., FISMA, HIPAA, etc.), so documenting those activities is also crucial. The place to start is with us and the FLANK21 set of documented operational, business-specific, and information security policies, procedures, and more, which contains literally hundreds of policy templates, forms, checklists, and provisioning and hardening documents. Regulatory compliance, no matter what the law or industry-specific directive is, shares one very common requirement: documented policies and procedures, such as those offered by FLANK.