... based on the requirements within the audit domain of NIST Special Publication (SP) 800-53, Department of Defense Instruction (DoDI) 8500.2, and ISO 15408-2. In [19], Leszczyna presented a systematic review to identify the most relevant smart grid standards, guidelines, technical reports, special publications, and regulations that provide guidance for security practitioners conducting comprehensive security assessments. Standard selection and evaluation criteria are clearly presented. The study showed that six smart grid or energy system standards provide details on security assessment processes that can be applied to Industrial Automation and Control Systems (IACS), substations, or all smart grid components. These standards offer general guidance, so they can still be used as a reference for assigning responsibilities or scheduling security assessment activities. A similar analysis is performed by Alcaraz et al. in [20], and a more detailed comparison of a smaller number of standards is performed in [21]. Since these papers can be classified as systematic literature reviews, none of them goes on to discuss potential model creation, but they present a good starting point for the work performed here.

Several methods for requirements prioritization have already been proposed in the literature [22]. Most of the proposed methods, if not all of them, can be applied to security requirements. Tariq et al. presented an interesting approach to the prioritization of information security controls in the context of cloud computing networks and wireless sensor networks using the fuzzy analytical hierarchy process (AHP) [23]. The authors consulted decision makers and defined seven major criteria for security control selection: implementation time, effectiveness, risk, budgetary constraints, exploitation time, maintenance cost, and mitigation time.
Each control was assigned a weight for every criterion, and the control with the highest score was selected as the best control. The proposed method was applied to ISO/IEC 27001 security controls. In [24], the authors propose an extension to threat modeling with the goal of enabling the prioritization of security requirements via a valuation graph that consists of assets, threats, and countermeasures. There have also been efforts to automate the prioritization of requirements using data mining and machine learning techniques [25], although effectiveness is limited by the algorithms used, and effort from the stakeholders is still required.

A collaborative effort by NIST and FedRAMP resulted in the creation of the Open Security Controls Assessment Language (OSCAL) [26]. OSCAL provides a common machine-readable meta-schema expressed in eXtensible Markup Language (XML), JavaScript Object Notation (JSON), and YAML Ain't Markup Language (YAML) for various compliance and risk management frameworks, as well as for sharing system security plans, security assessment plans, and reports. Its goal is to allow organizations to exchange information through automation and to provide interoperability. It is architected in layers, with the lowest layer being the Controls Layer, which contains a Catalog Model that models security control definitions and control assessment objectives and activities from any cybersecurity framework as, e.g., an XML file. Each file has a well-defined structure for easy conversion among the supported formats. The second part of the layer is the Profile Model, which models control baselines that are a customized subset of.
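To illustrate how the Catalog and Profile models fit together, the following added example (written for this page, not code from the paper or from NIST's OSCAL tooling) resolves a constructed, simplified OSCAL-style JSON catalog against a constructed profile and returns the baseline's control subset, flagging any control id the baseline references that the catalog does not define. The JSON layout is a trimmed approximation of the OSCAL catalog and profile structure; the UUIDs, href and control titles are placeholders.

```python
import json

# Constructed, simplified OSCAL-style catalog (layout modelled on the OSCAL
# Catalog Model but trimmed; not an official NIST document).
CATALOG_JSON = """
{"catalog": {"uuid": "00000000-0000-4000-8000-000000000001",
 "metadata": {"title": "Example catalog", "version": "1.0"},
 "groups": [
  {"id": "ac", "title": "Access Control", "controls": [
    {"id": "ac-1", "title": "Policy and Procedures"},
    {"id": "ac-2", "title": "Account Management"}]},
  {"id": "au", "title": "Audit and Accountability", "controls": [
    {"id": "au-2", "title": "Event Logging"},
    {"id": "au-6", "title": "Audit Record Review"}]}]}}
"""

# Constructed profile (baseline) selecting a subset of the catalog by control id.
PROFILE_JSON = """
{"profile": {"uuid": "00000000-0000-4000-8000-000000000002",
 "metadata": {"title": "Example audit baseline", "version": "1.0"},
 "imports": [{"href": "#placeholder-catalog",
              "include-controls": [{"with-ids": ["ac-2", "au-2", "au-6", "si-4"]}]}]}}
"""
CATALOG = json.loads(CATALOG_JSON)
PROFILE = json.loads(PROFILE_JSON)

def iter_controls(node):
    """Yield every control under a catalog or group, walking nested groups."""
    for ctl in node.get("controls", []):
        yield ctl
    for grp in node.get("groups", []):
        yield from iter_controls(grp)   # groups nest with the same shape

def resolve_profile(catalog_doc, profile_doc):
    """Return (resolved, missing): the controls the profile selects, in profile
    order, and the ids it references that the catalog does not define."""
    by_id = {c["id"]: c for c in iter_controls(catalog_doc["catalog"])}
    wanted = []
    for imp in profile_doc["profile"].get("imports", []):
        for sel in imp.get("include-controls", []):
            wanted.extend(sel.get("with-ids", []))
    resolved = [by_id[i] for i in wanted if i in by_id]
    missing = [i for i in wanted if i not in by_id]
    return resolved, missing

if __name__ == "__main__":
    ctls, miss = resolve_profile(CATALOG, PROFILE)
    print([c["id"] for c in ctls], "missing:", miss)
```

A non-empty `missing` list means the baseline references a control the imported catalog does not carry, which is exactly the kind of inconsistency a machine-readable format lets a tool catch before the baseline is shared.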