Risk assessment schema: Extend to three question types and provide validation #63
Comments
Having OpenControl Components also serve as (essentially) survey templates would be a pretty major expansion. This feels out of scope to me - curious to hear from others. |
If OpenControl cannot integrate the risk assessment questionnaires to
controls - which is the largest component of what agencies do now with
heavyweight tools like RiskVision and eMASS - then there is no argument to
replace those heavyweight tools with something more lightweight like
OpenControl.
It won't be possible to see OpenControl as an alternative without this
feature.
|
NIST OCIL was specifically developed for interactive checklist content (part of the SCAP portfolio of standards).
Have you had a chance to review OCIL?
… On Mar 25, 2019, at 9:04 AM, Aidan Feldman ***@***.***> wrote:
Having OpenControl Components also serve as (essentially) survey templates would be a pretty major expansion. This feels out of scope to me - curious to hear from others.
|
I am looking at OCIL now. Thank you!
https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/Specifications/ocil
|
cc #58 |
My review of the VA's risk assessment questionnaire shows there are at least three types of answer responses.
Recommendations
If the YAML scheme does not have these three data response types, it will need to be extended to do so.
The YAML scheme also needs to provide the capability for data quality validation (i.e. for NULL, REQUIRED, MIN=1, MAX=1 responses) via scripts.
See a specific example of the three question response types, with data validation specified. This example is from RiskVision:
RiskVision Q&A Scheme
Survey Header
Question-Response Items