Risk assessment schema: Extend to three question types and provide validation #63

Open
rafael5 opened this issue Mar 25, 2019 · 5 comments

rafael5 commented Mar 25, 2019

My review of the VA's risk assessment questionnaire shows there are at least three types of answer responses.

  • Text
  • SingleOption
  • MultiOption

Recommendations

  1. If the YAML scheme does not have these three data response types, it will need to be extended to do so.

  2. The YAML scheme also needs to provide the capability for data quality validation (i.e. for NULL, REQUIRED, MIN=1, MAX=1 responses) via scripts.

See a specific example of the three question response types, with data validation specified. This example is from RiskVision:

RiskVision Q&A Scheme

Survey Header

Survey Name:	1-2 System Information
Asset Name:     VistA Adaptive Maintenance (VAM) Assessing
Asset Type:     System
Asset Subtype:  Assessing
Asset Owner:    Robert Disko
Due Date:       2018-04-13

Question-Response Items

QuestionNumber      {Number}
ControlReference    {Text}
QuestionTitle       {Text}
Question            {Text}
ResponseType        Text
    Text            {Text; NULL}        REQUIRED
    Flag?           {Y / N; NULL}       OPTIONAL
    Comments        {Text; NULL}        OPTIONAL
    MyNewComments   {Text; NULL}        OPTIONAL
    Implementation  {Text; NULL}        OPTIONAL
    RemediationPlan {Text; NULL}        OPTIONAL


QuestionNumber:     3
ControlReference    AC-02.E04
QuestionTitle:      Operational Status
Question:           What is the system operational status?
ResponseType        Single Option
    SingleOption    #2            REQUIRED (MIN=1, MAX=1 response)
        Option#1     Unassigned
        Option#2     Acquisitions/Development
        Option#3     Operations/Maintenance
        Option#4     Disposition
        ...
    Flag?           {Y / N; NULL}       OPTIONAL
    Comments        {Text; NULL}        OPTIONAL
    MyNewComments   {Text; NULL}        OPTIONAL
    Implementation  {Text; NULL}        OPTIONAL
    RemediationPlan {Text; NULL}        OPTIONAL 

QuestionNumber      5
ControlReference    AC-02.E04
QuestionTitle       Ensure Documentation Attached
Question            Ensure you have attached the following documentation, 
                    or appropriate evidence for each area
ResponseType        MultiOption
    MultiOption     #1,....           REQUIRED (MIN=1; MAX=none response)
                #1      System Security Plan
                #2      Risk Assessment
                #3      Configuration Management Plan
                #4      Disaster Recovery Plan
                #5      Incident Response Plan
                #6      IS Contingency Plan
                #7      Interconnection Security Agreement
                #8      Memorandum of Understanding (MOU)
                #9      Privacy Impact Assessment (PIA)
                #10     ISCP Testing Results (ISCP TR)
                #11     DRP Testing Results (DRP TR)
    Flag?           {Y / N; NULL}       OPTIONAL
    Comments        {Text; NULL}        OPTIONAL
    MyNewComments   {Text; NULL}        OPTIONAL
    Implementation  {Text; NULL}        OPTIONAL
    RemediationPlan {Text; NULL}        OPTIONAL
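
The validation rules listed in the issue above (NULL, REQUIRED, MIN=1/MAX=1 for SingleOption, MIN=1/MAX=none for MultiOption), sketched as a script. This is an added example, not part of the original issue and not OpenControl or RiskVision code; the dictionary keys (`type`, `required`, `options`, `min`, `max`) and the function name are assumptions, and the sample questions are constructed from questions 3 and 5 with the option list shortened.

```python
# Added illustration: validation rules for the three response types in the issue.
# Keys (type, required, options, min, max) are assumed, not an OpenControl schema.

def validate_response(question, answer):
    """Return a list of error strings; an empty list means the answer is valid."""
    rtype = question["type"]
    required = question.get("required", False)
    errors = []

    if rtype == "Text":
        if answer is not None and not isinstance(answer, str):
            return ["Text response must be a string or NULL"]
        if required and (answer is None or not answer.strip()):
            errors.append("Text response is REQUIRED")
        return errors

    if rtype not in ("SingleOption", "MultiOption"):
        return [f"unknown ResponseType {rtype!r}"]

    # Option types: the answer is a list of 1-based option numbers (None = NULL).
    selected = [] if answer is None else list(answer)
    n_options = len(question["options"])
    bad = [n for n in selected if type(n) is not int or not 1 <= n <= n_options]
    if bad:
        return [f"option #{n} is not defined" for n in bad]
    if len(set(selected)) != len(selected):
        errors.append("duplicate option selected")

    # Defaults: SingleOption is MIN=1, MAX=1; MultiOption is MIN=1, MAX=none.
    lo = question.get("min", 1 if required else 0)
    hi = question.get("max", 1 if rtype == "SingleOption" else None)
    if len(selected) < lo:
        errors.append(f"at least {lo} option(s) required")
    if hi is not None and len(selected) > hi:
        errors.append(f"at most {hi} option(s) allowed")
    return errors


# Constructed sample questions, modelled on questions 3 and 5 in the issue.
Q3 = {"type": "SingleOption", "required": True,
      "options": ["Unassigned", "Acquisitions/Development",
                  "Operations/Maintenance", "Disposition"]}
Q5 = {"type": "MultiOption", "required": True,
      "options": ["System Security Plan", "Risk Assessment",
                  "Configuration Management Plan"]}

if __name__ == "__main__":
    for q, a in [(Q3, [2]), (Q3, [1, 2]), (Q5, [1, 3]), (Q5, None)]:
        print(q["type"], a, validate_response(q, a) or "OK")
```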

afeld commented Mar 25, 2019

Having OpenControl Components also serve as (essentially) survey templates would be a pretty major expansion. This feels out of scope to me - curious to hear from others.

rafael5 commented Mar 25, 2019 via email

shawndwells commented Mar 25, 2019 via email

rafael5 commented Mar 25, 2019 via email

afeld commented Mar 25, 2019

cc #58
