Greetings!
Like Stefan, I started off skimming the OEMF charter, but I must report
that I failed. To skim that is.
I'll just start at the beginning and while not hitting every issue, I'll
call out the major ones.
1.b
> The purpose of the Open Exposure Management Framework (OEMF) is to
> establish an unbiased, community framework to unite and direct the
> efforts in preventing, assessing, and resolving exposures in
> organizational technology.
I don't know the area but you are going to unite and direct efforts by
NIST, CIS, and Gartner?
> An aspiration to accommodate security domains such as Vulnerability
> Management and Cloud Security in a more detailed way than existing
> cybersecurity frameworks currently do.
So new work, not covered by NIST, CIS, and Gartner?
> An opportunity to standardize and structure how technology exposures
> are defined, discovered, prioritized, and acted upon.
Reworking technology exposures by NIST, CIS, and Gartner?
> A desire to outline tactical guidance around the processes and
> technologies that intersect Exposure Management.
Documentation? Not new standards?
> A present need for an independent, industry accepted scale for
> measuring Exposure Management maturity.
NIST, CIS, and Gartner don't think they have this already?
> 1. Propose a functional exposure management lifecycle.
> 2. Offer practitioners a common set of capability requirements per lifecycle stage.
> 3. Map capability requirements to prominent frameworks such as NIST, CIS, Gartner, etc.
> 4. Offer the Cybersecurity industry an acceptable maturity scale for Exposure Management.
> 5. Provide implementation parameters to achieve each maturity milestone.
> 6. Address data inconsistencies between disparate exposure data sources.
> 7. Map technology capabilities to the OEMF functional lifecycle.
With the exception of #3, are these missing from current frameworks?
I mention all of that because when I get to scope:
> The primary scope is to enable the Cybersecurity community with a
> series of best practices around Exposure Management. Following that,
> the project intends to provide a methodology for Cybersecurity
> professionals or partners to perform self-assessments in Exposure
> Management maturity, much like OWASP has done with the Software
> Assurance Maturity Model. Additionally, the project seeks to develop
> reference material that Cybersecurity professionals can leverage to
> tactically drive Exposure Management maturity within their respective
> organizations.
> As such, the main scope of the OEMF is to provide framework
> documentation and supplemental educational materials such as videos,
> presentations, images, and templates regarding Exposure Management.
All of those are good things, but fall short of being standards.
Is this some other type of beast we now have, Kelly?
I'm all for documentation, as Kelly knows, but standards are
prescriptive ("do it this way"), whereas documentation is "N says do it
this way, here is an example of M", etc.
As Stefan has noted, the schedule is aggressive to say the least.
Especially with so few TC meetings.
I think the charter could be greatly improved if the goal is creation
of a framework that encompasses, and gives specifics from, NIST, CIS, and
Gartner, to provide more detailed documentation and mapping between
similar exposure issues in all three.
Where you sense gaps, Vulnerability Management and Cloud Security for
example, do you intend to produce normative standards for them, being
mindful that the goal, up to a point, is to provide documentation for
existing standards?
It's the shifting from a desire to be normative versus being
documentation that makes the charter less clear.
BTW, are self-assessments normative or part of documentation (in your view)?
Sorry to go on at length but I sense the proposal has a lot of merit but
isn't cast as I would expect for a standards product.
Hope you are at the start of a great week!
Patrick