Check out free courses @ convocourses.com
Class act. Thank you for offering to help our veterans!
Our pleasure!
Just want to say, man, your page has been a big help. Greatly appreciated.
thank you so much :) Glad to hear it!
Where would the security control assessor find the recommended remediation fix for failed controls to support the POAM without running a scan?
An SCA can find the remediation fixes or "expected results" in several places:
- Vulnerability scan results usually have the solutions to the finding (Nessus calls it plugin output or solution).
- For operational issues, the expected result is what the organization states in the policy (frequency of scans, backup schedule, audit log reviews).
- For policy and procedures, every industry has a certain standard and requirement for documents. One example is the government's FISMA, which states that all organizations should have a security policy and they should address every control.
A great resource for expected results is NIST 800-53A.
If there are immediate fixes to findings, do you still have to create a POAM?
Where can I find that control list?
Little late I know, but what you're looking for is NIST SP 800-53.
☝️👍
Huh