KEY POINTS

• “Cyber security standards enhance security and contribute to risk management in several important ways. Standards help establish common security requirements and the capabilities needed for secure solutions.” ~ Karen Scarfone, Dan Benigni and Tim Granc, National Institute of Standards and Technology (NIST), Gaithersburg, Maryland
• “Cyber security intelligence and information sharing is now top of mind in the executive suite across nearly every sector.” ~ Bill Nelson, President & CEO, Financial Services Information Sharing and Analysis Center (FS-ISAC) and CEO, Soltra
• “Standardization is the key to streamlining IT operations and reducing security risks.” ~ dgulling

This Ask the Experts session stems from a question originally posted on Quora titled “What is the Common Vulnerability Reporting Framework (CVRF)? How is it used?“

The Common Vulnerability Reporting Framework, or CVRF, is a reporting framework which is used to share information pertaining to security-related events in a standardized fashion. CVRF is XML-based, which allows it to be easily read by machines. By standardizing the reporting framework, security advisories can be produced faster, and shared with a broader audience as the framework doesn’t make use of any proprietary or closed-source software.

The following are several elements that appear in a security advisory adhering to the CVRF:

1. Title: cvrf:DocumentTitle
2. Type: cvrf:DocumentType
3. Publisher: cvrf:DocumentPublisher
4. Tracking: cvrf:DocumentTracking
5. Notes: cvrf:DocumentNotes
6. Distribution: cvrf:DocumentDistribution
7. Aggregate Severity: cvrf:AggregateSeverity
8. References: cvrf:DocumentReferences
9. Acknowledgements: cvrf:Acknowledgements
10. Product Tree: prod:ProductTree
11. Vulnerability: vuln:Vulnerability

*Elements 1–4 make up the minimum required attribute set of an advisory adhering to the CVRF however, these four elements fail to provide any useful information regarding security related events.

Additional information regarding the latest version of CVRF (version 1.2), as well as previous versions, can be found here.

Have any questions regarding standards and frameworks in the information security domain? Contact us and we will be glad continue the dialog! Do not forget to click here to subscribe to our weekly newsletter for more information security related tips and tricks.

Additional Resources

Common standards:

• International Organization for Standardization (ISO) 27001 – Information Security Management
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)