DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Transcription

1 DFARS Compliance SLAIT Consulting SECURITY SERVICES Mike D Arezzo Director of Security Services

2 Introduction 18+ year career in Information Technology and Security General Electric (GE) as Software Governance Leader and Third Party Risk Compliance University of Richmond Go Spiders! ISC2 CISSP & ISACA CISA

3 Building a Compliance Program Develop a comprehensive program that is secure and compliant A program your organization can support A maintainable program that is developed to be future proof There are 14 families of controls and 110 individual controls supporting NIST , the framework that provides guidance on supporting DFARS Compliance. In this presentation, Mike will walk through the controls and discuss some of the tricky points and questions you may have in supporting compliance for DFARS. Are you prepared to respond within 72 hours to a Cyber Incident and what is that defined as? The goal of this presentation is to walk new and/or unsure users through the compliance and begin preparations for the Dec deadline.

4 CDI versus CUI Controlled Unclassified Information Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order or the Atomic Energy Act, as amended. Much broader than CDI Think Category

5 CDI versus CUI Covered Defense Information Unclassified controlled technical information or other information () that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is: (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. As described in the Controlled Unclassified Information (CUI) Registry at

6 NIST DFARS Compliance (DFARS ) Deadline: December 31 st 2017

7 Control Families Access Control Awareness and Training Audit and Accountability Configuration Management Identification and Authentication Incident Response Maintenance Media Protection Personnel Security Physical Protection Risk Assessment Security Assessment System and Communications Protection System and Information Integrity

8 Access Data Classification Asset Management Access Levels and Compartmentalizing Network Segmentation Know Thyself

9 Data Lifecycle Data Lifecycle Requirements Storage requirements Transfer or cryptographic requirements Data Destruction requirements

10 Physical Security Privilege based access Visitor access processes Data center access Maintain logging of activities

11 Monitoring of Systems and Messaging Review of monitoring methodology Monitoring of internal to external communication Security Awareness and Training on Phishing attacks for your employees Protection from Whaling or attacks on management targets

12 Network Security Logical network design and road maps for growth Validation of network segmentation to avoid spillage Endpoint and network security for protection against virus and malicious code

13 Risk vs. Security Assessment Risk measures what may potentially affect you Loss X Potential = Risk Threat Dictionary Security Assessment reviews you environment Defense in Depth Test of Design and Test of Effectiveness

14 System and Communications Protection & Incident Response Network Intrusion Detection Log Management Vulnerability and Asset Management Scanning Incident Response Analysis and Prioritization Tabletop Exercise/ Threat Simulation

15 How Do I Get There? Visibility - Understand your data and projects Simplify - Create workflows to build new projects Observe, Analyze, Redirect, Review Sample Test to ensure controls are effective Collaborate!

16 Where to Get Help DoDI , Security of Unclassified DoD Information on Non-DoD Information Systems National Institute of Standards and Technology (NIST) Special Publication (SP) , Security and Privacy Controls for Federal Information Systems and Organizations NIST SP , Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations NIST Framework for Improving Critical Infrastructure Cybersecurity Federal Risk and Authorization Management Program (FedRAMP) DoD Cloud Computing Security Requirements Guide (SRG) Unclassified 4 DoDI , Security of Unclassified DoD From %20Jun%2023%202017%20Final.pdf?ver=

17 Six Security Pillars in the SLAIT ThreatManage USM Platform SLAIT ThreatManage USM SIEM Log Collection OTX Threat Data SIEM Event Correlation Incident Response ASSET DISCOVERY Active Network Scanning Passive Network Scanning Asset Inventory Software Inventory BEHAVIORAL MONITORING Netflow Analysis Service Availability Monitoring ENDPOINT RESPONSE SLAIT Threat Intelligence Flight Data Recorder Live Response Threat Actor Detection / Remediation THREAT DETECTION Network IDS Host IDS File Integrity Monitoring VULNERABILITY ASSESSMENT Continuous Vulnerability Monitoring Authenticated / Unauthenticated Active Scanning

18 SLAIT Security Offerings Governance Prevention Response Risk Assessment Policy and Procedure PCI Prep HIPAA Gap Analysis Audit Preparation Assistance Security Organization Review Security Checkup Managed Firewall and Endpoint Secure Infrastructure Design & Review viso Program Awareness Training Assessment Vulnerability Scanning Penetration Testing Phishing Exercises ThreatRecon Pre-breach Preparation ThreatManage Breach Response Cyber Forensics

19 Innovative Solutions for Forward Thinking Companies Some of SLAIT s Technology Partners

20 References ing_and_contracting_for_cloud_services_( ).pdf %20Jun%2023%202017%20Final.pdf?ver=