Four Deadly Traps of Using Frameworks NIST Examples
|
|
- Bathsheba Higgins
- 5 years ago
- Views:
Transcription
1 Four Deadly Traps of Using Frameworks NIST Examples ISACA Feb Meeting Doug Landoll (512)
2 Session Agenda Framework Definition & Uses NIST Framework Intro & Uses Four Traps of Frameworks Conclusion
3 Framework Definition Framework skeletal structure designed to support something. Security Frameworks structure to help organize and prioritize information security programs.
4 Security Framework Uses Structure Organization for the creation or review of an information security program Reference Connection with other frameworks, standards, and requirements. Completeness Thorough treatment of security controls
5 NIST Intro: FISMA Five FIPS Pub 199: Security Categorization System: Low, Moderate, or High How to audit controls NIST A: Techniques for Verifying Effectiveness FIPS Pub 200: Minimum Security Controls 18 Control Families 800+ security controls NIST : Recommended Security Controls NIST : Guide for C&A Certification & Accreditation Process
6 SP Catalog of Controls Organized and structured set of security controls 18 Security Control Families ID FAMILY ID FAMILY AC Access Control MP Media Protection AT Awareness and Training PE Physical and Environmental Protection AU Audit and Accountability PL Planning CA Security Assessment an Authorization PS Personnel Security CM Configuration Management RA Risk Assessment CP Contingency Planning SA System and Services Acquisition IA Identification and Authentication SC System and Communications Protection IR Incident Response SI System and Information Integrity MA Maintenance PM Program Management*
7 Control Ref. # and Name Control Section Supplemental Guidance SP Control Structure Security Control Structure Control Enhancements References Priority & Baseline Allocation
8 Control Reference & Name Within each security control family are a number of security controls. These security controls are numbered. Ref. AU-1 AU-2 AU-3 AU-4 AU-5 AU-6 AU-7 AU-8 AU-9 Audit and Accountability Policy and Procedures Audit Events Content of Audit Records Audit Storage Capacity Response to Audit Processing Failures Audit Review, Analysis, and Reporting Audit Reduction and Report Generation Time Stamps Protection of Audit Information
9 Control Section Each security control is describes as a requirement. Control: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
10 Supplemental Guidance Supplemental guidance provides non-prescriptive additional information to guide the definition, development, and implementation of the security control. Operational considerations Mission/business considerations Risk assessment information. Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI- 11.
11 Control Enhancements Control enhancements provide statements of security capability to: Add function/specificity to the control, or Increase the strength of the control. Control Enhancements: (1) CONTENT OF AUDIT RECORDS ADDITIONAL AUDIT INFORMATION The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. (2) CONTENT OF AUDIT RECORDS CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
12 References References section includes a list of applicable documents relevant to the security control: federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines
13 Priority & Baseline Allocation Priority provides guidance for sequencing decisions Baseline Allocation starting point for the security control selection process based on system categorization (Low, Moderate, High) LOW MOD HIGH
14 Control Assignment Controls may be augmented through assignment and selection options within control statements. Assignment: Organizationally defined AU-2 AUDIT EVENTS The organization: (3) AUDIT EVENT REVIEWS AND UPDATES The organization reviews and updates the audited events [Assignment: organization-defined frequency]. Example
15 Control Selection Controls may be augmented through assignment and selection options within control statements. Selection: Organizationally defined IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION Control: The information system uniquely identifies and authenticates [Assignment: organizational defined specific and/or types of devices] before establishing a [Selection (one or more): local, remote, network] connection. Example
16 NIST: Security Controls: Risk-based Process An organizational risk assessment validates the initial security control selection and determines if additional controls are needed. Example: System categorization (Standard Protected) determines initial security control selection. Organizational System risk assessment provides rationale for additional, compensating, or deleted security controls from initial selection.
17 Framework Uses: NIST Example Structure 18 Security Control Families Reference Includes crosswalks to ISO27001 & CC CC -> ; > CC ISO > ; > ISO Completeness Organizational, Management and Technical Controls
18 Example Policies Based on Framework Policy # Policy Name Policy # Policy Name P8110 Data Classification P8310 Account Management P8120 Information Security Program P8320 Access Control P8130 System Security Acquisition P8330 System Security Audit P8210 Security Awareness Training and Education P8340 Identification and Authentication P8220 System Security Maintenance P8350 System and Communication Protection P8230 Contingency Planning P8410 System Privacy P8240 P8250 P8260 P8270 P9280 Incident Response Planning Media Protection Physical Protections Personnel Security Control Acceptable Use
19 Four Framework Traps 1. False Frameworks 2. Compliance via Assertion 3. Tailoring by Judgment 4. One and Done
20 False Frameworks Regulations and Standards not Frameworks: Incomplete and focus solely on specific data and security policies HIPAA PCI DSS Industry Best Practices No available references, not industry recognized, likely incomplete and not structured. AKA: Our own secret sauce Smoke and Mirrors
21 Compliance via Assertion Embracing a Framework is step one. Next Steps Interpret Apply Assess Address gaps
22 Tailoring by Judgment Frameworks are tailorable through an exception process or a risk based process. Tailoring based on gaps, judgment, and cost limits the benefits of a framework
23 One and Done A security program based on a framework will require maintenance Frameworks get updates ISO 27001/2: Updated Sept 2013 NIST : Updated April 2013 COBIT 5: Updated 2012 Other Updates References, Mappings, Business & Customer Requirements Reassess regularly
24 Conclusions Determine appropriate framework for the business Add requirements (these are not frameworks) Embrace the framework and its tailoring process Beware framework traps It s just a framework there is a lot more work to do.
MINIMUM SECURITY CONTROLS SUMMARY
APPENDIX D MINIMUM SECURITY CONTROLS SUMMARY LOW-IMPACT, MODERATE-IMPACT, AND HIGH-IMPACT INFORMATION SYSTEMS The following table lists the minimum security controls, or security control baselines, for
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationMapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls
Mapping of FedRAMP Tailored LI SaaS Baseline to ISO 27001 Security Controls This document provides a list of all controls that require the Cloud Service Provider, Esri, to provide detailed descriptions
More informationINTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST
INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE Aeronautical Telecommunication Network Implementation Coordination Group (ATNICG) ASIA/PAC RECOMMENDED SECURITY CHECKLIST September 2009
More informationSAC PA Security Frameworks - FISMA and NIST
SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance
More informationUsing Metrics to Gain Management Support for Cyber Security Initiatives
Using Metrics to Gain Management Support for Cyber Security Initiatives Craig Schumacher Chief Information Security Officer Idaho Transportation Dept. January 2016 Why Metrics Based on NIST Framework?
More informationEvolving Cybersecurity Strategies
Evolving Cybersecurity Strategies NIST Special Publication 800-53, Revision 4 ISSA National Capital Chapter April 17, 2012 Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL
More informationENTS 650 Network Security. Dr. Edward Schneider
ENTS 650 Network Security Dr. Edward Schneider http://www.ece.umd.edu/class/ents650/ Schneide@umd.edu Stallings. Cryptography and Network Security, 4e. Prentice-Hall. 2006. NIST Special Pubs: csrc.nist.gov/publications/pubssps.html
More informationCloudCheckr NIST Audit and Accountability
CloudCheckr NIST 800-53 Audit and Accountability FISMA NIST 800-53 (Rev 4) Audit and Accountability: Shared Public Cloud Infrastructure Standards Standard Requirement per NIST 800-53 (Rev. 4) CloudCheckr
More informationProtecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations
Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations January 9 th, 2018 SPEAKER Chris Seiders, CISSP Security Analyst Computing Services and Systems Development
More informationexisting customer base (commercial and guidance and directives and all Federal regulations as federal)
ATTACHMENT 7 BSS RISK MANAGEMENT FRAMEWORK PLAN [L.30.2.7, M.2.2.(7), G.5.6; F.2.1(41) THROUGH (76)] A7.1 BSS SECURITY REQUIREMENTS Our Business Support Systems (BSS) Risk MetTel ensures the security of
More informationSecurity Control Mapping of CJIS Security Policy Version 5.3 Requirements to NIST Special Publication Revision 4 4/1/2015
U. S. Department of Justice Federal Bureau of Investigation Criminal Justice Information Services Division Security Control Mapping of CJIS Security Policy Version 5.3 s to NIST Special Publication 800-53
More informationCSAM Support for C&A Transformation
CSAM Support for C&A Transformation Cyber Security Assessment and Management (CSAM) 1 2 3 4 5 Five Services, One Complete C&A Solution Mission/Risk-Based Policy & Implementation/Test Guidance Program Management
More informationNIST SP , Revision 1 CNSS Instruction 1253
NIST SP 800-53, Revision 1 CNSS Instruction 1253 Annual Computer Security Applications Conference December 10, 2009 Dr. Ron Ross Computer Security Division Information Technology Laboratory Introduction
More informationBig Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation
Big Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation Bill Valyo CA Technologies February 7, 2013 Session #12765 Quick Abstract: About this Presentation This presentation
More informationBecause Security Gives Us Freedom
Because Security Gives Us Freedom PANOPTIC CYBERDEFENSE CYBERSECURITY LEADERSHIP Panoptic Cyberdefense is a monitoring and detection service in three levels: Security Management and Reporting Managed Detection
More informationDoes a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?
Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA
Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA Information Security Policy and Procedures Identify Risk Assessment ID.RA Table of Contents Identify
More informationACHIEVING COMPLIANCE WITH NIST SP REV. 4:
ACHIEVING COMPLIANCE WITH NIST SP 800-53 REV. 4: How Thycotic Helps Implement Access Controls OVERVIEW NIST Special Publication 800-53, Revision 4 (SP 800-53, Rev. 4) reflects the U.S. federal government
More informationUsing ACR 2 Reports. 4. Deficiency.pdf - a cross listing of missing or underperforming safeguards with risk categories for this system at this time.
Using ACR 2 Reports Creating Compliance Action Plans After entering and reviewing system data on information security, users will receive either a baseline or an update set of reports depending on whether
More informationAttachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan
Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan DRAFT December 13, 2006 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203
More informationSYSTEMS ASSET MANAGEMENT POLICY
SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security
More informationRecommended Security Controls for Federal Information Systems and Organizations
NIST Special Publication 800-53 Revision 3 Excerpt Recommended Security Controls for Federal Information Systems and Organizations JOINT TASK FORCE TRANSFORMATION INITIATIVE HIGH-IMPACT BASELINE I N F
More informationWHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3
WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3 ABSTRACT This white paper is Part 2 in a three-part series of white papers on the sometimes daunting subject of continuous monitoring
More informationThe "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:
Major Enhancements to NIST SP 800-53 Revision 4 BD Pro The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP 800-53 states: "The proposed changes included in Revision 4
More informationNIST Special Publication
NIST Special Publication 800-53 Practical Application of the Minimum Baseline Security Controls Graydon S. McKee IV CISSP, GSEC A Framework for All Seasons With the finalization of Federal Information
More informationDFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions
DFARS 252.204.7012 Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions By Jonathan Hard, CEO And Carol Claflin, Director of Business Development H2L
More informationBuilding Secure Systems
Building Secure Systems Antony Selim, CISSP, P.E. Cyber Security and Enterprise Security Architecture 13 November 2015 Copyright 2015 Raytheon Company. All rights reserved. Customer Success Is Our Mission
More informationSafeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)
Page 1 of 7 Section O Attach 2: SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013) 252.204-7012 Safeguarding of Unclassified Controlled Technical Information. As prescribed in 204.7303,
More informationIASM Support for FISMA
Introduction Most U.S. civilian government agencies, and commercial enterprises processing electronic data on behalf of those agencies, are concerned about whether and how Information Assurance products
More informationInformation Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events
Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events Location: Need the right URL for this document https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/detect/ndcbf_i
More informationSecurity Standards Compliance NIST SP Release 4 Trend Micro Products (Deep Security and SecureCloud) - Version 1.1
Security Standards Compliance NIST SP 800-53 Release 4 Trend Micro Products (Deep Security and SecureCloud) - Version 1.1 Document TMIC-003-N Version 1.1, 24 August 2012 1 Security and Privacy Controls
More informationSecurity Management Models And Practices Feb 5, 2008
TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity November 2017 cyberframework@nist.gov Supporting Risk Management with Framework 2 Core: A Common Language Foundational for Integrated Teams
More informationCompliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations
VARONIS COMPLIANCE BRIEF NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) 800-53 FOR FEDERAL INFORMATION SYSTEMS CONTENTS OVERVIEW 3 MAPPING NIST 800-53 CONTROLS TO VARONIS SOLUTIONS 4 2 OVERVIEW
More informationInteragency Advisory Board Meeting Agenda, December 7, 2009
Interagency Advisory Board Meeting Agenda, December 7, 2009 1. Opening Remarks 2. FICAM Segment Architecture & PIV Issuance (Carol Bales, OMB) 3. ABA Working Group on Identity (Tom Smedinghoff) 4. F/ERO
More informationInformation Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC
Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_
More informationFiscal Year 2013 Federal Information Security Management Act Report
U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Fiscal Year 2013 Federal Information Security Management Act Report Status of EPA s Computer Security Program Report. 14-P-0033 vember 26,
More informationLeveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements.
Leveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements. Thomas Chimento Ph.D., CISSP, CCE, CISA Product Manager Webroot Software
More informationDoD Guidance for Reviewing System Security Plans and the NIST SP Security Requirements Not Yet Implemented This guidance was developed to
DoD Guidance for Reviewing System Security Plans and the s Not Yet Implemented This guidance was developed to facilitate the consistent review and understanding of System Security Plans and Plans of Action,
More informationRed Hat Enterprise Linux (RHEL) 5.3 Certified Linux Integration Platform (CLIP) Security Requirements Analysis
Red Hat Enterprise Linux (RHEL) 5.3 Certified Linux Integration Platform (CLIP) Security Requirements Analysis Prepared By: Tresys Technology, LLC March 17, 2009 Table of Contents 1 Introduction... 1 1.1.
More informationInformation Security Risk Strategies. By
Information Security Risk Strategies By Larry.Boettger@Berbee.com Meeting Agenda Challenges Faced By IT Importance of ISO-17799 & NIST The Security Pyramid Benefits of Identifying Risks Dealing or Not
More informationThe Cybersecurity Risk Management Framework Applied to Enterprise Risk Management
The Cybersecurity Risk Management Framework Applied to Enterprise Risk Management Session 43, March 6, 2018 Barry S. Herrin, JD, FAHIMA, FACHE Founder, Herrin Health Law, PC 1 Conflict of Interest Barry
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationAnnex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems
Annex 1 to NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Minimum Security Controls Low Baseline AC-1 ACCESS CONTROL POLICY AND PROCEDURES The organization
More informationFederal Information Security Management Act (FISMA) Operational Controls and Their Relationship to Process Maturity
Federal Information Security Management Act (FISMA) Operational Controls and Their Relationship to Process Maturity Ronda Henning rhenning@harris.com The Basic Premise of This Presentation Proper preparation
More informationAnnex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems
Annex 3 to NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Minimum Security Controls High Baseline Includes updates through 04-22-2005 AC-1 ACCESS CONTROL
More informationInternational Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management. Frequently Asked Questions
November 2002 International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management Introduction Frequently Asked Questions The National Institute of Standards and Technology s
More informationHITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.
HITRUST CSF Assurance Program HITRUST CSF Assurance Program The Need Organizations facing multiple and varied assurance requirements from a variety of parties Increasing pressure and penalties associated
More informationThe HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information
The HITRUST CSF A Revolutionary Way to Protect Electronic Health Information June 2015 The HITRUST CSF 2 Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity,
More informationEXABEAM HELPS PROTECT INFORMATION SYSTEMS
WHITE PAPER EXABEAM HELPS PROTECT INFORMATION SYSTEMS Meeting the Latest NIST SP 800-53 Revision 4 Guidelines SECURITY GUIDELINE COMPLIANCE There has been a rapid increase in malicious insider threats,
More informationImproving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework
1 Improving Critical Infrastructure Cybersecurity Executive Order 13636 Preliminary Cybersecurity Framework 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
More information10/12/2017 WHAT IS NIST SP & WHY SHOULD I CARE ABOUT IT? OVERVIEW SO, WHAT IS NIST?
WHAT IS NIST SP 800-53 & WHY SHOULD I CARE ABOUT IT? CHRIS JACKSON, STATE OF OHIO, OBM IT AUDIT MANAGER DANIEL MILKS, STATE OF OHIO, OBM SENIOR IT AUDITOR OVERVIEW Background & Understanding Importance
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.
More informationTop 10 ICS Cybersecurity Problems Observed in Critical Infrastructure
SESSION ID: SBX1-R07 Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure Bryan Hatton Cyber Security Researcher Idaho National Laboratory In support of DHS ICS-CERT @phaktor 16 Critical
More informationNIST Special Publication
NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Ryan Bonner Brightline WHAT IS INFORMATION SECURITY? Personnel Security
More informationAssurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant
Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework Keith Price Principal Consultant 1 About About me - Specialise in cybersecurity strategy, architecture, and assessment -
More informationFedRAMP: Understanding Agency and Cloud Provider Responsibilities
May 2013 Walter E. Washington Convention Center Washington, DC FedRAMP: Understanding Agency and Cloud Provider Responsibilities Matthew Goodrich, JD FedRAMP Program Manager US General Services Administration
More informationNIST SP Controls
NIST SP 800-53 Controls and Netwrix Auditor Mapping www.netwrix.com Toll-free: 888-638-9749 About FISMA / NIST The Federal Information Security Management Act of 2002 (commonly abbreviated to FISMA) is
More informationREAD ME for the Agency ATO Review Template
READ ME for the Agency ATO Review Template Below is the template that the FedRAMP Program Management Office (PMO) uses when reviewing an Agency ATO package. Agencies and CSPs should be cautious to not
More informationCompliance & Security in Azure. April 21, 2018
Compliance & Security in Azure April 21, 2018 Presenter Bio Jeff Gainer, CISSP Senior Information Security & Risk Management Consultant Senior Security Architect Have conducted multiple Third-Party risk
More informationWRITTEN INFORMATION SECURITY PROGRAM (WISP) ACME Business Consulting, Inc.
WRITTEN INFORMATION SECURITY PROGRAM (WISP) ACME Business Consulting, Inc. TABLE OF CONTENTS WRITTEN INFORMATION SECURITY PROGRAM (WISP) OVERVIEW 9 INTRODUCTION 9 PURPOSE 9 SCOPE & APPLICABILITY 10 POLICY
More informationMark Hofman SANS Institute/Shearwater Solutions
Risk and Compliance Mark Hofman SANS Institute/Shearwater Solutions 06 November 2012 The risks we face Agenda How are we compromised o The standards we face Why do they fail? How can they work? What else
More informationFISMA Compliance. with O365 Manager Plus.
FISMA Compliance with O365 Manager Plus www.o365managerplus.com About FISMA The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that made it a requirement
More informationHITRUST CSF: One Framework
HITRUST CSF: One Framework Leveraging the HITRUST CSF to Support ISO, HIPAA, & NIST Implementation and Compliance, and SSAE 16 SOC Reporting Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP Senior
More informationChecklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)
Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, InfraGard Compliance Mandates Key Regulations
More informationControlled Unclassified Information (CUI) and FISMA: an update. May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner
Controlled Unclassified Information (CUI) and FISMA: an update May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner What is FISMA? Federal Information Security Modernization Act
More informationRansomware. How to protect yourself?
Ransomware How to protect yourself? ED DUGUID, CISSP, VCP CONSULTANT, WEST CHESTER CONSULTANTS Ransomware Ransomware is a type of malware that restricts access to the infected computer system in some way,
More informationRev.1 Solution Brief
FISMA-NIST SP 800-171 Rev.1 Solution Brief New York FISMA Cybersecurity NIST SP 800-171 EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker delivers business critical
More informationNIST Special Publication
DATASHEET NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations Mapping for Carbon Black BACKGROUND The National Institute of Standards and Technology
More informationCybersecurity & Privacy Enhancements
Business, Industry and Government Cybersecurity & Privacy Enhancements John Lainhart, Director, Grant Thornton The National Institute of Standards and Technology (NIST) is in the process of updating their
More informationNew Guidance on Privacy Controls for the Federal Government
New Guidance on Privacy Controls for the Federal Government IAPP Global Privacy Summit 2012 March 9, 2012 Dr. Ron Ross Computer Security Division, NIST Martha Landesberg, J.D., CIPP/US The Privacy Office,
More informationDavid Missouri VP- Governance ISACA
David Missouri VP- Governance ISACA Present-Senior Agency Information Security Officer (SAISO) @GA DJJ 2012-2016 Information System Security Officer (ISSO) @ US DOL WHD 2011-2012 Network Administrator
More informationISACA Arizona May 2016 Chapter Meeting
ISACA Arizona May 2016 Chapter Meeting Suzanne Farr / Carlos A. Villalba Agenda Introduction Preliminary questions CCM Preliminaries Definition Benefits Challenges Beyond Templates Questions 1 Background
More informationExecutive Order 13556
Briefing Outline Executive Order 13556 CUI Registry 32 CFR, Part 2002 Understanding the CUI Program Phased Implementation Approach to Contractor Environment 2 Executive Order 13556 Established CUI Program
More informationCyber Security Standards Developments
INTERNATIONAL ELECTROTECHNICAL COMMISSION Cyber Security Standards Developments Bart de Wijs Head of Cyber Security Power Grids Division ABB b.v. Frédéric Buchi Sales&Consulting Cyber Security Siemens
More informationBuilding More Secure Information Systems
Building More Secure Information Systems A Strategy for Effectively Managing Enterprise Risk Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Why Standardization? Security Visibility
More informationDOT/DHS: Joint Agency Work on Vehicle Cyber Security
DOT/DHS: Joint Agency Work on Vehicle Cyber Security Principal Investigator (PI): Kevin Harnett DOT-Volpe Center s Advanced Vehicle Technology Division August 16, 2017 The National Transportation Systems
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS IA Policies, Procedures, The Information Assurance (IA) Policies, Procedures, encompasses existing policies, procedures,
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Network Mapping The Network Mapping helps visualize the network and understand relationships and connectivity between
More informationInformation Technology Branch Organization of Cyber Security Technical Standard
Information Technology Branch Organization of Cyber Security Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 1 November 20, 2014 Approved:
More informationCompliance with NIST
Compliance with NIST 800-171 1 What is NIST? 2 Do I Need to Comply? Agenda 3 What Are the Requirements? 4 How Can I Determine If I Am Compliant? 5 Corserva s NIST Assessments What is NIST? NIST (National
More informationSecurity and Privacy Controls for Federal Information Systems and Organizations Appendix F
NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations Appendix F NOTE: THIS DOCUMENT PROVIDES A MARKUP OF CHANGES MADE TO SP 800-53,
More informationCOMPLIANCE IN THE CLOUD
COMPLIANCE IN THE CLOUD 3:45-4:30PM Scott Edwards, President, Summit 7 Dave Harris Society for International Affairs COMPLIANCE IN THE CLOUD Scott Edwards scott.edwards@summit7systems.com 256-541-9638
More informationIncreasing Security Guidelines Framework Efficiency
Increasing Guidelines Framework Efficiency Yury Chemerkin Russian State University for the Humanities (RSUH), Moscow, Russia Abstract There are many security guidelines, standards and best practices are
More informationHow To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation
How To Establish A Compliance Program Richard E. Mackey, Jr. Vice president SystemExperts Corporation Agenda High level requirements A written program A sample structure Elements of the program Create
More informationTREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Treasury Inspector General for Tax Administration Federal Information Security Management Act November 10, 2010 Reference Number: 2011-20-003 This report
More informationNIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF) Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical solutions that transform high-volume cryptic log data into actionable, prioritized
More informationFramework for Improving Critical Infrastructure Cybersecurity
1 Framework for Improving Critical Infrastructure Cybersecurity Standards Certification Education & Training Publishing Conferences & Exhibits Dean Bickerton ISA New Orleans April 5, 2016 A Brief Commercial
More informationBYOD. Transformation. Joe Leonard Director, Secure Networks. April 3, 2013
BYOD Transformation April 3, 2013 Joe Leonard Director, Secure Networks Agenda Joe Leonard Introduction CIO Top 10 Tech Priorities What is BYOD? BYOD Trends BYOD Threats Security Best Practices HIPAA Security
More informationCONTINUOUS VIGILANCE POLICY
CONTINUOUS VIGILANCE POLICY Policy: Policy Owner: Continuous Vigilance CIO Change Management Original Implementation Date: 8/30/2017 Effectie Date: 8/30/2017 Reision Date: Approed By: NIST Cyber Security
More informationCrown Jewels Risk Assessment: Cost- Effective Risk Identification
SESSION ID: GRC-W11 Crown Jewels Risk Assessment: Cost- Effective Risk Identification Douglas J. Landoll, CISSP, MBA, ISSA Distinguished Fellow CEO Lantego @douglandoll Information Security Risk Assessment
More informationStreamlined FISMA Compliance For Hosted Information Systems
Streamlined FISMA Compliance For Hosted Information Systems Faster Certification and Accreditation at a Reduced Cost IT-CNP, INC. WWW.GOVDATAHOSTING.COM WHITEPAPER :: Executive Summary Federal, State and
More informationData Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory
Audience: NDCBF IT Security Team Last Reviewed/Updated: March 2018 Contact: Henry Draughon hdraughon@processdeliveysystems.com Overview... 2 Sensitive Data Inventory and Classification... 3 Applicable
More informationNW NATURAL CYBER SECURITY 2016.JUNE.16
NW NATURAL CYBER SECURITY 2016.JUNE.16 ADOPTED CYBER SECURITY FRAMEWORKS CYBER SECURITY TESTING SCADA TRANSPORT SECURITY AID AGREEMENTS CONCLUSION QUESTIONS ADOPTED CYBER SECURITY FRAMEWORKS THE FOLLOWING
More informationHITRUST CSF Updates: How v10 and MyCSF 2.0 Improve Your HITRUST Experience. Michael Frederick, HITRUST VP Operations Ken Vander Wal, HITRUST CCO
HITRUST CSF Updates: How v10 and MyCSF 2.0 Improve Your HITRUST Experience Michael Frederick, HITRUST VP Operations Ken Vander Wal, HITRUST CCO Topics 1. HITRUST s Approach to CSF v10 2. Changes to the
More informationRisk-Based Cyber Security for the 21 st Century
Risk-Based Cyber Security for the 21 st Century 7 th Securing the E-Campus Dartmouth College July 16, 2013 Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF
More informationTop Reasons To Audit An IAM Program. Bryan Cook Focal Point Data Risk
Top Reasons To Audit An IAM Program Bryan Cook Focal Point Data Risk Focal Point Data Risk A New Type of Risk Management Firm THE FACTS Born from the merger of three leading security & risk management
More information