Four Deadly Traps of Using Frameworks NIST Examples

Four Deadly Traps of Using Frameworks: NIST 800-53 Examples
ISACA Feb. 2015 Meeting
Doug Landoll, dlandoll@lantego.com, (512) 633-8405

Session Agenda
Framework Definition & Uses
NIST 800-53 Framework Intro & Uses
Four Traps of Frameworks
Conclusion

Framework Definition
Framework: a skeletal structure designed to support something.
Security Frameworks: a structure to help organize and prioritize information security programs.

Security Framework Uses
Structure: organization for the creation or review of an information security program.
Reference: connection with other frameworks, standards, and requirements.
Completeness: thorough treatment of security controls.

NIST 800-53 Intro: FISMA Five
FIPS Pub 199: Security Categorization. System: Low, Moderate, or High.
FIPS Pub 200: Minimum Security Controls. 18 Control Families.
NIST 800-53: Recommended Security Controls. 800+ security controls.
NIST 800-53A: Techniques for Verifying Effectiveness. How to audit controls.
NIST 800-37: Guide for C&A. Certification & Accreditation Process.

SP 800-53 Catalog of Controls
Organized and structured set of security controls. 18 Security Control Families:
  ID  FAMILY                                  ID  FAMILY
  AC  Access Control                          MP  Media Protection
  AT  Awareness and Training                  PE  Physical and Environmental Protection
  AU  Audit and Accountability                PL  Planning
  CA  Security Assessment and Authorization   PS  Personnel Security
  CM  Configuration Management                RA  Risk Assessment
  CP  Contingency Planning                    SA  System and Services Acquisition
  IA  Identification and Authentication       SC  System and Communications Protection
  IR  Incident Response                       SI  System and Information Integrity
  MA  Maintenance                             PM  Program Management*

SP 800-53 Control Structure
Each security control has the following parts:
Control Ref. # and Name
Control Section
Supplemental Guidance
Control Enhancements
References
Priority & Baseline Allocation

Control Reference & Name
Within each security control family are a number of security controls. These security controls are numbered.
  Ref.  Name
  AU-1  Audit and Accountability Policy and Procedures
  AU-2  Audit Events
  AU-3  Content of Audit Records
  AU-4  Audit Storage Capacity
  AU-5  Response to Audit Processing Failures
  AU-6  Audit Review, Analysis, and Reporting
  AU-7  Audit Reduction and Report Generation
  AU-8  Time Stamps
  AU-9  Protection of Audit Information

Control Section
Each security control is described as a requirement.
Control: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

Supplemental Guidance
Supplemental guidance provides non-prescriptive additional information to guide the definition, development, and implementation of the security control: operational considerations, mission/business considerations, and risk assessment information.
Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11.

Control Enhancements
Control enhancements provide statements of security capability to add function/specificity to the control, or to increase the strength of the control.
Control Enhancements:
(1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION. The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information].
(2) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT. The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
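As an added example (not part of the slides), the AU-3 control statement above and its AU-3(1) enhancement can be turned into an assessment check: the code below walks constructed, newline-delimited JSON audit records in a hypothetical log format (field names such as event_type and source_addr are this example's assumptions) and reports, per record, which of the six AU-3 elements and which organization-defined extra fields it fails to establish.

```python
# Added example (not from the slides): check constructed audit records against
# the AU-3 control statement and an AU-3(1) organization-defined extension.
import json

# The six things AU-3 says a record must establish, mapped to the field names
# of a hypothetical newline-delimited JSON audit format assumed for this example.
AU3_ELEMENTS = {
    "what": "event_type",     # type of event
    "when": "timestamp",      # when it occurred
    "where": "host",          # where it occurred
    "source": "source_addr",  # source of the event
    "outcome": "outcome",     # success/failure or other result
    "identity": "user",       # individual or subject associated with it
}


def au3_gaps(record, extra_fields=()):
    """Return the AU-3 elements (and AU-3(1) extras) this record fails to establish.

    A missing key and an empty value are both gaps: a record that says nothing
    about the outcome does not 'establish' it.
    """
    gaps = [name for name, field in AU3_ELEMENTS.items() if not record.get(field)]
    gaps += [f"extra:{field}" for field in extra_fields if not record.get(field)]
    return gaps


def assess_log(text, extra_fields=()):
    """Map each non-compliant record's line index to its gaps; compliant ones are omitted."""
    findings = {}
    for index, line in enumerate(text.strip().splitlines()):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            findings[index] = ["unparseable"]  # a record the assessor cannot read establishes nothing
            continue
        gaps = au3_gaps(record, extra_fields)
        if gaps:
            findings[index] = gaps
    return findings


# Constructed sample log: one complete record, two with gaps, one garbage line.
SAMPLE_LOG = """
{"timestamp": "2015-02-10T09:12:44Z", "event_type": "file_read", "host": "app01", "source_addr": "10.0.0.5", "outcome": "success", "user": "alice", "filename": "/srv/data/report.csv"}
{"timestamp": "2015-02-10T09:13:02Z", "event_type": "config_change", "host": "app01", "source_addr": "10.0.0.9"}
{"event_type": "login", "host": "app02", "source_addr": "10.0.0.7", "outcome": "failure", "user": "bob"}
not a json record
"""

if __name__ == "__main__":
    print(assess_log(SAMPLE_LOG))                              # AU-3 only
    print(assess_log(SAMPLE_LOG, extra_fields=("filename",)))  # plus an AU-3(1) assignment
```

The second call treats "filename" as the organization-defined additional information of AU-3(1), so the same records pick up an extra gap each.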

References
The References section includes a list of applicable documents relevant to the security control: federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

Priority & Baseline Allocation
Priority provides guidance for sequencing decisions.
Baseline Allocation is the starting point for the security control selection process based on system categorization (Low, Moderate, High); the catalog shows one column per baseline: LOW, MOD, HIGH.

Control Assignment
Controls may be augmented through assignment and selection options within control statements. Assignment: organizationally defined.
Example (800-53, AU-2 AUDIT EVENTS): (3) AUDIT EVENT REVIEWS AND UPDATES. The organization reviews and updates the audited events [Assignment: organization-defined frequency].

Control Selection
Controls may be augmented through assignment and selection options within control statements. Selection: organizationally defined.
Example (800-53, IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION): Control: The information system uniquely identifies and authenticates [Assignment: organizational defined specific and/or types of devices] before establishing a [Selection (one or more): local, remote, network] connection.
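The assignment and selection mechanism of the two slides above, as an added example that is not from the slides: a small resolver that fills the [Assignment: ...] and [Selection ...: ...] placeholders of a control statement from organization-defined values and refuses a selection the catalog does not offer (the function name resolve_control and the organization values are this example's assumptions).

```python
# Added example (not from the slides): resolve the [Assignment: ...] and
# [Selection ...: ...] parameters of a control statement from organization-defined
# values, rejecting choices the catalog does not offer.
import re

# Placeholder syntax as printed in SP 800-53: "[Assignment: text]",
# "[Selection: a, b]" and "[Selection (one or more): a, b, c]".
PARAM = re.compile(r"\[(Assignment|Selection)(?: \(([^)]*)\))?: ([^\]]+)\]")


def resolve_control(statement, org_values):
    """Return the tailored statement; org_values is keyed by each placeholder's own text.

    Raises ValueError for a placeholder with no organization-defined value, a
    selection value the catalog does not list, or several values where the
    catalog allows only one, so tailoring stays inside what the catalog permits.
    """
    def fill(match):
        kind, qualifier, body = match.group(1), match.group(2), match.group(3).strip()
        if body not in org_values:
            raise ValueError(f"no organization-defined value for {kind}: {body}")
        chosen = org_values[body]
        if kind == "Assignment":
            return chosen
        allowed = [option.strip() for option in body.split(",")]
        picks = [chosen] if isinstance(chosen, str) else list(chosen)
        rejected = [pick for pick in picks if pick not in allowed]
        if rejected:
            raise ValueError(f"selection value(s) not offered by the catalog: {rejected}")
        if qualifier != "one or more" and len(picks) != 1:
            raise ValueError(f"selection allows exactly one of {allowed}, got {picks}")
        return ", ".join(picks)

    return PARAM.sub(fill, statement)


# The two control statements quoted on the slides.
AU2_3 = "The organization reviews and updates the audited events [Assignment: organization-defined frequency]."
IA3 = ("The information system uniquely identifies and authenticates "
       "[Assignment: organizational defined specific and/or types of devices] "
       "before establishing a [Selection (one or more): local, remote, network] connection.")

# Constructed organization-defined values for this example.
ORG_VALUES = {
    "organization-defined frequency": "annually",
    "organizational defined specific and/or types of devices": "VPN concentrators and managed laptops",
    "local, remote, network": ["remote", "network"],
}

if __name__ == "__main__":
    print(resolve_control(AU2_3, ORG_VALUES))
    print(resolve_control(IA3, ORG_VALUES))
```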

NIST Security Controls: Risk-based Process
An organizational risk assessment validates the initial security control selection and determines if additional controls are needed.
Example: System categorization (Standard Protected) determines the initial security control selection. The organizational system risk assessment provides the rationale for additional, compensating, or deleted security controls relative to the initial selection.

Framework Uses: NIST 800-53 Example
Structure: 18 Security Control Families.
Reference: includes crosswalks to ISO 27001 & CC (CC -> 800-53; 800-53 -> CC; ISO 27001 -> 800-53; 800-53 -> ISO 27001).
Completeness: organizational, management and technical controls.

Example Policies Based on 800-53 Framework
  Policy #  Policy Name                                  Policy #  Policy Name
  P8110     Data Classification                          P8310     Account Management
  P8120     Information Security Program                 P8320     Access Control
  P8130     System Security Acquisition                  P8330     System Security Audit
  P8210     Security Awareness Training and Education    P8340     Identification and Authentication
  P8220     System Security Maintenance                  P8350     System and Communication Protection
  P8230     Contingency Planning                         P8410     System Privacy
  P8240     Incident Response Planning
  P8250     Media Protection
  P8260     Physical Protections
  P8270     Personnel Security Control
  P9280     Acceptable Use

Four Framework Traps
1. False Frameworks
2. Compliance via Assertion
3. Tailoring by Judgment
4. One and Done

False Frameworks
Regulations and Standards are not frameworks: they are incomplete and focus solely on specific data and security policies (HIPAA, PCI DSS).
Industry Best Practices: no available references, not industry recognized, likely incomplete and not structured. AKA "our own secret sauce"; smoke and mirrors.

Compliance via Assertion
Embracing a framework is step one. Next steps: interpret, apply, assess, address gaps.

Tailoring by Judgment
Frameworks are tailorable through an exception process or a risk-based process. Tailoring based on gaps, judgment, and cost limits the benefits of a framework.

One and Done
A security program based on a framework will require maintenance.
Frameworks get updates: ISO 27001/2 updated Sept 2013; NIST 800-53 updated April 2013; COBIT 5 updated 2012.
Other updates: references, mappings, business & customer requirements.
Reassess regularly.

Conclusions
Determine the appropriate framework for the business.
Add requirements (these are not frameworks).
Embrace the framework and its tailoring process.
Beware framework traps.
It's just a framework; there is a lot more work to do.