Tips for Passing an Audit or Assessment


Rob Wayt, CISSP-ISSEP, HCISPP, CISM, CISA, CRISC, CEH, QSA, ISO 27001 Lead Auditor. Senior Security Engineer, Structured Communication Systems.

Who likes audits?

Compliance requirements: PCI DSS, NERC CIP, HIPAA, FERPA, CJIS, ISO 27001, FISMA / NIST SP 800-53, NIST SP 800-171, NIST Cybersecurity Framework, SOC 1/2/3, GLBA/NCUA, SOX, CIS 20 Critical Security Controls.

Compliance vs. security: compliance is the low bar. Your security controls can and should go well beyond it.

The findings: the most common findings our assessors see on security assessments.

Data inventory: What is your sensitive data? Where is it? Any person, process, or system that transmits, stores, or processes sensitive information is in scope.

Segment by data security level: encrypt data whenever it traverses a lower level (for PCI, use P2PE). Tools for this include micro-segmentation, zero trust, and private VLANs.

Asset inventory: use a dynamically updated system that covers all in-scope hardware, or manually keep the inventory current with every addition and removal. Track owner, purpose, IP address, hostname, and location where possible.

Account management: run reports for 90 days of inactivity; set account expiration dates; validate the month prior and disable on the last day; require management approval of access.
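The review the slide describes, as an added example (not from the slides): it flags enabled accounts with no logon in 90 days, accounts expiring within the next 30 days that still need the owner's re-validation, and accounts whose last day is today. The account export is constructed and its field names (name, last_logon, expires, enabled) are assumptions; swap in the columns of your own AD or IdP export.

```python
"""Account-management review over a constructed account export.

Added example, not from the slides: flags enabled accounts inactive for 90 days,
accounts whose expiration is within the next 30 days (validate the month prior),
and accounts whose expiration is today or past (disable on the last day).
The field names (name, last_logon, expires, enabled) are assumptions.
"""
from datetime import date, timedelta

INACTIVITY_DAYS = 90       # PCI DSS 8.1.4: remove or disable accounts inactive for 90 days
VALIDATE_AHEAD_DAYS = 30   # re-confirm the business need with the owner a month before expiry
REVIEW_DATE = date(2018, 6, 30)

# Constructed sample export (think of an AD / IdP dump); ISO dates, or None for "never".
SAMPLE_ACCOUNTS = [
    {"name": "jdoe",        "last_logon": "2018-05-01", "expires": None,         "enabled": True},
    {"name": "contractor1", "last_logon": "2018-06-10", "expires": "2018-06-30", "enabled": True},
    {"name": "intern2",     "last_logon": "2018-01-15", "expires": "2018-07-15", "enabled": True},
    {"name": "svc_backup",  "last_logon": None,         "expires": None,         "enabled": True},
    {"name": "old_admin",   "last_logon": "2017-10-01", "expires": None,         "enabled": False},
]


def _to_date(value):
    return date.fromisoformat(value) if value else None


def review_accounts(accounts, today):
    """Return findings grouped by required action. Disabled accounts are skipped here;
    they belong on a separate deletion report, not on the inactivity one."""
    inactive_cutoff = today - timedelta(days=INACTIVITY_DAYS)
    validate_horizon = today + timedelta(days=VALIDATE_AHEAD_DAYS)
    findings = {"inactive": [], "validate": [], "disable_today": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        last_logon = _to_date(acct["last_logon"])
        expires = _to_date(acct["expires"])
        # never-logged-on counts as inactive; a service account with no logon record
        # deserves the same "why does this exist?" question as a dormant user
        if last_logon is None or last_logon < inactive_cutoff:
            findings["inactive"].append(acct["name"])
        if expires is not None:
            if expires <= today:
                findings["disable_today"].append(acct["name"])
            elif expires <= validate_horizon:
                findings["validate"].append(acct["name"])
    return findings


def run_sample():
    return review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for action, names in run_sample().items():
        print(f"{action:14s} {', '.join(names) or '(none)'}")
```

Run it on the real export on a schedule and keep the output: the dated reports are exactly the evidence an assessor asks for when checking that the 90-day rule is operated rather than merely written down.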

Multi-factor authentication: U2F, push, or OTP for all admin access and for all access to sensitive information (OWA, VPN, cloud). Know the difference between multi-factor and multi-step: the factors must be independent of one another.

Use a SIEM! Not just purchase one: feed it every in-scope system and every security system, keep clocks synchronized with NTP so events correlate, and confirm that logging is actually turned on.

Change management: document all configuration changes, including approvals and roll-back plans.

Patching: don't stop at the operating system. Patch non-OS software (Java, Flash) and network devices. End of support means compensating controls.

Network access control: account for MAC spoofing. DHCP is not a security mechanism.

Authorized software: keep an inventory of applications. Whitelist the approved and blacklist the rest, or use another form of application control. Use file integrity monitoring (FIM) on executables, system files, and application files.
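A minimal file integrity monitor, as an added example (not from the slides): hash every file under a directory into a baseline, persist it, and diff the current tree against it to report added, removed, and modified files. demo() builds a throw-away directory with constructed file names so it runs offline; point build_baseline() at your own executable and configuration paths in practice.

```python
"""File-integrity monitoring: SHA-256 baseline, then diff against the current tree.

Added example, not from the slides. demo() builds a throw-away directory so it runs
offline; the file names in it are constructed. A real deployment persists the
baseline somewhere the monitored host cannot rewrite it (signed, or on the SIEM).
"""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every regular file under root (symlinks skipped)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Return added, removed and modified relative paths (sorted, so reports are stable)."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a fake application directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        script = os.path.join(root, "bin", "backup.sh")
        conf = os.path.join(root, "app.conf")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\nrsync -a /data /backup\n")
        with open(conf, "w") as fh:
            fh.write("debug=0\n")
        # round-trip through JSON, the way an agent would store and reload the baseline
        baseline = json.loads(json.dumps(build_baseline(root)))

        # tamper: append to the script, drop a new binary, delete the config
        with open(script, "a") as fh:
            fh.write("echo tampered\n")
        with open(os.path.join(root, "bin", "update.exe"), "wb") as fh:
            fh.write(b"MZ\x90\x00")
        os.remove(conf)
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The one design point that matters for an audit: the baseline must be updated only through change management. If the agent silently re-baselines after every change, the FIM proves nothing, and an assessor who asks "who approved this hash change?" will get no answer.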

Secure configurations: use benchmarks (CIS, NIST, STIGs) for all systems. Apply them by GPO and build them into the gold disk image.
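What a benchmark check actually does, as an added example (not from the slides): parse an sshd_config the way sshd reads it (first occurrence of a keyword wins, Match blocks are conditional) and compare the effective settings against a subset of the CIS Distribution Independent Linux sshd recommendations. The defaults table is OpenSSH 7.x behaviour for absent directives, which matters because a missing line can fail the benchmark just as a wrong one does. Both config samples are constructed.

```python
"""Secure-configuration check: an sshd_config against a subset of the CIS Linux benchmark.

Added example, not from the slides. The benchmark subset follows the CIS Distribution
Independent Linux sshd recommendations; DEFAULTS is OpenSSH 7.x behaviour when a
directive is absent. Both config samples are constructed.
"""

# directive -> (human-readable requirement, predicate over the lower-cased value)
BENCHMARK = {
    "permitrootlogin":         ("no",              lambda v: v == "no"),
    "permitemptypasswords":    ("no",              lambda v: v == "no"),
    "x11forwarding":           ("no",              lambda v: v == "no"),
    "maxauthtries":            ("4 or less",       lambda v: v.isdigit() and int(v) <= 4),
    "ignorerhosts":            ("yes",             lambda v: v == "yes"),
    "hostbasedauthentication": ("no",              lambda v: v == "no"),
    "loglevel":                ("INFO or VERBOSE", lambda v: v in ("info", "verbose")),
}

# What sshd uses when the directive is missing: an absent directive can still fail the benchmark.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "ignorerhosts": "yes",
    "hostbasedauthentication": "no",
    "loglevel": "info",
}

WEAK_CONFIG = """\
# constructed sample: a lightly edited stock sshd_config
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 6
#PermitEmptyPasswords no      <- commented out, so the default applies
"""

HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
LogLevel VERBOSE
Match Address 10.10.0.0/16
    X11Forwarding yes
"""


def parse_sshd_config(text):
    """Return the effective top-level directives, lower-cased, mirroring sshd's rules:
    the first occurrence of a keyword wins, '=' may separate keyword and value, and
    everything after the first Match block is conditional (review those blocks separately)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in effective:
            effective[key] = parts[1].strip().lower()
    return effective


def check_sshd_config(text):
    """Return a list of (directive, observed value, requirement) for each failed benchmark item."""
    effective = parse_sshd_config(text)
    failures = []
    for key, (requirement, is_ok) in BENCHMARK.items():
        observed = effective.get(key, DEFAULTS[key])
        if not is_ok(observed):
            failures.append((key, observed, requirement))
    return failures


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_sshd_config(cfg) or "PASS")
```

The Match block in the hardened sample is deliberate: the checker stops there, as the top-level benchmark does, but an assessor will read it. Conditional overrides need their own review, or they become the place where exceptions quietly accumulate.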

Vulnerability scans: use authenticated scans and include all in-scope assets.

Admin privileges: no local admins, not even for IT. Use separate accounts for admin functions (RunAs, sudo). Log and alert on everything: added accounts, failed logins, additions to admin groups.
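The "log and alert on everything" bullet above and the SIEM slide earlier are served by one added example (not from the slides): detection logic for added accounts, failed-logon bursts, and additions to privileged groups, run over constructed Windows Security events. The event IDs are the real ones (4720 user created, 4625 failed logon, 4728/4732/4756 member added to a security-enabled group); the JSON field names, the sample events, the thresholds and the privileged-group list are assumptions to tune for your environment.

```python
"""Detection logic for the admin-privilege events the slide says to log and alert on,
run over constructed Windows Security log lines.

Added example, not from the slides. Event IDs are the real Windows ones (4720 user
created, 4625 failed logon, 4728/4732/4756 member added to a security-enabled group);
the JSON field names and the sample events are constructed. The threshold, window and
privileged-group list are assumptions you would tune to your environment.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins", "schema admins"}
GROUP_ADD_IDS = {4728, 4732, 4756}
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)
NEW_ACCOUNT_WINDOW = timedelta(hours=1)   # account created and made admin within an hour

# Constructed sample, shaped loosely like forwarded Windows Security events (one JSON object per line).
SAMPLE_LOG = """\
{"ts": "2018-06-30T08:00:01", "event_id": 4625, "target_user": "jdoe",   "src_ip": "10.1.1.50"}
{"ts": "2018-06-30T08:00:05", "event_id": 4625, "target_user": "jdoe",   "src_ip": "10.1.1.50"}
{"ts": "2018-06-30T08:00:09", "event_id": 4625, "target_user": "admin",  "src_ip": "10.1.1.50"}
{"ts": "2018-06-30T08:00:12", "event_id": 4625, "target_user": "root",   "src_ip": "10.1.1.50"}
{"ts": "2018-06-30T08:00:15", "event_id": 4625, "target_user": "backup", "src_ip": "10.1.1.50"}
{"ts": "2018-06-30T08:30:00", "event_id": 4625, "target_user": "jdoe",   "src_ip": "10.1.1.51"}
{"ts": "2018-06-30T09:15:00", "event_id": 4720, "target_user": "helpdesk2", "subject_user": "jsmith"}
{"ts": "2018-06-30T09:15:30", "event_id": 4732, "target_user": "helpdesk2", "group": "Remote Desktop Users", "subject_user": "jsmith"}
{"ts": "2018-06-30T09:16:00", "event_id": 4732, "target_user": "helpdesk2", "group": "Administrators", "subject_user": "jsmith"}
"""


def detect(lines):
    """Return a list of (alert_type, key, detail) tuples in the order they fire.
    Ordering relies on the event timestamps, which is why the SIEM slide insists on NTP."""
    alerts = []
    failures_by_source = defaultdict(deque)   # src_ip -> timestamps inside the window
    created_at = {}                            # user -> when a 4720 created it
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        eid = ev["event_id"]
        if eid == 4720:
            created_at[ev["target_user"]] = ts
            alerts.append(("account_created", ev["target_user"], ev["subject_user"]))
        elif eid in GROUP_ADD_IDS and ev["group"].lower() in PRIVILEGED_GROUPS:
            user = ev["target_user"]
            # a brand-new account going straight into an admin group is a classic persistence move
            recent = user in created_at and ts - created_at[user] <= NEW_ACCOUNT_WINDOW
            kind = "new_account_made_admin" if recent else "privileged_group_add"
            alerts.append((kind, user, ev["group"]))
        elif eid == 4625:
            window = failures_by_source[ev["src_ip"]]
            window.append(ts)
            while window and ts - window[0] > FAILED_LOGON_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGON_THRESHOLD:
                alerts.append(("failed_logon_burst", ev["src_ip"], len(window)))
                window.clear()   # fire once per burst, not on every subsequent failure
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Note what does not fire: the single failure from 10.1.1.51 and the add to Remote Desktop Users. An assessor will ask for exactly this kind of tuned rule plus a ticket showing someone looked at the alert, not for a raw 4625 feed.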

IoT: don't allow it on your network. Change the admin credentials on everything.

USB storage: don't allow it, or limit its use. Set auto-scan on insertion and encrypt on use.

Firewalls: only allow authorized ports and protocols, inbound AND outbound. Restrict inbound connections to the inside network. Test your segmentation. Use web content filtering.
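"Test your segmentation" means more than a port scan that comes back empty, so here is an added example (not from the slides) of the probe a practitioner runs from a host in the less-trusted segment against the protected one. It distinguishes a dropped packet (timeout, what a deny rule should produce) from a connection refused (the firewall passed the packet and only the absence of a listener saved you). demo() uses loopback listeners so it runs offline; the host/port lists are assumptions.

```python
"""Segmentation test: probe flows that should be allowed and flows that should be blocked,
and treat 'connection refused' on a supposedly blocked flow as a finding.

Added example, not from the slides. Run it from a host in the less-trusted segment
against the targets in the protected one; demo() uses loopback listeners so it works
offline. The host/port lists are assumptions for illustration.
"""
import socket


def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt.
    open        handshake completed
    refused     RST came back: the host is reachable and nothing dropped the packet
    filtered    timeout: packets dropped, which is what a deny rule should look like
    unreachable no route / network down
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"


def verify_segmentation(expect_allowed, expect_blocked, timeout=2.0):
    """Return a list of findings (empty means the rule set behaves as documented).
    'refused' on an expected-blocked flow is a finding: a closed port is not segmentation."""
    findings = []
    for host, port in expect_allowed:
        result = probe(host, port, timeout)
        if result != "open":
            findings.append(f"expected allowed but {result}: {host}:{port}")
    for host, port in expect_blocked:
        result = probe(host, port, timeout)
        if result in ("open", "refused"):
            findings.append(f"expected blocked but {result}: {host}:{port}")
    return findings


def demo():
    """Offline demonstration on loopback: one listening port (allowed flow) and one
    closed port that a firewall was supposed to block."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return verify_segmentation([("127.0.0.1", open_port)],
                                   [("127.0.0.1", closed_port)], timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Keep the expected-allowed and expected-blocked lists in version control next to the firewall rule documentation: together with the dated output they are the segmentation-test evidence PCI asks for, and diffing them over time shows when a rule change silently opened a path.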

DLP: decrypt SSL/TLS and send in-scope data types to the DLP. Host-based DLP is effective against insider threats.

Encrypt sensitive data in motion and at rest, including archive systems (Laserfiche, e-mail archive flat files) and backups.

Wireless: segmentation, authentication, and detection of rogue access points.

Application development: separate development environment; peer review of code; OWASP Top 10; WAF.

Policies: worse than the audit itself. Make sure each policy is implemented and followed. Don't forget incident response, disaster recovery, and the business continuity plan.

Accounting and HR: preparation needs to include these areas. They store too much information and never purge anything, and they are more fun to audit than the IT staff.

SSL/TLS and SHA-1: use TLS 1.2 (the slide also allowed TLS 1.1, which has since been deprecated by RFC 8996; TLS 1.2 and 1.3 are the current choice). SSL and TLS 1.0 are weak, and PCI DSS required migration off SSL and early TLS by June 30, 2018. SHA-1 signed certificates are still seen in the field.
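The weak setting beside the corrected one, as an added example (not from the slides): a linter for nginx `ssl_protocols` and Apache `SSLProtocol` lines. Apache's `all` / `-X` / `+X` grammar is where most mistakes hide, since `SSLProtocol all -SSLv3` (standard advice for years) still leaves TLS 1.0 and 1.1 enabled. Both config fragments are constructed. TLS 1.1 is in the weak set because RFC 8996 deprecated it after this talk was given.

```python
"""Lint web-server TLS protocol settings for SSL and early TLS, and show the corrected line.

Added example, not from the slides. Handles nginx 'ssl_protocols' and Apache 'SSLProtocol'.
Both config fragments are constructed. TLS 1.1 is in the weak set because RFC 8996 (2021)
deprecated it after this talk; the recommended set is therefore TLS 1.2 and 1.3.
"""
import re

ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

_NGINX = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)
_APACHE = re.compile(r"^\s*SSLProtocol\s+([^\n#]+)", re.MULTILINE)

NGINX_WEAK = "server {\n    listen 443 ssl;\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NGINX_FIXED = NGINX_WEAK.replace("SSLv3 TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3")
# 'all -SSLv3' was the standard advice for years; it still leaves TLS 1.0 and 1.1 switched on.
APACHE_WEAK = "<VirtualHost *:443>\n    SSLEngine on\n    SSLProtocol all -SSLv3\n</VirtualHost>\n"
APACHE_FIXED = APACHE_WEAK.replace("all -SSLv3", "-all +TLSv1.2 +TLSv1.3")


def apache_enabled(spec):
    """Expand an Apache SSLProtocol value into the list of protocols it enables.
    'all' means SSLv3 plus every TLS version the build supports (httpd 2.4 dropped SSLv2);
    '-X' removes, '+X' or bare 'X' adds; tokens apply left to right."""
    enabled = set()
    for tok in spec.split():
        name = tok.lstrip("+-")
        if name.lower() == "all":
            targets = {p for p in ALL_PROTOCOLS if p != "SSLv2"}
        else:
            targets = {name}
        if tok.startswith("-"):
            enabled -= targets
        else:
            enabled |= targets
    return [p for p in ALL_PROTOCOLS if p in enabled]


def lint_tls_protocols(conf):
    """Return one finding per directive that enables a weak protocol, as
    (line number, enabled list, weak subset, corrected directive). Empty list means pass."""
    candidates = []
    for m in _NGINX.finditer(conf):
        candidates.append((m, m.group(1).split(), "ssl_protocols TLSv1.2 TLSv1.3;"))
    for m in _APACHE.finditer(conf):
        candidates.append((m, apache_enabled(m.group(1)), "SSLProtocol -all +TLSv1.2 +TLSv1.3"))
    findings = []
    for m, enabled, fix in candidates:
        weak = [p for p in enabled if p in WEAK]
        if weak:
            line_no = conf[:m.start()].count("\n") + 1
            findings.append((line_no, enabled, weak, fix))
    return findings


if __name__ == "__main__":
    for label, conf in (("nginx weak", NGINX_WEAK), ("nginx fixed", NGINX_FIXED),
                        ("apache weak", APACHE_WEAK), ("apache fixed", APACHE_FIXED)):
        print(label, lint_tls_protocols(conf) or "PASS")
```

The certificate side of the slide is not something the stdlib will parse for you; `openssl x509 -in cert.pem -noout -text` prints the Signature Algorithm, and anything reading sha1WithRSAEncryption needs reissuing before the assessor finds it. Note also that an absent `ssl_protocols` line is not a pass: nginx releases before 1.23.4 default to TLSv1 TLSv1.1 TLSv1.2.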

Risk assessment: map it to controls and have it reviewed by senior management.

Penetration testing: not a vulnerability scan, but actual hacking. It should be near the end of your preparation task list. Pay for social engineering.

End-user training: include a phishing campaign with real-life scenarios. Document it.

Virtual environments: separate hypervisors and hardware by classification level. Validate the data, admin, and control planes in SDN and cloud environments.

Questions? That s All!