• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Achieving Compliance Through Security
 

Achieving Compliance Through Security

on

  • 275 views

Presented by Patrick Miller, The Anfield Group and Jason Ile, Tripwire ...

Presented by Patrick Miller, The Anfield Group and Jason Ile, Tripwire

Abstract: This presentation emphasis the importance of building an environment where compliance is a natural byproduct of effective security controls. The presenters discuss how to establish info security controls that reinforce a culture of controls, by being plugged into the daily operational processes of IT operations, software and service development, project management and Internal audit.

Additional, the presenters explore the various benefits of continuous monitoring and how to achieve it through a step-by-step practice.

Statistics

Views

Total Views
275
Views on SlideShare
275
Embed Views
0

Actions

Likes
0
Downloads
6
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Achieving Compliance Through Security Achieving Compliance Through Security Presentation Transcript

    • Achieving Compliance Through Security Jason Iler – Tripwire Patrick Miller – The Anfield Group
    • THEAUDIT BLAME CYCLE 2
    • 3 “Boss, We Are Ready For The Upcoming Audits…”
    • 4 “OMG. The Auditors Are Coming When?!?”
    • 5 IT Operations Not Quite As Ready As They Thought…
    • 6 Infosec Must Do Heroics Generating Reports and Presentations from scratch
    • 7 Despite Heroics, The Business Still Fails The Audit…
    • 8 …Infosec Can’t Say, ‘I Told You So’
    • 9 …And Has To Be The Professional Apologist
    • 10 Problems: The Real Business Cost ®  Scheduled value-adding work and projects are delayed because of all the urgent and unplanned audit prep work ®  Business continues to implement controls as a part of a one-time audit preparation project to achieve compliance, with little thought on how to maintain compliance over time ®  Next time requires just as much effort, instead of integrating controls into daily business and IT operational processes ®  The business starts treating audit prep as a legitimate value- adding project, even charging time against it ®  Multiple regulatory and contractual requirements result in IT controls being tested numerous times by numerous parties, requiring management to perform work multiple times
    • 11 Security And Compliance Already Don’t Get Along Compliance Hinders Security… §  Creates bureaucracy §  Imposed processes hinder rapid responses to security threats §  Focuses on ‘checking the box’ §  Does not respond quickly to changes in technology §  Consumes resources/budget that might otherwise be invested in security controls Words often used to describe both disciplines: “hysterical, irrelevant, bureaucratic, bottleneck, difficult to understand, not aligned with the business, immature, shrill, perpetually focused on irrelevant technical minutiae…” Security Hinders Compliance… §  Activities difficult to measure/track §  Notoriously poor at documenting §  Can focus on ‘high profile’ threats and ignore more common risks (e.g. default passwords)
    • 12 The Goal ®  Build an environment where compliance is a natural byproduct of effective security controls ®  Establish info security controls that reinforce a culture of controls, by being plugged into the daily operational processes of… ®  IT operations ®  Software and service development ®  Project management ®  Internal audit
    • CONTINUOUS MONITORING
    • 14 " Enables dynamic security to respond to evolving threats " Provides details of your information systems §  Make risk based decisions §  Take control and remain in control of your infrastructure Spirit of Continuous Monitoring " Provides continuous input to the C&A process " Moves the focus back to Security
    • 15 Step 4: Detailed Reporting Step 3: Determine Monitoring Frequency Step 1: Categorize Assets Step 2: Determine Risk Threshold How To Achieve Continuous Monitoring?
    • 16 Step 1: Categorize Assets ®  Establish relative value of Assets ®  High, Medium, Lower impact ®  DMZ, EMS, Processing, etc ®  Categorize logically and by criticality ®  Benefits of Categorization ®  Easier to make risk-based decisions ®  Risks are easier to determine knowing the business the asset supports ®  Enables rapid triage during incident response Categorize Assets
    • 17 Step 2: Determine Risk Threshold ®  Identify and select your scoring systems ®  OCTAVE, CAESARS, iPOST, iRAMP, etc. ®  Set appropriate thresholds to policies and assign weights to control checks ®  Example of Policy Thresholds ®  < 50% Do Not Operate ®  < 75% System should go through preplanning ®  < 90% Operational ®  Test and control weights need to be set ®  Weights affect the Risk scoring ®  Examples: ®  HIGH – Administrator set to blank or default password ®  LOW – Users are part of a remote desktop group Determine Risk Threshold
    • 18 Step 3: Determine Monitoring Frequency ®  Start with your Policy ®  Determine frequency of monitoring ®  System-level Frequency ®  Security Control-level Frequency ®  Application-level Frequency ®  Determine the frequency by function and risk associated with each system and security control Determine Monitoring Frequency
    • 19 Step 4: Provide Detailed Reports ®  Provide valuable input to Ops and Security teams ®  Incident Response ®  Security Alerts ®  Change and Compliance metrics ®  Use the intelligent data feeds to make accurate risk based decisions ®  Create feedback loop to adapt and improve security and risk posture ®  Construct reports that have both operational and audit-evidence value Provide Detailed Reports
    • 20 Benefits of This Approach ®  Leverages automation to reduce time & effort for audit and oversight ®  Provides assurance that controls are implemented properly and stay that way ®  Enables accountability for proper results ®  Provides objective data for gap analysis, remediation planning, and budget priorities ®  Enables benchmarking across entities
    • 21 What and How Should I Measure? ®  Leverage existing work ®  CAESARS ®  Continuous Asset Evaluation, Situational Awareness, and Risk Scoring ®  www.dhs.gov/xlibrary/assets/fns-caesars.pdf ®  iPOST – Guidance on Continuous Monitoring and Risk Scoring model used in Department of State ®  www.cio.ca.gov/OIS/Government/events/documents/Scoring_Guide.doc
    • 22 Other Metrics Examples ®  Configuration Quality: ®  % of configurations compliant with target security standards (risk-aligned) ®  e.g. > 95% in High; > 75% in Medium ®  number of unauthorized changes with security impact (by area) ®  patch compliance by target area based on risk level ®  e.g. % of systems patched within 72 hours for High; within 1 week for Medium ®  Control effectiveness: ®  % of incidents detected by an automated control ®  % of incidents resulting in loss ®  mean time to discover security incidents ®  % of changes that follow change process
    • 23 Report On Status & Progress vs. Goals
    • 24 Focus At A Higher Level
    • 25 Summary ®  Continuous Monitoring is not a “checkbox activity” ®  Continuous Monitoring is an integral part of effective Security and Risk Management ®  Continuous Monitoring is adaptable to enable you to focus on the highest risk first
    • 26 Continuous Monitoring is about….. Risk Management Empowering Strengthening Reducing Decision Making Leadership to make educated decisions The Control Environment Resources spent on annual IT Audits Actionable Alerts to focus resources and respond
    • tripwire.com | @TripwireInc THANK YOU JASON ILER – TRIPWIRE PATRICK MILLER – THE ANFIELD GROUP