Control Assessments
An Asset-Based Methodology

Copyright 2009 SCIF Software, Inc. Released under the Creative Commons Attribution 3.0 License
Security Axiom

✤   Security is achieved by applying relevant controls to assets in scope

    ✤   Therefore, a security evaluation must assess the controls applied to the assets, whether or not those assets are documented

✤   A compliance program may be focused on specific information, business processes, services provided, or an industry; however, the security controls implemented do not change based on the focus of the compliance program
Asset Types

✤   Business Assets

    ✤   Locations

    ✤   Information

    ✤   Organizations

    ✤   Personnel

✤   Technical Assets

    ✤   Applications

    ✤   Connections

    ✤   Devices

    ✤   Networks

    ✤   Proprietary Code
Asset Classification

✤   Not all like-assets are equal

    While the security controls possible for all devices are the same, the security controls required may not be, depending on the purpose or other attributes of the device

✤   The same principle applies to all other asset types as well
Asset Classification (Continued)

✤   The firewalls serve as access points to networks

✤   The Web Server and DB Server are part of an N-Tier application infrastructure that centrally provides access to significant NPPI

✤   The Desktops and Laptop are used to access limited NPPI records
Asset Profile Introduction

✤   Asset Profile purpose:

    ✤   Associate regulatory requirements to assets that must comply

    ✤   Associate security controls that can/must be used to implement compliance
Asset Profile

✤   Type of asset that meets requirements for a specified security posture

✤   Examples:

    ✤   NPPI Repository Server

    ✤   NPPI Repository Network

    ✤   NPPI Network Access Point

    ✤   NPPI Repository Application

    ✤   NPPI Workstation

    ✤   NPPI Facility

    ✤   Person with Access to NPPI

    ✤   NPPI Data Center Room
Asset Profile Controls

Control                        NPPI Repository                      NPPI Workstation                  Portable NPPI Workstation
Authentication Mechanism       Two Factor                           Username and Password             Username and Password
Must be in Data Center         Required                             Not Required                      Not Required
Hard Disk Encryption           Required                             Not Required                      Required
Redundant Power                Required                             Not Required                      Not Required
Backup Frequency               Daily                                None                              None
Must be on Protected Network   Required                             Not Required                      Not Required
Content Filtering Enabled      Required                             Required                          Required
Critical Patch Installation    Within 15 Days                       Within 30 Days                    Within 30 Days
Disable USB Ports              Required                             Required                          Required
Log Review                     24 X 7 Aggregation and Correlation   24 X 7 Aggregation and            24 X 7 Aggregation and
                               w/ Human Review                      Correlation                       Correlation
Asset Profile Assets
Asset Profile Assessment

✤   Question-based evaluation of assets to determine scope

    ✤   Simple

    ✤   Intuitive

    ✤   Understandable

    ✤   Have True/False or Multiple Choice Answers
Scope Assessment Example #1

✤   Automated system or application receives communication from a network outside the control of the third party and contains:

    ✤   ACME NPPI Records

    ✤   ACME Restricted or Security Critical Information

✤   Resultant Scope:

    ✤   ACME Data Repository
Scope Assessment Example #1a

✤   Automated system or application centrally processes or permanently stores:

    ✤   > 100 ACME NPPI Records

    ✤   > 500 Non-NPPI ACME Customer-Related Data Records

    ✤   ACME Restricted or Security Critical Information

✤   Resultant Scope:

    ✤   ACME Data Repository
Scope Assessment Example #2

✤   Automated system or application is used to access:

    ✤   < 100 ACME NPPI Records

    ✤   < 500 Non-NPPI ACME Customer-Related Data

    ✤   ACME Internal or Confidential Information

✤   Resultant Scope:

    ✤   ACME Data Workstation
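The three scope-assessment examples above are one decision procedure: each question is a predicate over facts about an automated system, and a true predicate places the system in a scope. The following Python is an added example, not SCIF Software's code; the field names on AssetFacts, the rule identifiers and the reading of "< 100 records" as "at least one but fewer than 100" are assumptions introduced here.

```python
# Added example (not SCIF Software's code): Scope Assessment Examples #1,
# #1a and #2 encoded as rules over an asset's questionnaire answers.
from dataclasses import dataclass

REPOSITORY = "ACME Data Repository"
WORKSTATION = "ACME Data Workstation"


@dataclass
class AssetFacts:
    """Answers to the scope questions for one automated system or application.
    Field names are assumptions made for this example."""
    receives_external_communication: bool = False  # from a network outside the third party's control
    holds_nppi_records: bool = False               # contains any ACME NPPI Records
    holds_restricted_info: bool = False            # ACME Restricted or Security Critical Information
    central_nppi_records: int = 0                  # NPPI records centrally processed or permanently stored
    central_customer_records: int = 0              # non-NPPI customer-related records stored centrally
    accessed_nppi_records: int = 0                 # NPPI records the system is used to access
    accessed_customer_records: int = 0             # non-NPPI customer-related data it is used to access
    accesses_internal_or_confidential: bool = False


# (rule id, resulting scope, predicate) transcribed from the three slides.
# Assumption: "< 100" / "< 500" means at least one record but below the threshold,
# otherwise every asset that accesses nothing would match Example #2.
SCOPE_RULES = [
    ("#1", REPOSITORY, lambda a: a.receives_external_communication
                                 and (a.holds_nppi_records or a.holds_restricted_info)),
    ("#1a", REPOSITORY, lambda a: a.central_nppi_records > 100
                                  or a.central_customer_records > 500
                                  or a.holds_restricted_info),
    ("#2", WORKSTATION, lambda a: 0 < a.accessed_nppi_records < 100
                                  or 0 < a.accessed_customer_records < 500
                                  or a.accesses_internal_or_confidential),
]


def assess_scope(asset):
    """Return (scopes, fired_rule_ids) for one asset.

    More than one scope can result (an asset can be both a repository and a
    workstation); an empty set means no rule classified the asset and a human
    reviewer has to decide."""
    fired = [(rid, scope) for rid, scope, pred in SCOPE_RULES if pred(asset)]
    return {scope for _, scope in fired}, [rid for rid, _ in fired]


if __name__ == "__main__":
    # Constructed sample assets, not data from the slides.
    samples = {
        "internet-facing web app holding NPPI": AssetFacts(receives_external_communication=True,
                                                           holds_nppi_records=True),
        "central DB with 5000 NPPI records": AssetFacts(central_nppi_records=5000),
        "desktop viewing 20 NPPI records": AssetFacts(accessed_nppi_records=20,
                                                      accesses_internal_or_confidential=True),
        "system storing exactly 100 NPPI records": AssetFacts(central_nppi_records=100),
    }
    for name, facts in samples.items():
        scopes, rules = assess_scope(facts)
        print(f"{name}: {sorted(scopes) or 'UNCLASSIFIED'} via {rules}")
```

Running it shows the boundary case worth a caveat: the slides use "> 100" for repositories and "< 100" for workstations, so a system holding exactly 100 NPPI records matches neither rule. A scope questionnaire should either close that gap in its thresholds or route unclassified assets to manual review, as assess_scope does by returning an empty set.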
Assessment Questionnaires

✤   One Questionnaire for each Asset Profile

    ✤   Contains controls deemed relevant for each asset-type/Asset Profile combination

    ✤   Granularly focuses questions on a specific asset or group of assets within scope

    ✤   Increases efficiency and effectiveness of the audit program
Questionnaire Format

Control Family             Reference   Question Text                                                                                          Yes/No/NA/TI
Authentication Management  2           The information system uniquely identifies and authenticates users (or processes acting on behalf of users).
Authentication Management  2.1         Authentication of user identities is accomplished through approved mechanisms.
Authentication Management  2.1.1       Authentication of user identities is accomplished through the use of usernames and passwords.
Authentication Management  2.1.2       Authentication of user identities is accomplished through the use of usernames and biometric devices.
Authentication Management  2.1.3       Authentication of user identities is accomplished through the use of usernames and tokens.
Authentication Management  2.1.4       Authentication of user identities is accomplished through the use of digital certificates.
Authentication Management  2.1.5       Authentication of user identities is accomplished through the use of multi-factor authentication.
Authentication Management  2.2         FIPS 201 and Special Publications 800-73 and 800-76 guidance regarding the personal identity verification (PIV) card token for use in the unique identification and authentication of federal employees and contractors is followed.
Authentication Management  2.3         NIST Special Publication 800-63 guidance on remote electronic authentication is followed.
Authentication Management  2.4         User identification and authentication within a specified security perimeter follows NIST SP 800-63 guidance.
Authentication Management  3           The information system identifies and authenticates specific devices before establishing a connection.
Authentication Management  3.1         The information system uses pre-defined mechanisms to identify and authenticate devices on local and/or wide area networks.
Authentication Management  3.1.1       The information system uses shared known information (e.g., Media Access Control (MAC) or Transmission Control Protocol/Internet Protocol (TCP/IP) addresses) to identify and authenticate devices on local and/or wide area networks.
Authentication Management  3.1.2       The information system uses an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol (EAP), or a RADIUS server with EAP-Transport Layer Security (TLS) authentication) to identify and authenticate devices on local and/or wide area networks.
Authentication Management  4           The organization manages user identifiers.
Authentication Management  4.1         The organization manages user identifiers by uniquely identifying each user.
Authentication Management  4.2         The organization manages user identifiers by verifying the identity of each user.
Authentication Management  4.3         The organization manages user identifiers by receiving authorization to issue a user identifier from an appropriate organization official.
Authentication Management  4.5         The organization manages user identifiers by disabling the user identifier after a pre-defined period of inactivity.
Authentication Management  4.5.1       The organization manages user identifiers by disabling the user identifier after 6 months of inactivity.
Authentication Management  4.5.2       The organization manages user identifiers by disabling the user identifier after 3 months of inactivity.
Authentication Management  4.6         The organization manages user identifiers by archiving user identifiers.
Control Assessment Framework

✤   Compliance Charter:

    ✤   Who must comply

    ✤   Why compliance is required

    ✤   When compliance must be achieved

✤   Security Standard:

    ✤   Where compliance is applicable (which assets or Scopes)

    ✤   What must be done (high level)
Control Assessment Framework

✤   Control Catalog:

    ✤   List of security controls that may be used to secure assets

✤   Compliance Map:

    ✤   Intersection of Security Standard and Security Control within the context of an Asset Profile

    ✤   How compliance is achieved

[Figure: Asset Profile Map]
Compliance Charter (WHO, WHY, WHEN)

✤   Documents the compliance program's:

    ✤   Purpose

    ✤   Scope

    ✤   Governance
Security Standard (WHAT, WHERE)

✤   Provides high-level guidance for security

    ✤   May be tailored to:

        ✤   Information

        ✤   Business Process Supported

        ✤   Services Provided

        ✤   Industry
Control Catalog

✤   Based on industry guidance

    ✤   NIST SP 800-53

    ✤   ISO 27002

✤   Contains controls for all asset types

✤   Controls organized by family/domain

✤   Allows granular documentation of appropriate security postures
Compliance Map (HOW)

✤   Combined to create Security Questionnaires for each Asset Profile

✤   Each control must be answered:

    ✤   Yes (Control is in place)

    ✤   No (Control is not in place)

    ✤   NA (Control is Not Applicable, provide justification)

    ✤   TI (Control is Technically Infeasible, provide documentation)
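The Asset Profile Controls table earlier in the deck and the answer rules on this slide together describe a small pipeline: the table says which controls are relevant for each profile (and at what posture), the questionnaire asks one question per relevant control, and each answer is Yes, No, NA with a justification, or TI with documentation. The Python below is an added example, not SCIF Software's tool; the requirement values are transcribed from the table, while the Answer/Report structures, the rule that "Not Required" and "None" controls are left off a profile's questionnaire, and the sample answers are assumptions constructed here.

```python
# Added example (not SCIF Software's tool): build the questionnaire for an
# Asset Profile from the Asset Profile Controls table, then check the
# Yes/No/NA/TI answers the Compliance Map slide requires.
from dataclasses import dataclass, field

# Transcribed from the "Asset Profile Controls" table; column order matches PROFILES.
PROFILES = ("NPPI Repository", "NPPI Workstation", "Portable NPPI Workstation")
PROFILE_CONTROLS = {
    "Authentication Mechanism":     ("Two Factor", "Username and Password", "Username and Password"),
    "Must be in Data Center":       ("Required", "Not Required", "Not Required"),
    "Hard Disk Encryption":         ("Required", "Not Required", "Required"),
    "Redundant Power":              ("Required", "Not Required", "Not Required"),
    "Backup Frequency":             ("Daily", "None", "None"),
    "Must be on Protected Network": ("Required", "Not Required", "Not Required"),
    "Content Filtering Enabled":    ("Required", "Required", "Required"),
    "Critical Patch Installation":  ("Within 15 Days", "Within 30 Days", "Within 30 Days"),
    "Disable USB Ports":            ("Required", "Required", "Required"),
    "Log Review":                   ("24 X 7 Aggregation and Correlation w/ Human Review",
                                     "24 X 7 Aggregation and Correlation",
                                     "24 X 7 Aggregation and Correlation"),
}
# Assumption: a control whose posture is "Not Required" or "None" is not
# relevant to that profile and therefore does not appear on its questionnaire.
NOT_RELEVANT = {"Not Required", "None"}


def questionnaire(profile):
    """Controls deemed relevant for one Asset Profile, mapped to the posture expected."""
    col = PROFILES.index(profile)
    return {ctl: reqs[col] for ctl, reqs in PROFILE_CONTROLS.items() if reqs[col] not in NOT_RELEVANT}


@dataclass
class Answer:
    value: str               # "Yes" | "No" | "NA" | "TI"
    justification: str = ""  # must be supplied when value == "NA"
    documentation: str = ""  # must be supplied when value == "TI"


@dataclass
class Report:
    profile: str
    findings: list = field(default_factory=list)    # (control, expected posture) answered "No"
    invalid: list = field(default_factory=list)     # (control, reason) answers that cannot be accepted
    exceptions: list = field(default_factory=list)  # (control, "NA"/"TI", supporting text)

    @property
    def compliant(self):
        return not self.findings and not self.invalid


def evaluate(profile, answers):
    """Apply the Compliance Map answer rules to a dict of control -> Answer."""
    rep = Report(profile)
    for ctl, expected in questionnaire(profile).items():
        ans = answers.get(ctl)
        if ans is None:
            rep.invalid.append((ctl, "unanswered"))
        elif ans.value == "Yes":
            continue                                   # control is in place
        elif ans.value == "No":
            rep.findings.append((ctl, expected))       # control is not in place: a gap to remediate
        elif ans.value == "NA":
            if ans.justification.strip():
                rep.exceptions.append((ctl, "NA", ans.justification))
            else:
                rep.invalid.append((ctl, "NA without justification"))
        elif ans.value == "TI":
            if ans.documentation.strip():
                rep.exceptions.append((ctl, "TI", ans.documentation))
            else:
                rep.invalid.append((ctl, "TI without documentation"))
        else:
            rep.invalid.append((ctl, f"unknown answer {ans.value!r}"))
    return rep


# Constructed sample answers for one Portable NPPI Workstation (not data from the slides).
SAMPLE_ANSWERS = {
    "Authentication Mechanism":    Answer("Yes"),
    "Hard Disk Encryption":        Answer("TI", documentation="Legacy imaging device; vendor ticket #PLACEHOLDER"),
    "Content Filtering Enabled":   Answer("Yes"),
    "Critical Patch Installation": Answer("Yes"),
    "Disable USB Ports":           Answer("No"),
    "Log Review":                  Answer("NA"),       # missing justification: not an acceptable answer
}

if __name__ == "__main__":
    r = evaluate("Portable NPPI Workstation", SAMPLE_ANSWERS)
    print(f"{r.profile}: compliant={r.compliant}")
    print("findings:", r.findings)
    print("invalid:", r.invalid)
    print("exceptions:", r.exceptions)
```

Keeping the table as data rather than code is the point of the Compliance Map idea: when a profile's posture changes (say, hard disk encryption becomes required for every workstation), only the table row changes and every generated questionnaire follows. The evaluate function also refuses an NA or TI that lacks its justification or documentation instead of silently treating it as a pass, which is how "provide justification" on the slide becomes enforceable.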
Review Process
