SlideShare a Scribd company logo

NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by Doug Landoll

Download as PPTX, PDF
North Texas Chapter of the ISSA
North Texas Chapter of the ISSA

Doug Landoll, CEO, Lantego Four Deadly Traps in Using Information Security Frameworks Frameworks can be used to effectively build or assess information security programs, but applied incorrectly and they effectively mask major program gaps. During this talk, Mr. Landoll will explain the four framework traps and how to avoid them and how to effectively utilize a framework to build or assess an information security program. Mr. Landoll will focus on the NIST 800-53 framework as an example.

Internet
1 of 25
@NTXISSA Four Deadly Traps in Using Information Security Frameworks Doug Landoll CEO Lantego April 25, 2015 www.lantego.com (512) 633-8405 dlandoll@lantego.com
@NTXISSA Session Agenda • Framework Definition & Uses • NIST 800-53 Framework Intro & Uses • Four Traps of Frameworks • Conclusion
@NTXISSA Framework – skeletal structure designed to support something. Security Frameworks – structure to help organize and prioritize information security programs. Framework Definition
@NTXISSA Structure • Organization for the creation or review of an information security program Reference • Connection with other frameworks, standards, and requirements. Completeness • Thorough treatment of security controls Security Framework Uses
@NTXISSA NIST 800-53 Intro: “FISMA Five” FIPS Pub 199: Security Categorization NIST 800-37: Guide for C&A FIPS Pub 200: Minimum Security Controls NIST 800-53: Recommended Security Controls NIST 800-53A: Techniques for Verifying Effectiveness System: Low, Moderate, or High 18 Control Families Certification & Accreditation Process 800+ security controls How to audit controls
@NTXISSA SP 800-53 Catalog of Controls • Organized and structured set of security controls • 18 Security Control Families ID FAMILY ID FAMILY AC Access Control MP Media Protection AT Awareness and Training PE Physical and Environmental Protection AU Audit and Accountability PL Planning CA Security Assessment an Authorization PS Personnel Security CM Configuration Management RA Risk Assessment CP Contingency Planning SA System and Services Acquisition IA Identification and Authentication SC System and Communications Protection IR Incident Response SI System and Information Integrity MA Maintenance PM Program Management*
@NTXISSA SP 800-53 Control Structure • Security Control Structure Control Ref. # and Name Control Section Supplemental Guidance Control Enhancements References Priority & Baseline Allocation
@NTXISSA Control Reference & Name • Within each security control family are a number of security controls. These security controls are numbered. Ref. AU-1 Audit and Accountability Policy and Procedures AU-2 Audit Events AU-3 Content of Audit Records AU-4 Audit Storage Capacity AU-5 Response to Audit Processing Failures AU-6 Audit Review, Analysis, and Reporting AU-7 Audit Reduction and Report Generation AU-8 Time Stamps AU-9 Protection of Audit Information … …
@NTXISSA Control Section • Each security control is describes as a requirement. Control: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
@NTXISSA Supplemental Guidance • Supplemental guidance provides non-prescriptive additional information to guide the definition, development, and implementation of the security control. • Operational considerations • Mission/business considerations • Risk assessment information. Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI- 11.
@NTXISSA Control Enhancements • Control enhancements provide statements of security capability to: • Add function/specificity to the control, or • Increase the strength of the control. Control Enhancements: (1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. (2) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
@NTXISSA References • References section includes a list of applicable documents relevant to the security control: • federal laws, • Executive Orders, • directives, • policies, • regulations, • standards, and • guidelines
@NTXISSA Priority & Baseline Allocation • Priority provides guidance for sequencing decisions • Baseline Allocation –starting point for the security control selection process based on system categorization (Low, Moderate, High) MOD HIGHLOW
@NTXISSA Control Assignment • Controls may be augmented through assignment and selection options within control statements. • Assignment: Organizationally defined AU-2 AUDIT EVENTS The organization: … (3) AUDIT EVENT | REVIEWS AND UPDATES The organization reviews and updates the audited events [Assignment: organization-defined frequency]. 800-53 Example
@NTXISSA Control Selection • Controls may be augmented through assignment and selection options within control statements. • Selection: Organizationally defined IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION Control: The information system uniquely identifies and authenticates [Assignment: organizational defined specific and/or types of devices] before establishing a [Selection (one or more): local, remote, network] connection. 800-53 Example
@NTXISSA Security Controls: Risk-based Process • NIST: • An organizational risk assessment validates the initial security control selection and determines if additional controls are needed. • Example: • System categorization (Standard | Protected) determines initial security control selection. • Organizational | System risk assessment provides rationale for additional, compensating, or deleted security controls from initial selection.
@NTXISSA Structure • 18 Security Control Families Reference • Includes crosswalks to ISO27001 & CC • CC -> 800-53; 800-53 -> CC • ISO 27001 -> 800-53; 800-53 -> ISO 27001 Completeness • Organizational, Management and Technical Controls Framework Uses: NIST 800-53 Example
@NTXISSA Policy # Policy Name Policy # Policy Name P8110 Data Classification P8310 Account Management P8120 Information Security Program P8320 Access Control P8130 System Security Acquisition P8330 System Security Audit P8210 Security Awareness Training and Education P8340 Identification and Authentication P8220 System Security Maintenance P8350 System and Communication Protection P8230 Contingency Planning P8410 System Privacy P8240 Incident Response Planning P8250 Media Protection P8260 Physical Protections P8270 Personnel Security Control P9280 Acceptable Use Example Policies Based on 800-53 Framework
@NTXISSA Four Framework Traps 1. False Frameworks 2. Compliance via Assertion 3. Tailoring by Judgment 4. One and Done
@NTXISSA False Frameworks • Regulations and Standards not Frameworks: • Incomplete and focus solely on specific data and security policies • HIPAA • PCI DSS • “Industry Best Practices” • No available references, not industry recognized, likely incomplete and not structured. • AKA: Our own secret sauce • Smoke and Mirrors
@NTXISSA Compliance via Assertion • Embracing a Framework is step one. • Next Steps • Interpret • Apply • Assess • Address gaps
@NTXISSA Tailoring by Judgment • Frameworks are tailorable through an exception process or a risk based process. • Tailoring based on gaps, “judgment”, and cost limits the benefits of a framework
@NTXISSA One and Done • A security program based on a framework will require maintenance • Frameworks get updates • ISO 27001/2: Updated Sept 2013 • NIST 800-53: Updated April 2013 • COBIT 5: Updated 2012 • Other Updates • References, Mappings, Business & Customer Requirements • Reassess regularly
@NTXISSA Conclusions • Determine appropriate framework for the business • Add requirements (these are not frameworks) • Embrace the framework and its tailoring process • Beware framework traps • It’s just a framework – there is a lot more work to do.
@NTXISSA@NTXISSA The Collin College Engineering Department Collin College Student Chapter of the North Texas ISSA North Texas ISSA (Information Systems Security Association) NTX ISSA Cyber Security Conference – April 24-25, 2015 25 Thank you

Recommended

NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...
NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...
NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...North Texas Chapter of the ISSA
 
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...North Texas Chapter of the ISSA
 
Top 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure InfrastructureTop 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure InfrastructureInfosec
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
NTXISSACSC2 - Software Assurance (SwA) by John Whited
NTXISSACSC2 - Software Assurance (SwA) by John WhitedNTXISSACSC2 - Software Assurance (SwA) by John Whited
NTXISSACSC2 - Software Assurance (SwA) by John WhitedNorth Texas Chapter of the ISSA
 
Roadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesRoadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesGreenway Health
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesKrist Davood - Principal - CIO
 
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon SwainNTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon SwainNorth Texas Chapter of the ISSA
 

Recommended

NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...
NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...
NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...North Texas Chapter of the ISSA
 
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...North Texas Chapter of the ISSA
 
Top 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure InfrastructureTop 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure InfrastructureInfosec
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
NTXISSACSC2 - Software Assurance (SwA) by John Whited
NTXISSACSC2 - Software Assurance (SwA) by John WhitedNTXISSACSC2 - Software Assurance (SwA) by John Whited
NTXISSACSC2 - Software Assurance (SwA) by John WhitedNorth Texas Chapter of the ISSA
 
Roadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesRoadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesGreenway Health
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesKrist Davood - Principal - CIO
 
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon SwainNTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon SwainNorth Texas Chapter of the ISSA
 
Tictaclabs Managed Cyber Security Services
Tictaclabs Managed Cyber Security ServicesTictaclabs Managed Cyber Security Services
Tictaclabs Managed Cyber Security ServicesTicTac Data Recovery
 
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity FrameworkAchieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity FrameworkKevin Fealey
 
Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap Anshu Gupta
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSJohn Gilligan
 
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss ProtectionGabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protectioncentralohioissa
 
NTXISSACSC2 - Why Lead with Risk? by Doug Landoll
NTXISSACSC2 - Why Lead with Risk? by Doug LandollNTXISSACSC2 - Why Lead with Risk? by Doug Landoll
NTXISSACSC2 - Why Lead with Risk? by Doug LandollNorth Texas Chapter of the ISSA
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...Shah Sheikh
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRTAPNIC
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...centralohioissa
 
Security Operations Center
Security Operations CenterSecurity Operations Center
Security Operations CenterMDS CS
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
 
Community IT - Crafting Nonprofit IT Security Policy
Community IT - Crafting Nonprofit IT Security PolicyCommunity IT - Crafting Nonprofit IT Security Policy
Community IT - Crafting Nonprofit IT Security PolicyCommunity IT Innovators
 
Why Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityWhy Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityPriyanka Aash
 
Developing an Information Security Roadmap
Developing an Information Security RoadmapDeveloping an Information Security Roadmap
Developing an Information Security RoadmapAustin Songer
 
Cybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentationCybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentationMonchai Phaichitchan
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017Doug Copley
 
What is a cybersecurity assessment 20210813
What is a cybersecurity assessment 20210813What is a cybersecurity assessment 20210813
What is a cybersecurity assessment 20210813Kinetic Potential
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Cybersecurity Framework - Introduction
Cybersecurity Framework - IntroductionCybersecurity Framework - Introduction
Cybersecurity Framework - IntroductionMuhammad Akbar Yasin
 
Tax Preparers Presentation
Tax Preparers PresentationTax Preparers Presentation
Tax Preparers PresentationDoug Landoll
 
Mnescot controls monitoring
Mnescot controls monitoringMnescot controls monitoring
Mnescot controls monitoringmnescot
 

More Related Content

What's hot

Tictaclabs Managed Cyber Security Services
Tictaclabs Managed Cyber Security ServicesTictaclabs Managed Cyber Security Services
Tictaclabs Managed Cyber Security ServicesTicTac Data Recovery
 
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity FrameworkAchieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity FrameworkKevin Fealey
 
Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap Anshu Gupta
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSJohn Gilligan
 
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss ProtectionGabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protectioncentralohioissa
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...Shah Sheikh
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRTAPNIC
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...centralohioissa
 
Security Operations Center
Security Operations CenterSecurity Operations Center
Security Operations CenterMDS CS
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
 
Community IT - Crafting Nonprofit IT Security Policy
Community IT - Crafting Nonprofit IT Security PolicyCommunity IT - Crafting Nonprofit IT Security Policy
Community IT - Crafting Nonprofit IT Security PolicyCommunity IT Innovators
 
Why Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityWhy Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityPriyanka Aash
 
Developing an Information Security Roadmap
Developing an Information Security RoadmapDeveloping an Information Security Roadmap
Developing an Information Security RoadmapAustin Songer
 
Cybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentationCybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentationMonchai Phaichitchan
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017Doug Copley
 
What is a cybersecurity assessment 20210813
What is a cybersecurity assessment 20210813What is a cybersecurity assessment 20210813
What is a cybersecurity assessment 20210813Kinetic Potential
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Cybersecurity Framework - Introduction
Cybersecurity Framework - IntroductionCybersecurity Framework - Introduction
Cybersecurity Framework - IntroductionMuhammad Akbar Yasin
 

What's hot (20)

Tictaclabs Managed Cyber Security Services
Tictaclabs Managed Cyber Security ServicesTictaclabs Managed Cyber Security Services
Tictaclabs Managed Cyber Security Services
 
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity FrameworkAchieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
 
Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHS
 
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss ProtectionGabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
 
NTXISSACSC2 - Why Lead with Risk? by Doug Landoll
NTXISSACSC2 - Why Lead with Risk? by Doug LandollNTXISSACSC2 - Why Lead with Risk? by Doug Landoll
NTXISSACSC2 - Why Lead with Risk? by Doug Landoll
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRT
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
 
Security Operations Center
Security Operations CenterSecurity Operations Center
Security Operations Center
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
Community IT - Crafting Nonprofit IT Security Policy
Community IT - Crafting Nonprofit IT Security PolicyCommunity IT - Crafting Nonprofit IT Security Policy
Community IT - Crafting Nonprofit IT Security Policy
 
Why Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityWhy Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum Security
 
Developing an Information Security Roadmap
Developing an Information Security RoadmapDeveloping an Information Security Roadmap
Developing an Information Security Roadmap
 
Cybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentationCybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentation
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017
 
What is a cybersecurity assessment 20210813
What is a cybersecurity assessment 20210813What is a cybersecurity assessment 20210813
What is a cybersecurity assessment 20210813
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Cybersecurity Framework - Introduction
Cybersecurity Framework - IntroductionCybersecurity Framework - Introduction
Cybersecurity Framework - Introduction
 

Viewers also liked

Tax Preparers Presentation
Tax Preparers PresentationTax Preparers Presentation
Tax Preparers PresentationDoug Landoll
 
Mnescot controls monitoring
Mnescot controls monitoringMnescot controls monitoring
Mnescot controls monitoringmnescot
 
Security Certification - Critical Review
Security Certification - Critical ReviewSecurity Certification - Critical Review
Security Certification - Critical ReviewISA Interchange
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security FrameworksMarco Morana
 
Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82majolic
 
Cisa Certification Overview
Cisa Certification OverviewCisa Certification Overview
Cisa Certification OverviewAl Imran, CISA
 
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aCritical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aJames W. De Rienzo
 
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804James W. De Rienzo
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.Priyanka Aash
 
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon NamCOBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon NamNUS-ISS
 
Ipr, Intellectual Property Rights
Ipr, Intellectual Property RightsIpr, Intellectual Property Rights
Ipr, Intellectual Property RightsVikram Dahiya
 

Viewers also liked (16)

Tax Preparers Presentation
Tax Preparers PresentationTax Preparers Presentation
Tax Preparers Presentation
 
Mnescot controls monitoring
Mnescot controls monitoringMnescot controls monitoring
Mnescot controls monitoring
 
Security Certification - Critical Review
Security Certification - Critical ReviewSecurity Certification - Critical Review
Security Certification - Critical Review
 
Securing SCADA
Securing SCADASecuring SCADA
Securing SCADA
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security Frameworks
 
Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82
 
Cisa Certification Overview
Cisa Certification OverviewCisa Certification Overview
Cisa Certification Overview
 
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aCritical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
 
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.
 
Evolution Of IPR
Evolution Of IPREvolution Of IPR
Evolution Of IPR
 
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon NamCOBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
 
Ipr, Intellectual Property Rights
Ipr, Intellectual Property RightsIpr, Intellectual Property Rights
Ipr, Intellectual Property Rights
 
COBIT®5 - Foundation
COBIT®5 - FoundationCOBIT®5 - Foundation
COBIT®5 - Foundation
 
TYBSC IT SEM 6 IPR/CL
TYBSC IT SEM 6 IPR/CLTYBSC IT SEM 6 IPR/CL
TYBSC IT SEM 6 IPR/CL
 
Intellectual Property Rights (IPR)
Intellectual Property Rights (IPR)Intellectual Property Rights (IPR)
Intellectual Property Rights (IPR)
 

Similar to NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by Doug Landoll

20201014 iso27001 iso27701 nist v2 (extended version)
20201014 iso27001 iso27701 nist v2 (extended version)20201014 iso27001 iso27701 nist v2 (extended version)
20201014 iso27001 iso27701 nist v2 (extended version)Peter GEELEN ✔
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...Donald E. Hester
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security DemystifiedMichael Torres
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowPECB
 
Privacies are coming
Privacies are comingPrivacies are coming
Privacies are comingErnest Staats
 
محتويات مادة آمن الشبكات
محتويات مادة آمن الشبكاتمحتويات مادة آمن الشبكات
محتويات مادة آمن الشبكاتeng_SamMoh
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationMcKonly & Asbury, LLP
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityErnest Staats
 
L3 RMF Phase 2 Categorize.pptx
L3 RMF Phase 2 Categorize.pptxL3 RMF Phase 2 Categorize.pptx
L3 RMF Phase 2 Categorize.pptxStevenTharp2
 
CISSP Cheatsheet.pdf
CISSP Cheatsheet.pdfCISSP Cheatsheet.pdf
CISSP Cheatsheet.pdfshyedshahriar
 
Week 09_Cyber security u.pdf
Week 09_Cyber security u.pdfWeek 09_Cyber security u.pdf
Week 09_Cyber security u.pdfdhanywahyudi17
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...abhichowdary16
 
HIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHostway|HOSTING
 
Continuous compliance using data and code
Continuous compliance using data and codeContinuous compliance using data and code
Continuous compliance using data and codeErkang Zheng
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
Data Security Service Offering-v3
Data Security Service Offering-v3Data Security Service Offering-v3
Data Security Service Offering-v3Abe Newton
 
CH12-CompSec4e.pptx
CH12-CompSec4e.pptxCH12-CompSec4e.pptx
CH12-CompSec4e.pptxams1ams11
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyCloud Standards Customer Council
 
Information Security Framework
Information Security FrameworkInformation Security Framework
Information Security Frameworkssuser65fa31
 

Similar to NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by Doug Landoll (20)

20201014 iso27001 iso27701 nist v2 (extended version)
20201014 iso27001 iso27701 nist v2 (extended version)20201014 iso27001 iso27701 nist v2 (extended version)
20201014 iso27001 iso27701 nist v2 (extended version)
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security Demystified
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
 
Privacies are coming
Privacies are comingPrivacies are coming
Privacies are coming
 
محتويات مادة آمن الشبكات
محتويات مادة آمن الشبكاتمحتويات مادة آمن الشبكات
محتويات مادة آمن الشبكات
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber Security
 
L3 RMF Phase 2 Categorize.pptx
L3 RMF Phase 2 Categorize.pptxL3 RMF Phase 2 Categorize.pptx
L3 RMF Phase 2 Categorize.pptx
 
CISSP Cheatsheet.pdf
CISSP Cheatsheet.pdfCISSP Cheatsheet.pdf
CISSP Cheatsheet.pdf
 
Week 09_Cyber security u.pdf
Week 09_Cyber security u.pdfWeek 09_Cyber security u.pdf
Week 09_Cyber security u.pdf
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
 
HIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best Practices
 
Continuous compliance using data and code
Continuous compliance using data and codeContinuous compliance using data and code
Continuous compliance using data and code
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
Data Security Service Offering-v3
Data Security Service Offering-v3Data Security Service Offering-v3
Data Security Service Offering-v3
 
CH12-CompSec4e.pptx
CH12-CompSec4e.pptxCH12-CompSec4e.pptx
CH12-CompSec4e.pptx
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and Privacy
 
Information Security Framework
Information Security FrameworkInformation Security Framework
Information Security Framework
 

More from North Texas Chapter of the ISSA

Ntxissacsc5 gold 4 beyond detection and prevension remediation
Ntxissacsc5 gold 4 beyond detection and prevension remediationNtxissacsc5 gold 4 beyond detection and prevension remediation
Ntxissacsc5 gold 4 beyond detection and prevension remediationNorth Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...North Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1North Texas Chapter of the ISSA
 
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczulNtxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczulNorth Texas Chapter of the ISSA
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNtxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNorth Texas Chapter of the ISSA
 
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowiczNtxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowiczNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higginsNtxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higginsNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghanNtxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghanNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeqNtxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeqNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill whiteNtxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill whiteNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNtxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNorth Texas Chapter of the ISSA
 

More from North Texas Chapter of the ISSA (20)

Purple seven-ntxissacsc5 walcutt
Purple seven-ntxissacsc5 walcuttPurple seven-ntxissacsc5 walcutt
Purple seven-ntxissacsc5 walcutt
 
Ntxissacsc5 yellow 7 protecting the cloud with cep
Ntxissacsc5 yellow 7 protecting the cloud with cepNtxissacsc5 yellow 7 protecting the cloud with cep
Ntxissacsc5 yellow 7 protecting the cloud with cep
 
Ntxissacsc5 gold 4 beyond detection and prevension remediation
Ntxissacsc5 gold 4 beyond detection and prevension remediationNtxissacsc5 gold 4 beyond detection and prevension remediation
Ntxissacsc5 gold 4 beyond detection and prevension remediation
 
Ntxissacsc5 gold 1 mimecast e mail resiliency
Ntxissacsc5 gold 1 mimecast e mail resiliencyNtxissacsc5 gold 1 mimecast e mail resiliency
Ntxissacsc5 gold 1 mimecast e mail resiliency
 
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
 
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
 
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
Ntxissacsc5 yellow 1-beginnerslinux bill-petersenNtxissacsc5 yellow 1-beginnerslinux bill-petersen
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
 
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykesNtxissacsc5 red 6-diy-pentest-lab dustin-dykes
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
 
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
Ntxissacsc5 red 1 & 2 basic hacking tools ncc groupNtxissacsc5 red 1 & 2 basic hacking tools ncc group
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
 
Ntxissacsc5 purple 5-insider threat-_andy_thompson
Ntxissacsc5 purple 5-insider threat-_andy_thompsonNtxissacsc5 purple 5-insider threat-_andy_thompson
Ntxissacsc5 purple 5-insider threat-_andy_thompson
 
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczulNtxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNtxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
 
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
Ntxissacsc5 purple 1-eu-gdpr_patrick_florerNtxissacsc5 purple 1-eu-gdpr_patrick_florer
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
 
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowiczNtxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
 
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higginsNtxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
 
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghanNtxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
 
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeqNtxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
 
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill whiteNtxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
 
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_muellerNtxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNtxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
 

Recently uploaded

Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled PersonComplet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Personfurqan222004
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 

Recently uploaded (20)

Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled PersonComplet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Person
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 

NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by Doug Landoll

  • 1. @NTXISSA Four Deadly Traps in Using Information Security Frameworks Doug Landoll CEO Lantego April 25, 2015 www.lantego.com (512) 633-8405 dlandoll@lantego.com
  • 2. @NTXISSA Session Agenda • Framework Definition & Uses • NIST 800-53 Framework Intro & Uses • Four Traps of Frameworks • Conclusion
  • 3. @NTXISSA Framework – skeletal structure designed to support something. Security Frameworks – structure to help organize and prioritize information security programs. Framework Definition
  • 4. @NTXISSA Structure • Organization for the creation or review of an information security program Reference • Connection with other frameworks, standards, and requirements. Completeness • Thorough treatment of security controls Security Framework Uses
  • 5. @NTXISSA NIST 800-53 Intro: “FISMA Five” FIPS Pub 199: Security Categorization NIST 800-37: Guide for C&A FIPS Pub 200: Minimum Security Controls NIST 800-53: Recommended Security Controls NIST 800-53A: Techniques for Verifying Effectiveness System: Low, Moderate, or High 18 Control Families Certification & Accreditation Process 800+ security controls How to audit controls
  • 6. @NTXISSA SP 800-53 Catalog of Controls • Organized and structured set of security controls • 18 Security Control Families ID FAMILY ID FAMILY AC Access Control MP Media Protection AT Awareness and Training PE Physical and Environmental Protection AU Audit and Accountability PL Planning CA Security Assessment an Authorization PS Personnel Security CM Configuration Management RA Risk Assessment CP Contingency Planning SA System and Services Acquisition IA Identification and Authentication SC System and Communications Protection IR Incident Response SI System and Information Integrity MA Maintenance PM Program Management*
  • 7. @NTXISSA SP 800-53 Control Structure • Security Control Structure Control Ref. # and Name Control Section Supplemental Guidance Control Enhancements References Priority & Baseline Allocation
  • 8. @NTXISSA Control Reference & Name • Within each security control family are a number of security controls. These security controls are numbered. Ref. AU-1 Audit and Accountability Policy and Procedures AU-2 Audit Events AU-3 Content of Audit Records AU-4 Audit Storage Capacity AU-5 Response to Audit Processing Failures AU-6 Audit Review, Analysis, and Reporting AU-7 Audit Reduction and Report Generation AU-8 Time Stamps AU-9 Protection of Audit Information … …
  • 9. @NTXISSA Control Section • Each security control is describes as a requirement. Control: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
  • 10. @NTXISSA Supplemental Guidance • Supplemental guidance provides non-prescriptive additional information to guide the definition, development, and implementation of the security control. • Operational considerations • Mission/business considerations • Risk assessment information. Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI- 11.
  • 11. @NTXISSA Control Enhancements • Control enhancements provide statements of security capability to: • Add function/specificity to the control, or • Increase the strength of the control. Control Enhancements: (1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. (2) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
  • 12. @NTXISSA References • References section includes a list of applicable documents relevant to the security control: • federal laws, • Executive Orders, • directives, • policies, • regulations, • standards, and • guidelines
  • 13. @NTXISSA Priority & Baseline Allocation • Priority provides guidance for sequencing decisions • Baseline Allocation –starting point for the security control selection process based on system categorization (Low, Moderate, High) MOD HIGHLOW
  • 14. @NTXISSA Control Assignment • Controls may be augmented through assignment and selection options within control statements. • Assignment: Organizationally defined AU-2 AUDIT EVENTS The organization: … (3) AUDIT EVENT | REVIEWS AND UPDATES The organization reviews and updates the audited events [Assignment: organization-defined frequency]. 800-53 Example
  • 15. @NTXISSA Control Selection • Controls may be augmented through assignment and selection options within control statements. • Selection: Organizationally defined IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION Control: The information system uniquely identifies and authenticates [Assignment: organizational defined specific and/or types of devices] before establishing a [Selection (one or more): local, remote, network] connection. 800-53 Example
  • 16. @NTXISSA Security Controls: Risk-based Process • NIST: • An organizational risk assessment validates the initial security control selection and determines if additional controls are needed. • Example: • System categorization (Standard | Protected) determines initial security control selection. • Organizational | System risk assessment provides rationale for additional, compensating, or deleted security controls from initial selection.
  • 17. @NTXISSA Structure • 18 Security Control Families Reference • Includes crosswalks to ISO27001 & CC • CC -> 800-53; 800-53 -> CC • ISO 27001 -> 800-53; 800-53 -> ISO 27001 Completeness • Organizational, Management and Technical Controls Framework Uses: NIST 800-53 Example
  • 18. @NTXISSA Policy # Policy Name Policy # Policy Name P8110 Data Classification P8310 Account Management P8120 Information Security Program P8320 Access Control P8130 System Security Acquisition P8330 System Security Audit P8210 Security Awareness Training and Education P8340 Identification and Authentication P8220 System Security Maintenance P8350 System and Communication Protection P8230 Contingency Planning P8410 System Privacy P8240 Incident Response Planning P8250 Media Protection P8260 Physical Protections P8270 Personnel Security Control P9280 Acceptable Use Example Policies Based on 800-53 Framework
  • 19. @NTXISSA Four Framework Traps 1. False Frameworks 2. Compliance via Assertion 3. Tailoring by Judgment 4. One and Done
  • 20. @NTXISSA False Frameworks • Regulations and Standards not Frameworks: • Incomplete and focus solely on specific data and security policies • HIPAA • PCI DSS • “Industry Best Practices” • No available references, not industry recognized, likely incomplete and not structured. • AKA: Our own secret sauce • Smoke and Mirrors
  • 21. @NTXISSA Compliance via Assertion • Embracing a Framework is step one. • Next Steps • Interpret • Apply • Assess • Address gaps
  • 22. @NTXISSA Tailoring by Judgment • Frameworks are tailorable through an exception process or a risk based process. • Tailoring based on gaps, “judgment”, and cost limits the benefits of a framework
  • 23. @NTXISSA One and Done • A security program based on a framework will require maintenance • Frameworks get updates • ISO 27001/2: Updated Sept 2013 • NIST 800-53: Updated April 2013 • COBIT 5: Updated 2012 • Other Updates • References, Mappings, Business & Customer Requirements • Reassess regularly
  • 24. @NTXISSA Conclusions • Determine appropriate framework for the business • Add requirements (these are not frameworks) • Embrace the framework and its tailoring process • Beware framework traps • It’s just a framework – there is a lot more work to do.
  • 25. @NTXISSA@NTXISSA The Collin College Engineering Department Collin College Student Chapter of the North Texas ISSA North Texas ISSA (Information Systems Security Association) NTX ISSA Cyber Security Conference – April 24-25, 2015 25 Thank you