What is the current NIST guidance for how often to change your password, based on passage of time?
a) 30 days b) 42 days c) 90 days d) never
d. Never
What do Regulations help to do?
- Mandate the “minimum standards for due care”
- Establish legally- defensible security practices
- Provide action able guidance
- Inform the types of security controls and techniques employed
What is SP 800-37
Risk Management Framework
What is SP 800-53
Security Controls for IT Systems
What is SP 800-82
Security Controls for Industrial Control Systems
What is SP 800-171
Security Controls for Nonfederal systems processing Controlled Unclassified Information
Special Publication 800-37 is centered on the Risk Management Framework (RMF), which outlines six steps federal agencies must take to secure their information systems.
WHAT ARE THOSE SIX STEPS?
CSCAAM
- Security CATEGORIZATION : based on impact analysis
- Security control SELECTION
- Security CONTROL implementation
- Security control ASSESSMENT
- Information system AUTHORIZATION
- Security control MONITORING
NIST SP 800-37
The overall goals of the guidelines in 800-37 are?
- To ensure that managing information system-related security risks aligns with the organization’s business objectives and overall risk strategy
- To ensure that security controls are integrated into the organization’s enterprise architecture and system development lifecycle
- To support continuous security monitoring and transparency of security and risk- related information
- To achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies
The Purpose of NIST SP 800-53 Revision 4: (Security and Privacy Controls for Federal Information Systems and Organizations) is to?
- To provide guidelines for selecting security controls for information systems supporting federal agencies. The guidelines apply to all components of an information system that process, store or transmit federal information.
- To optimize security, this publication recommends first selecting an initial set of baseline security controls, then customizing these baseline controls, and finally supplementing the controls based on assessments of risk.
EU-US Privacy Shield
- Designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration
- Provide companies a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce
- Self-certification model
PCI-DSS
Payment Card Industry Data Security Standards
- Founded in 2006 by AMEX, Discover, JCB International, Master Card, and Visa
- Help merchants and financial institutions understand and implement standards
- Help vendor sunder stand and implement standards for creating secure payment solutions.
Gramm- Leach- Bliley Act
Organizations that provide services to the financial industry
Originally SAS-70 requirements
SAS-70 replaced by Statement on Standards for Attestation Engagements No. 16 (SSAE-16)
SSAE-16 defined and formalized security audits, management duties, etc.
Security Program: Set yourself up for success!
- Infrastructure Protection
- Application Security
- Security Operations
- Governance
- Project/Program Management • Business Partners
Compliance Creep
Requirements expand over time
- Organization becomes subject to new requirements as business grows
- Baseline standards become more rigorous because of increasing oversight in industry
- Scope of organization’s business operation grows
- We almost never retire requirements (especially security)!
Techniques for Compliance
- Outsource compliance activities
• Best as short-term solution - Add headcount to execute compliance as a project
- Purchase a GRC (Governance, Risk, and
Compliance) package or service
• Most cost-effective, long-term solution
• Scalable, little upfront costs
Value in Compliance
- Compliance programs institute a sense of repeatability and accountability/tracking – improves efficiency and transparency of documentation
- Computer systems operate more efficiently when they are properly managed
- Business systems see fewer disruptions when configurations are managed consistently across the enterprise
- Couple with compliance requirements beyond security controls
How many types of Auditors? and what are they?
FOUR
- Internal Audit: Understand how management is addressing risk – report internally
- External Audit: Usually an independent 3rd party Assessment (CPA Firms, Big 4, etc.) – report directly to Board of Directors
- 3rd Party Attestation: Specialized compliance tests (e.g., PCI- DSS)
- Regulatory Audits: Government bodies perform audits for compliance
• E.g. FFIEC for compliance with regulatory obligations
Preparing employees for an audit
Part 1
• Don’t“coach”employees–it makes them nervous and ticks off the auditor
• Don’t guess–“I don’t know” is perfectly reasonable.If followed up by “but this is the person/system I would go to in order to find out,” all the better
• Time is money–don’t waste it
• Don’t try to be a lawyer–speak straight forwardly, avoid
jargon
• Auditor is not a whistleblower hotline
Preparing for an audit -part 2
• Prepare early–don’t rush the documentation
• Maintain a steady strain–a little at a time over time is
much better than rushing to document everything
• “Done right”»_space; “Done quickly”
• Understand the requirements and start early
• Strategic Speed: reducing the time it takes to deliver value
• High performing companies encourage innovative thought, allow time for reflection and learn from the past
Building Trust with Audit Team
- Align objectives and scope of audit prior to the event
- Identify criteria for evidence required–sample criteria
- Agree on how evidence will be requested (processes, tools, a format for requests, etc.)
- Agree on timeliness expectations for evidence
- Agree on how differences of opinion will be addressed
1914 Federal Trade Commission Act
Prohibits “unfair or deceptive acts or practices in or affecting commerce”
This broad statement has far-reaching implications on cybersecurity
• Established (by extension) a minimum set of cybersecurity practices
• Protects the privacy and security of non-public information
Sarbanes-Oxley Act (2002)
Not as prescriptive as GLBA from an IT perspective
Focused primarily on internal controls over financial reporting
Created a linkage between accounting and business process and the underlying IT infrastructure
Designed to restore confidence in the market as a result of Enron and Arthur Anderson
An Effective Security Program
- Designated Security Officer: Required by GLBA, HIPAA
- Program to evaluate and assess risk: More than financial risk
– cybersecurity, physical, process - Data classification: identify types of data and levels of protection required
- Vendor due diligence: Need to hold vendors/partners accountable
- Executive responsibility for internal controls: This requires C-Suite buy in
- Board of Directors Oversight
Three Questions to ask yourself
- As a CISO, do I have any regulatory requirements?
- As a CISO, how do I position my security program and organization for success in regard to compliance?
- What policies, processes, or procedures should we leverage to successfully engage our auditors and/or regulators?
