SlideShare a Scribd company logo

NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by Doug Landoll

Download as PPTX, PDF
North Texas Chapter of the ISSA, profile picture
North Texas Chapter of the ISSA

The document discusses information security frameworks, specifically focusing on the NIST 800-53 framework, outlining its structure, control families, and management of security controls. It identifies four common pitfalls when using frameworks: false frameworks, compliance via assertion, tailoring by judgment, and treating it as a one-time effort. The conclusion emphasizes the need for ongoing maintenance and adaptation of frameworks to ensure effective information security management.

Internet
Related topics:
Information Security
1 of 25
Downloaded 22 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
@NTXISSA Four Deadly Traps in Using Information Security Frameworks Doug Landoll CEO Lantego April 25, 2015 www.lantego.com (512) 633-8405 dlandoll@lantego.com
@NTXISSA Session Agenda • Framework Definition & Uses • NIST 800-53 Framework Intro & Uses • Four Traps of Frameworks • Conclusion
@NTXISSA Framework – skeletal structure designed to support something. Security Frameworks – structure to help organize and prioritize information security programs. Framework Definition
@NTXISSA Structure • Organization for the creation or review of an information security program Reference • Connection with other frameworks, standards, and requirements. Completeness • Thorough treatment of security controls Security Framework Uses
@NTXISSA NIST 800-53 Intro: “FISMA Five” FIPS Pub 199: Security Categorization NIST 800-37: Guide for C&A FIPS Pub 200: Minimum Security Controls NIST 800-53: Recommended Security Controls NIST 800-53A: Techniques for Verifying Effectiveness System: Low, Moderate, or High 18 Control Families Certification & Accreditation Process 800+ security controls How to audit controls
@NTXISSA SP 800-53 Catalog of Controls • Organized and structured set of security controls • 18 Security Control Families ID FAMILY ID FAMILY AC Access Control MP Media Protection AT Awareness and Training PE Physical and Environmental Protection AU Audit and Accountability PL Planning CA Security Assessment an Authorization PS Personnel Security CM Configuration Management RA Risk Assessment CP Contingency Planning SA System and Services Acquisition IA Identification and Authentication SC System and Communications Protection IR Incident Response SI System and Information Integrity MA Maintenance PM Program Management*
@NTXISSA SP 800-53 Control Structure • Security Control Structure Control Ref. # and Name Control Section Supplemental Guidance Control Enhancements References Priority & Baseline Allocation
@NTXISSA Control Reference & Name • Within each security control family are a number of security controls. These security controls are numbered. Ref. AU-1 Audit and Accountability Policy and Procedures AU-2 Audit Events AU-3 Content of Audit Records AU-4 Audit Storage Capacity AU-5 Response to Audit Processing Failures AU-6 Audit Review, Analysis, and Reporting AU-7 Audit Reduction and Report Generation AU-8 Time Stamps AU-9 Protection of Audit Information … …
@NTXISSA Control Section • Each security control is describes as a requirement. Control: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
@NTXISSA Supplemental Guidance • Supplemental guidance provides non-prescriptive additional information to guide the definition, development, and implementation of the security control. • Operational considerations • Mission/business considerations • Risk assessment information. Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI- 11.
@NTXISSA Control Enhancements • Control enhancements provide statements of security capability to: • Add function/specificity to the control, or • Increase the strength of the control. Control Enhancements: (1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. (2) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
@NTXISSA References • References section includes a list of applicable documents relevant to the security control: • federal laws, • Executive Orders, • directives, • policies, • regulations, • standards, and • guidelines
@NTXISSA Priority & Baseline Allocation • Priority provides guidance for sequencing decisions • Baseline Allocation –starting point for the security control selection process based on system categorization (Low, Moderate, High) MOD HIGHLOW
@NTXISSA Control Assignment • Controls may be augmented through assignment and selection options within control statements. • Assignment: Organizationally defined AU-2 AUDIT EVENTS The organization: … (3) AUDIT EVENT | REVIEWS AND UPDATES The organization reviews and updates the audited events [Assignment: organization-defined frequency]. 800-53 Example
@NTXISSA Control Selection • Controls may be augmented through assignment and selection options within control statements. • Selection: Organizationally defined IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION Control: The information system uniquely identifies and authenticates [Assignment: organizational defined specific and/or types of devices] before establishing a [Selection (one or more): local, remote, network] connection. 800-53 Example
@NTXISSA Security Controls: Risk-based Process • NIST: • An organizational risk assessment validates the initial security control selection and determines if additional controls are needed. • Example: • System categorization (Standard | Protected) determines initial security control selection. • Organizational | System risk assessment provides rationale for additional, compensating, or deleted security controls from initial selection.
@NTXISSA Structure • 18 Security Control Families Reference • Includes crosswalks to ISO27001 & CC • CC -> 800-53; 800-53 -> CC • ISO 27001 -> 800-53; 800-53 -> ISO 27001 Completeness • Organizational, Management and Technical Controls Framework Uses: NIST 800-53 Example
@NTXISSA Policy # Policy Name Policy # Policy Name P8110 Data Classification P8310 Account Management P8120 Information Security Program P8320 Access Control P8130 System Security Acquisition P8330 System Security Audit P8210 Security Awareness Training and Education P8340 Identification and Authentication P8220 System Security Maintenance P8350 System and Communication Protection P8230 Contingency Planning P8410 System Privacy P8240 Incident Response Planning P8250 Media Protection P8260 Physical Protections P8270 Personnel Security Control P9280 Acceptable Use Example Policies Based on 800-53 Framework
@NTXISSA Four Framework Traps 1. False Frameworks 2. Compliance via Assertion 3. Tailoring by Judgment 4. One and Done
@NTXISSA False Frameworks • Regulations and Standards not Frameworks: • Incomplete and focus solely on specific data and security policies • HIPAA • PCI DSS • “Industry Best Practices” • No available references, not industry recognized, likely incomplete and not structured. • AKA: Our own secret sauce • Smoke and Mirrors
@NTXISSA Compliance via Assertion • Embracing a Framework is step one. • Next Steps • Interpret • Apply • Assess • Address gaps
@NTXISSA Tailoring by Judgment • Frameworks are tailorable through an exception process or a risk based process. • Tailoring based on gaps, “judgment”, and cost limits the benefits of a framework
@NTXISSA One and Done • A security program based on a framework will require maintenance • Frameworks get updates • ISO 27001/2: Updated Sept 2013 • NIST 800-53: Updated April 2013 • COBIT 5: Updated 2012 • Other Updates • References, Mappings, Business & Customer Requirements • Reassess regularly
@NTXISSA Conclusions • Determine appropriate framework for the business • Add requirements (these are not frameworks) • Embrace the framework and its tailoring process • Beware framework traps • It’s just a framework – there is a lot more work to do.
@NTXISSA@NTXISSA The Collin College Engineering Department Collin College Student Chapter of the North Texas ISSA North Texas ISSA (Information Systems Security Association) NTX ISSA Cyber Security Conference – April 24-25, 2015 25 Thank you

More Related Content

PPTX
NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...
North Texas Chapter of the ISSA
 
PPTX
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
North Texas Chapter of the ISSA
 
PPTX
Top 20 Security Controls for a More Secure Infrastructure
Infosec
 
PPTX
Roadmap to security operations excellence
Erik Taavila
 
PPTX
NTXISSACSC2 - Software Assurance (SwA) by John Whited
North Texas Chapter of the ISSA
 
PPT
Roadmap to IT Security Best Practices
Greenway Health
 
PDF
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
PPTX
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
North Texas Chapter of the ISSA
 
NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...
North Texas Chapter of the ISSA
 
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
North Texas Chapter of the ISSA
 
Top 20 Security Controls for a More Secure Infrastructure
Infosec
 
Roadmap to security operations excellence
Erik Taavila
 
NTXISSACSC2 - Software Assurance (SwA) by John Whited
North Texas Chapter of the ISSA
 
Roadmap to IT Security Best Practices
Greenway Health
 
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
North Texas Chapter of the ISSA
 

What's hot (20)

PPTX
Tictaclabs Managed Cyber Security Services
TicTac Data Recovery
 
PDF
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Kevin Fealey
 
PPTX
Security and Compliance Initial Roadmap
Anshu Gupta
 
PPTX
Cybersecurity Priorities and Roadmap: Recommendations to DHS
John Gilligan
 
PPTX
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
centralohioissa
 
PPTX
NTXISSACSC2 - Why Lead with Risk? by Doug Landoll
North Texas Chapter of the ISSA
 
PDF
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
Shah Sheikh
 
PDF
Setting up CSIRT
APNIC
 
PPTX
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
centralohioissa
 
PPTX
Security Operations Center
MDS CS
 
PDF
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
PPTX
Community IT - Crafting Nonprofit IT Security Policy
Community IT Innovators
 
PDF
Why Zero Trust Yields Maximum Security
Priyanka Aash
 
PPTX
Developing an Information Security Roadmap
Austin Songer
 
PPTX
Cybersecurity framework v1-1_presentation
Monchai Phaichitchan
 
PPSX
Next-Gen security operation center
Muhammad Sahputra
 
PDF
What it Takes to be a CISO in 2017
Doug Copley
 
PPTX
What is a cybersecurity assessment 20210813
Kinetic Potential
 
PDF
Securing your presence at the perimeter
Ben Rothke
 
PPTX
Cybersecurity Framework - Introduction
Muhammad Akbar Yasin
 
Tictaclabs Managed Cyber Security Services
TicTac Data Recovery
 
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Kevin Fealey
 
Security and Compliance Initial Roadmap
Anshu Gupta
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
John Gilligan
 
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
centralohioissa
 
NTXISSACSC2 - Why Lead with Risk? by Doug Landoll
North Texas Chapter of the ISSA
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
Shah Sheikh
 
Setting up CSIRT
APNIC
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
centralohioissa
 
Security Operations Center
MDS CS
 
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
Community IT - Crafting Nonprofit IT Security Policy
Community IT Innovators
 
Why Zero Trust Yields Maximum Security
Priyanka Aash
 
Developing an Information Security Roadmap
Austin Songer
 
Cybersecurity framework v1-1_presentation
Monchai Phaichitchan
 
Next-Gen security operation center
Muhammad Sahputra
 
What it Takes to be a CISO in 2017
Doug Copley
 
What is a cybersecurity assessment 20210813
Kinetic Potential
 
Securing your presence at the perimeter
Ben Rothke
 
Cybersecurity Framework - Introduction
Muhammad Akbar Yasin
 
Ad

Viewers also liked (16)

PDF
Tax Preparers Presentation
Doug Landoll
 
PPTX
Mnescot controls monitoring
mnescot
 
PDF
Security Certification - Critical Review
ISA Interchange
 
PDF
Securing SCADA
Jeffrey Wang , P.Eng
 
PPT
Software Security Frameworks
Marco Morana
 
PDF
Nist 800 82
majolic
 
PPT
Cisa Certification Overview
Al Imran, CISA
 
PDF
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
James W. De Rienzo
 
PDF
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
James W. De Rienzo
 
PDF
Security Maturity Models.
Priyanka Aash
 
PPT
Evolution Of IPR
Lalit Ambastha
 
PDF
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
NUS-ISS
 
PPT
Ipr, Intellectual Property Rights
Vikram Dahiya
 
PDF
COBIT®5 - Foundation
Mirosław Dąbrowski C-level IT manager, CEO, Agile, ICF Coach, Speaker
 
PDF
TYBSC IT SEM 6 IPR/CL
WE-IT TUTORIALS
 
PPTX
Intellectual Property Rights (IPR)
Madhusudan Rao Datrika
 
Tax Preparers Presentation
Doug Landoll
 
Mnescot controls monitoring
mnescot
 
Security Certification - Critical Review
ISA Interchange
 
Securing SCADA
Jeffrey Wang , P.Eng
 
Software Security Frameworks
Marco Morana
 
Nist 800 82
majolic
 
Cisa Certification Overview
Al Imran, CISA
 
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
James W. De Rienzo
 
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
James W. De Rienzo
 
Security Maturity Models.
Priyanka Aash
 
Evolution Of IPR
Lalit Ambastha
 
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
NUS-ISS
 
Ipr, Intellectual Property Rights
Vikram Dahiya
 
COBIT®5 - Foundation
Mirosław Dąbrowski C-level IT manager, CEO, Agile, ICF Coach, Speaker
 
TYBSC IT SEM 6 IPR/CL
WE-IT TUTORIALS
 
Intellectual Property Rights (IPR)
Madhusudan Rao Datrika
 
Ad

Similar to NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by Doug Landoll (20)

PPTX
DOC-20250530-WA0008.pptx.................
salmannawaz6566504
 
PDF
IAS1-FINALS.pdf for bsit students who are studying information technology
LesbertBayanay
 
PPTX
Overview on Information Security Awareness.pptx
ishaqictm
 
PPTX
Cyber Families - Incident Response.pptx
Kinetic Potential
 
PPTX
Cybersecurity Framework Luncheon Presentation 1-18-18.pptx
trinirebel1
 
PPTX
Information Security Blueprint
Zefren Edior
 
PDF
Cybersecurity Frameworks for DMZCON23 230905.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ODT
Ch.5 rq (1)
anthnydvs
 
PPTX
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
North Texas Chapter of the ISSA
 
DOCX
Worksheet 4 LANWAN Compliance and Auditinglook on the docume.docx
griffinruthie22
 
PPTX
Controls in Audit.pptx
HardikKundra
 
DOCX
Week 7Worksheet 4 LANWAN Compliance and AuditingCourse L.docx
cockekeshia
 
PDF
Compare and Contrast Security Controls and Framework Types
LearningwithRayYT
 
PPTX
D1 security and risk management v1.62
AlliedConSapCourses
 
PDF
CyberSecurity Update Slides
Jim Kaplan CIA CFE
 
PDF
CNIT 160 Ch 4a: Information Security Programs
Sam Bowne
 
PPTX
Security Policies and Standards
primeteacher32
 
PPT
ch01_overview_bywillialmstallings_nemo.ppt
blockchaincrc2023
 
PPT
ch01_overview_nemo cryptography concepts.ppt
MubeenaBegum11
 
PDF
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
DOC-20250530-WA0008.pptx.................
salmannawaz6566504
 
IAS1-FINALS.pdf for bsit students who are studying information technology
LesbertBayanay
 
Overview on Information Security Awareness.pptx
ishaqictm
 
Cyber Families - Incident Response.pptx
Kinetic Potential
 
Cybersecurity Framework Luncheon Presentation 1-18-18.pptx
trinirebel1
 
Information Security Blueprint
Zefren Edior
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Ch.5 rq (1)
anthnydvs
 
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
North Texas Chapter of the ISSA
 
Worksheet 4 LANWAN Compliance and Auditinglook on the docume.docx
griffinruthie22
 
Controls in Audit.pptx
HardikKundra
 
Week 7Worksheet 4 LANWAN Compliance and AuditingCourse L.docx
cockekeshia
 
Compare and Contrast Security Controls and Framework Types
LearningwithRayYT
 
D1 security and risk management v1.62
AlliedConSapCourses
 
CyberSecurity Update Slides
Jim Kaplan CIA CFE
 
CNIT 160 Ch 4a: Information Security Programs
Sam Bowne
 
Security Policies and Standards
primeteacher32
 
ch01_overview_bywillialmstallings_nemo.ppt
blockchaincrc2023
 
ch01_overview_nemo cryptography concepts.ppt
MubeenaBegum11
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 

More from North Texas Chapter of the ISSA (20)

PPTX
Purple seven-ntxissacsc5 walcutt
North Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 yellow 7 protecting the cloud with cep
North Texas Chapter of the ISSA
 
PDF
Ntxissacsc5 gold 4 beyond detection and prevension remediation
North Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 gold 1 mimecast e mail resiliency
North Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
North Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
North Texas Chapter of the ISSA
 
PDF
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
North Texas Chapter of the ISSA
 
PDF
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
North Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 purple 5-insider threat-_andy_thompson
North Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
North Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
North Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
North Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
North Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
North Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
North Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
North Texas Chapter of the ISSA
 
PDF
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
North Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
North Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
North Texas Chapter of the ISSA
 
PPTX
Ntxissacsc5 blue 1-nine cybersecurity habits-george_finney
North Texas Chapter of the ISSA
 
Purple seven-ntxissacsc5 walcutt
North Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 7 protecting the cloud with cep
North Texas Chapter of the ISSA
 
Ntxissacsc5 gold 4 beyond detection and prevension remediation
North Texas Chapter of the ISSA
 
Ntxissacsc5 gold 1 mimecast e mail resiliency
North Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
North Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
North Texas Chapter of the ISSA
 
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
North Texas Chapter of the ISSA
 
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
North Texas Chapter of the ISSA
 
Ntxissacsc5 purple 5-insider threat-_andy_thompson
North Texas Chapter of the ISSA
 
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
North Texas Chapter of the ISSA
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
North Texas Chapter of the ISSA
 
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
North Texas Chapter of the ISSA
 
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 1-nine cybersecurity habits-george_finney
North Texas Chapter of the ISSA
 

Recently uploaded (20)

PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
PPTX
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
 
PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
PDF
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
PDF
Slides PDF The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
DOCX
Unit-3 cyber security network security of internet system
shivangisharma636228
 
PPT
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
PPTX
Introduction to Information and Communication Technology
AkmadArzieAyao1
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PPTX
innovation process that make everything different.pptx
SoumyadipPaul18
 
PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
PPTX
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
PPT
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
PPT
FIRE PREVENTION AND CONTROL PLAN- LUS.FM.MQ.OM.UTM.PLN.00014.ppt
MelwinPaul6
 
PPTX
Mathew Digital SEO Checklist Guidlines 2025
Mathew Digital
 
PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
PDF
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
PPTX
Digital Literacy And Online Safety on internet
riksa rifqi
 
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
Slides PDF The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
Unit-3 cyber security network security of internet system
shivangisharma636228
 
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
Introduction to Information and Communication Technology
AkmadArzieAyao1
 
Funds Management Learning Material for Beg
NKKumar16
 
innovation process that make everything different.pptx
SoumyadipPaul18
 
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
FIRE PREVENTION AND CONTROL PLAN- LUS.FM.MQ.OM.UTM.PLN.00014.ppt
MelwinPaul6
 
Mathew Digital SEO Checklist Guidlines 2025
Mathew Digital
 
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
Digital Literacy And Online Safety on internet
riksa rifqi
 

NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by Doug Landoll

  • 1. @NTXISSA Four Deadly Traps in Using Information Security Frameworks Doug Landoll CEO Lantego April 25, 2015 www.lantego.com (512) 633-8405 dlandoll@lantego.com
  • 2. @NTXISSA Session Agenda • Framework Definition & Uses • NIST 800-53 Framework Intro & Uses • Four Traps of Frameworks • Conclusion
  • 3. @NTXISSA Framework – skeletal structure designed to support something. Security Frameworks – structure to help organize and prioritize information security programs. Framework Definition
  • 4. @NTXISSA Structure • Organization for the creation or review of an information security program Reference • Connection with other frameworks, standards, and requirements. Completeness • Thorough treatment of security controls Security Framework Uses
  • 5. @NTXISSA NIST 800-53 Intro: “FISMA Five” FIPS Pub 199: Security Categorization NIST 800-37: Guide for C&A FIPS Pub 200: Minimum Security Controls NIST 800-53: Recommended Security Controls NIST 800-53A: Techniques for Verifying Effectiveness System: Low, Moderate, or High 18 Control Families Certification & Accreditation Process 800+ security controls How to audit controls
  • 6. @NTXISSA SP 800-53 Catalog of Controls • Organized and structured set of security controls • 18 Security Control Families ID FAMILY ID FAMILY AC Access Control MP Media Protection AT Awareness and Training PE Physical and Environmental Protection AU Audit and Accountability PL Planning CA Security Assessment an Authorization PS Personnel Security CM Configuration Management RA Risk Assessment CP Contingency Planning SA System and Services Acquisition IA Identification and Authentication SC System and Communications Protection IR Incident Response SI System and Information Integrity MA Maintenance PM Program Management*
  • 7. @NTXISSA SP 800-53 Control Structure • Security Control Structure Control Ref. # and Name Control Section Supplemental Guidance Control Enhancements References Priority & Baseline Allocation
  • 8. @NTXISSA Control Reference & Name • Within each security control family are a number of security controls. These security controls are numbered. Ref. AU-1 Audit and Accountability Policy and Procedures AU-2 Audit Events AU-3 Content of Audit Records AU-4 Audit Storage Capacity AU-5 Response to Audit Processing Failures AU-6 Audit Review, Analysis, and Reporting AU-7 Audit Reduction and Report Generation AU-8 Time Stamps AU-9 Protection of Audit Information … …
  • 9. @NTXISSA Control Section • Each security control is describes as a requirement. Control: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
  • 10. @NTXISSA Supplemental Guidance • Supplemental guidance provides non-prescriptive additional information to guide the definition, development, and implementation of the security control. • Operational considerations • Mission/business considerations • Risk assessment information. Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI- 11.
  • 11. @NTXISSA Control Enhancements • Control enhancements provide statements of security capability to: • Add function/specificity to the control, or • Increase the strength of the control. Control Enhancements: (1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. (2) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
  • 12. @NTXISSA References • References section includes a list of applicable documents relevant to the security control: • federal laws, • Executive Orders, • directives, • policies, • regulations, • standards, and • guidelines
  • 13. @NTXISSA Priority & Baseline Allocation • Priority provides guidance for sequencing decisions • Baseline Allocation –starting point for the security control selection process based on system categorization (Low, Moderate, High) MOD HIGHLOW
  • 14. @NTXISSA Control Assignment • Controls may be augmented through assignment and selection options within control statements. • Assignment: Organizationally defined AU-2 AUDIT EVENTS The organization: … (3) AUDIT EVENT | REVIEWS AND UPDATES The organization reviews and updates the audited events [Assignment: organization-defined frequency]. 800-53 Example
  • 15. @NTXISSA Control Selection • Controls may be augmented through assignment and selection options within control statements. • Selection: Organizationally defined IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION Control: The information system uniquely identifies and authenticates [Assignment: organizational defined specific and/or types of devices] before establishing a [Selection (one or more): local, remote, network] connection. 800-53 Example
  • 16. @NTXISSA Security Controls: Risk-based Process • NIST: • An organizational risk assessment validates the initial security control selection and determines if additional controls are needed. • Example: • System categorization (Standard | Protected) determines initial security control selection. • Organizational | System risk assessment provides rationale for additional, compensating, or deleted security controls from initial selection.
  • 17. @NTXISSA Structure • 18 Security Control Families Reference • Includes crosswalks to ISO27001 & CC • CC -> 800-53; 800-53 -> CC • ISO 27001 -> 800-53; 800-53 -> ISO 27001 Completeness • Organizational, Management and Technical Controls Framework Uses: NIST 800-53 Example
  • 18. @NTXISSA Policy # Policy Name Policy # Policy Name P8110 Data Classification P8310 Account Management P8120 Information Security Program P8320 Access Control P8130 System Security Acquisition P8330 System Security Audit P8210 Security Awareness Training and Education P8340 Identification and Authentication P8220 System Security Maintenance P8350 System and Communication Protection P8230 Contingency Planning P8410 System Privacy P8240 Incident Response Planning P8250 Media Protection P8260 Physical Protections P8270 Personnel Security Control P9280 Acceptable Use Example Policies Based on 800-53 Framework
  • 19. @NTXISSA Four Framework Traps 1. False Frameworks 2. Compliance via Assertion 3. Tailoring by Judgment 4. One and Done
  • 20. @NTXISSA False Frameworks • Regulations and Standards not Frameworks: • Incomplete and focus solely on specific data and security policies • HIPAA • PCI DSS • “Industry Best Practices” • No available references, not industry recognized, likely incomplete and not structured. • AKA: Our own secret sauce • Smoke and Mirrors
  • 21. @NTXISSA Compliance via Assertion • Embracing a Framework is step one. • Next Steps • Interpret • Apply • Assess • Address gaps
  • 22. @NTXISSA Tailoring by Judgment • Frameworks are tailorable through an exception process or a risk based process. • Tailoring based on gaps, “judgment”, and cost limits the benefits of a framework
  • 23. @NTXISSA One and Done • A security program based on a framework will require maintenance • Frameworks get updates • ISO 27001/2: Updated Sept 2013 • NIST 800-53: Updated April 2013 • COBIT 5: Updated 2012 • Other Updates • References, Mappings, Business & Customer Requirements • Reassess regularly
  • 24. @NTXISSA Conclusions • Determine appropriate framework for the business • Add requirements (these are not frameworks) • Embrace the framework and its tailoring process • Beware framework traps • It’s just a framework – there is a lot more work to do.
  • 25. @NTXISSA@NTXISSA The Collin College Engineering Department Collin College Student Chapter of the North Texas ISSA North Texas ISSA (Information Systems Security Association) NTX ISSA Cyber Security Conference – April 24-25, 2015 25 Thank you