Institute of Internal Auditors Presentation 2014
1. From Our House to Yours
Brian T. O’Hara CISA, CISM, CRISC
CISO, The Mako Group, LLC
btohara@makopro.com
260.241.4799
2. The Mako Group, LLC
“The Mako Group, LLC is an Information Technology and Systems security, compliance, and consulting firm, specializing in audit, compliance, Enterprise Risk Management and data security in both private and public sectors. As CISO, my responsibilities include the oversight and management of security related functions and services including audit and regulatory compliance reviews, Enterprise Risk Management (ERM), and development of strategic planning with regard to current and emerging security technologies.”
3. Introduction
• Health Care
• Banking
• SOX
• PCI
• Government
• Critical Infrastructure
• SOC (Service Organization Control)
• Manufacturing
5. Audit And Compliance Authority
• DHHS Department of Health & Human Services
– Charged with administering HIPAA
• OCR Office for Civil Rights
– Charged with Enforcement
• KPMG
– Audit Subcontractor to OCR
6. HIPAA
• HITECH Act
– Breach Notification
– Business Associate Agreements
– Security Rule
• OMNIBUS Rule
– Enforcement Rule
• BA Chain of Assurance
– Clarification of Rules
7. OCR/KPMG Audit Hot Buttons
• Risk Management
• Risk Assessment
• Risk Management Strategy
• IT Strategic Planning
• Key Phrases
– “Culture of Compliance”
– “Visible Demonstrable Evidence”
8. PERSISTENT PROBLEMS
• Lack of Knowledge
• Poor Risk Based Decision Making
• Resources
• “Experts”
• Shaming Tactics
9. Trends
• Poor/Non-Existent Risk Management
• Poor Understanding of Regulations
• Denial
• Overwhelmed
– Don’t know where to start
– Don’t understand regulations
• Lots of “Experts” and “Certified” products*
– ISC2 CISSP Certification
11. FFIEC TSP Guidance
• FFIEC Statement of Authority
– Anyone who does business with a financial institution falls under their jurisdiction *
• FDIC Audits
– Now available but you must ask
– TSP should be providing these
13. FFIEC Social Media Guidance
• Inclusion in Risk Assessment and ERM
– Owning the namespace
• Brand Protection
– Owning and Controlling Data
• Account access controls
– Monitoring Brand Usage
21. Goals of Standards Clarification
• Drive more consistency among assessors
• Help manage evolving risks / threats
• Align with changes in industry best practices
• Clarify scoping and reporting
• Eliminate redundant sub-requirements and consolidate documentation
• Provide stronger focus on some of the greater risk areas in the threat environment
• Provide increased clarity on PCI DSS & PA-DSS requirements
• Build greater understanding on the intent of the requirements and how to apply them
• Improve flexibility for all entities implementing, assessing, and building to the Standards
23. Rankings (Updated)
• In Place
• In Place with Compensating Controls
• Not Applicable
• Not In Place
• Not Tested
24. Review of Target and Neiman Marcus
COMPLIANCE DOES NOT MEAN SECURITY
25. PERSISTENT PROBLEMS
• Inconsistent application of standards in audit from QSAs
• Inconsistent knowledge from acquiring banks
• Slow Adoption of EMV Chip Based Technology
– Has been successfully breached but extremely difficult, time consuming, and expensive.
26. Trends
• Tighter controls on applications
• Tighter controls on terminal devices
– Physical seals used much like weights and measures
• Move to EMV Chip Based Cards
– Provides end-to-end encryption
– Already in Use in EU
– Some in Use Today in US
28. NIST
• SP 800 Series
• SP 800-53 Rev 4 Security and Privacy Controls for Federal Information Systems and Organizations
• Those certified under Rev 3 will have catch-up work to do
• New control mappings
29. FISMA
• Federal Information Security Act of 2002
• Required of all Federal Agencies or Sub Contractors
– “Chain of Assurance”
• DoD Does Own Thing
– Examples
• FDA, DHHS, IRS, etc.
31. Trends
• “Chain of Assurance”*
– Any subcontractor doing business with an agency required to have completed FISMA audits must also undergo FISMA audit and meet requirements
32. CRITICAL INFRASTRUCTURE
“systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
From President Obama’s Executive Order – Improving Critical Infrastructure Cybersecurity February 12, 2013.
33. Industrial Control Systems (ICS)
• SCADA
– Supervisory Control And Data Acquisition
• Typically larger than traditional stand-alone ICS
– Water plant versus small manufacturing
– Examples
• Water Utility
• Power Utility
• Supply Chain
• Transportation
34. PERSISTENT PROBLEMS
• Lack of Security in Design Phase
• Costly Upgrades
• Poor Inter Vendor Operability
• Poor Industry Awareness
• Poor Regulations
35. Trends
• Just Scratching the Surface
• Increased Vendor Awareness and Diligence
• Improving Operator Awareness Via Training
• ICS-CERT
37. No Longer SSAE16
• SOC 1
• SOC 2
• SOC 3
SHOULD RESULT IN NO DEFICIENCIES!
38. SOC 1
• Primarily for User Auditors
– Internal Controls Related to Financial Reporting
39. SOC 2
• Describes the suitability of design and operating effectiveness of controls at a service organization relevant to security, availability, processing integrity or confidentiality.
• Becoming More prevalent
• Involves 5 Security Trust Principles
• Standard Being Updated
40. SOC 3
• Similar to SOC 2 but does not disclose detailed controls and testing.
• More for Public Awareness
– Website Logos
42. Trends
• More SOC 2 Reports
• Better Understanding of
– Target Audience
– Purpose
– Trust Security Principles
43. Summary Top Issues
1. Risk Management
2. Vendor Management
3. BYO(C)(D)
4. Social Media
5. Cloud Computing
6. “Chain of Assurance”
7. Application Security
8. Mobile Device Security
44. Summary
• Some Things Never Change
– Behavior
• Some Things Always Change
– Regulations
– Examiner Expectations
• Compliance Does Not Lead To Security
• Security Will Lead To Compliance
57. Microsoft EMET
• MS Enhanced Mitigation Experience Toolkit (4.1)
– “The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.”
59. Wireshark
• “Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.”
• For Advanced Users
• Packet Capture and Analysis Tool
– Identify data exfiltration
– Identify C&C Traffic
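The two detection uses listed above (exfiltration and command-and-control traffic) are usually worked from a conversation or flow summary rather than from raw packets. The following is an added example, not part of the presentation or of the Wireshark project: it takes flow records of the kind that can be exported from a capture (timestamp, source, destination, port, bytes sent) and applies two simple defender-side heuristics, near-constant connection intervals as a sign of beaconing, and a large outbound byte total to one external host as a sign of bulk exfiltration. The sample flows, the threshold values and the field names are all constructed for the example.

```python
"""Flag possible C&C beaconing and bulk exfiltration in a list of flow records.

Added illustrative code; the records, thresholds and field layout are assumptions
chosen for this example, not a Wireshark export format.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: float        # seconds since the start of the capture
    src: str         # internal host
    dst: str         # external host
    dport: int
    bytes_out: int   # bytes sent from src to dst in this conversation


# Constructed sample data:
#  - 10.0.0.5 contacts 203.0.113.9 every 60 s with a tiny, near-identical payload (beacon-like)
#  - 10.0.0.7 pushes 5 MB to 198.51.100.20 ten times at irregular intervals (exfil-like)
#  - 10.0.0.8 does a little ordinary browsing to several hosts
SAMPLE_FLOWS: List[Flow] = [
    *[Flow(60.0 * i, "10.0.0.5", "203.0.113.9", 443, 310 + (i % 3)) for i in range(12)],
    *[Flow(t, "10.0.0.7", "198.51.100.20", 443, 5_000_000)
      for t in (2, 9, 11, 30, 33, 47, 48, 70, 95, 120)],
    Flow(3.0, "10.0.0.8", "192.0.2.1", 80, 1200),
    Flow(17.5, "10.0.0.8", "192.0.2.2", 443, 8400),
    Flow(40.2, "10.0.0.8", "192.0.2.1", 80, 950),
    Flow(300.0, "10.0.0.8", "192.0.2.3", 443, 2100),
]

Pair = Tuple[str, str]


def beaconing_hosts(flows: List[Flow], min_connections: int = 8,
                    max_jitter: float = 0.1) -> Dict[Pair, float]:
    """Return {(src, dst): mean interval} for pairs whose inter-arrival times are
    nearly constant (coefficient of variation <= max_jitter)."""
    by_pair: Dict[Pair, List[float]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f.ts)
    result: Dict[Pair, float] = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue                      # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            result[pair] = round(avg, 1)
    return result


def exfil_candidates(flows: List[Flow], threshold_bytes: int = 20_000_000) -> Dict[Pair, int]:
    """Return {(src, dst): total bytes out} for pairs whose outbound volume
    to a single destination meets the threshold."""
    totals: Dict[Pair, int] = defaultdict(int)
    for f in flows:
        totals[(f.src, f.dst)] += f.bytes_out
    return {pair: total for pair, total in totals.items() if total >= threshold_bytes}


def report(flows: List[Flow]) -> List[str]:
    """Human-readable summary of both checks, one line per finding."""
    lines = [f"possible beacon: {s} -> {d} every {iv}s"
             for (s, d), iv in beaconing_hosts(flows).items()]
    lines += [f"possible exfiltration: {s} -> {d} sent {total} bytes"
              for (s, d), total in exfil_candidates(flows).items()]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_FLOWS):
        print(line)
```

The interval test uses the coefficient of variation of the gaps so that it is independent of the beacon period; the exfiltration test deliberately sums per destination rather than per host, because a host that talks to many sites will legitimately send more in total than one that repeatedly pushes data to a single external address.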
62. From Our House to Yours
THANKS!
Brian T. O’Hara CISA, CISM, CRISC
CISO, The Mako Group, LLC
btohara@makopro.com
260.241.4799
Editor's Notes
We won’t discuss Manufacturing specifically because any compliance or audit issues related will fall under the other categories. However, we do work with a small number of manufacturers here in NE Indiana as they either are self-insured (HIPAA), or handle credit card transactions (PCI) or both.
*The only thing that can be “certified” as HIPAA compliant or not is either a Covered Entity or a Business Associate. Products, experts, and technologies cannot be HIPAA compliant. They may meet HIPAA standards but that does not make them “compliant”.
* This “chain of assurance” concept comes down directly from NIST and you will see it in other agencies such as DHHS.
Public Company Accounting Oversight Board
NIST 800 series special publications, known as the SP 800 series, cover all aspects of security, controls, and risk management in the federal sector with the exception of the DoD, which has its own standards.
FISMA, Federal Information Security Act of 2002
http://csrc.nist.gov/groups/SMA/fisma/index.html
You can clearly see the pattern of “chain of assurance”* now.
From Microsoft website http://support.microsoft.com/kb/2458544