Control Assessments
An Asset-Based Methodology


                             Copyright 2009 SCIF Software, Inc. Released under the Creative Commons Attribution 3.0 License
Security Axiom

✤   Security is achieved by applying relevant controls to the assets in scope

    ✤   Therefore, a security evaluation assesses the controls applied to those
        assets, whether or not the assets are documented

    ✤   A compliance program may be focused on specific information, business
        processes, services provided, or an industry; however, the security
        controls implemented do not change based on the focus of the
        compliance program

Asset Types

✤   Business Assets

    ✤   Locations

    ✤   Information

    ✤   Organizations

    ✤   Personnel

✤   Technical Assets

    ✤   Applications

    ✤   Connections

    ✤   Devices

    ✤   Networks

    ✤   Proprietary Code

Asset Classification

✤   Not all like-assets are equal

    While the security controls possible for all devices are the same,
    the security controls required may not be, depending on the purpose
    or other attributes of the device

✤   The same principle applies to all other asset types as well

Asset Classification (Continued)

(Slide diagram, not reproduced: a network with firewalls, a Web Server, a DB Server, Desktops and a Laptop)

✤   The firewalls serve as access points to networks

✤   The Web Server and DB Server are part of an N-Tier application
    infrastructure that centrally provides access to significant NPPI

✤   The Desktops and Laptop are used to access limited NPPI records

Asset Profile Introduction

✤   Asset Profile purpose:

    ✤   Associate regulatory requirements with the assets that must comply

    ✤   Associate the security controls that can or must be used to implement
        compliance

Asset Profile

✤   A type of asset that must meet the requirements for a specified security posture

✤   Examples:

    ✤   NPPI Repository Server

    ✤   NPPI Workstation

    ✤   NPPI Repository Network

    ✤   NPPI Facility

    ✤   NPPI Network Access Point

    ✤   Person with Access to NPPI

    ✤   NPPI Repository Application

    ✤   NPPI Data Center Room

Asset Profile Controls

    Control                        NPPI Repository                  NPPI Workstation                 Portable NPPI Workstation
    -----------------------------  -------------------------------  -------------------------------  -------------------------------
    Authentication Mechanism       Two Factor                       Username and Password            Username and Password
    Must be in Data Center         Required                         Not Required                     Not Required
    Hard Disk Encryption           Required                         Not Required                     Required
    Redundant Power                Required                         Not Required                     Not Required
    Backup Frequency               Daily                            None                             None
    Must be on Protected Network   Required                         Not Required                     Not Required
    Content Filtering Enabled      Required                         Required                         Required
    Critical Patch Installation    Within 15 Days                   Within 30 Days                   Within 30 Days
    Disable USB Ports              Required                         Required                         Required
    Log Review                     24 x 7 Aggregation and           24 x 7 Aggregation and           24 x 7 Aggregation and
                                   Correlation w/ Human Review      Correlation                      Correlation

Asset Profile Assets

(Diagram slide, not reproduced)

Asset Profile Assessment

✤   Question-based evaluation of assets to determine scope; the questions are:

    ✤   Simple

    ✤   Intuitive

    ✤   Understandable

    ✤   Answered True/False or Multiple Choice

Scope Assessment Example #1

✤   An automated system or application receives communication from a
    network outside the control of the third party and contains any of
    the following:

    ✤   ACME NPPI Records

    ✤   ACME Restricted or Security Critical Information

✤   Resultant Scope:

    ✤   ACME Data Repository

Scope Assessment Example #1a

✤   An automated system or application centrally processes or permanently
    stores any of the following:

    ✤   > 100 ACME NPPI Records

    ✤   > 500 Non-NPPI ACME Customer-Related Data Records

    ✤   ACME Restricted or Security Critical Information

✤   Resultant Scope:

    ✤   ACME Data Repository

Scope Assessment Example #2

✤   An automated system or application is used to access any of the
    following:

    ✤   < 100 ACME NPPI Records

    ✤   < 500 Non-NPPI ACME Customer-Related Data Records

    ✤   ACME Internal or Confidential Information

✤   Resultant Scope:

    ✤   ACME Data Workstation

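The three scope examples above form one rule set. The following Python encodes it as an added example; it is not code from the deck or from SCIF Software. The Asset field names, the reading of each slide's bullet list as "any of the following", and returning None for an asset no rule covers are assumptions; the thresholds (100 NPPI records, 500 customer records), the information classifications and the two scope names are taken from the slides.

```python
"""Scoping rules from Scope Assessment Examples #1, #1a and #2.

Added example; not code from the original deck. The Asset fields, the
"any of" reading of each slide, and the handling of assets that match
no rule are assumptions. Thresholds and scope names come from the slides.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

REPOSITORY = "ACME Data Repository"
WORKSTATION = "ACME Data Workstation"

# Information classifications named on the slides.
RESTRICTED = {"Restricted", "Security Critical"}
INTERNAL = {"Internal", "Confidential"}


@dataclass
class Asset:
    name: str
    nppi_records: int = 0           # ACME NPPI records stored or accessed
    customer_records: int = 0       # non-NPPI ACME customer-related records
    info_classes: Set[str] = field(default_factory=set)  # e.g. {"Restricted"}
    central_store: bool = False     # centrally processes or permanently stores the data
    external_network: bool = False  # receives traffic from a network outside the third party's control


def scope_for(asset: Asset) -> Optional[str]:
    """Return the Asset Profile (scope) the asset falls into, or None when no rule matches."""
    restricted = bool(asset.info_classes & RESTRICTED)

    # Example #1: reachable from an uncontrolled network and holding NPPI or
    # Restricted/Security Critical data -> repository, regardless of record count.
    if asset.external_network and (asset.nppi_records > 0 or restricted):
        return REPOSITORY

    # Example #1a: central processing / permanent storage above the volume thresholds.
    if asset.central_store and (
        asset.nppi_records > 100 or asset.customer_records > 500 or restricted
    ):
        return REPOSITORY

    # Example #2: access to limited volumes, or to Internal/Confidential information.
    limited_access = (0 < asset.nppi_records < 100) or (0 < asset.customer_records < 500)
    if limited_access or asset.info_classes & INTERNAL:
        return WORKSTATION

    # Nothing on the slides covers this asset (for instance exactly 100 NPPI
    # records stored centrally: neither "> 100" nor "< 100"). Return None so
    # the assessor decides explicitly instead of silently getting the weaker profile.
    return None


def assign_scopes(assets: List[Asset]) -> Tuple[Dict[str, str], List[str]]:
    """Map every asset to its scope; unscoped assets are reported, not dropped."""
    scoped: Dict[str, str] = {}
    unscoped: List[str] = []
    for asset in assets:
        scope = scope_for(asset)
        if scope is None:
            unscoped.append(asset.name)
        else:
            scoped[asset.name] = scope
    return scoped, unscoped


# Constructed sample inventory (not from the deck), modelled on the slide-5 diagram.
SAMPLE_ASSETS = [
    Asset("web-01", nppi_records=5000, central_store=True, external_network=True),
    Asset("db-01", nppi_records=5000, central_store=True),
    Asset("desk-17", nppi_records=20),
    Asset("laptop-03", info_classes={"Confidential"}),
    Asset("archive-02", nppi_records=100, central_store=True),  # boundary the slides leave open
]

if __name__ == "__main__":
    scoped, unscoped = assign_scopes(SAMPLE_ASSETS)
    for name, scope in scoped.items():
        print(f"{name:12} -> {scope}")
    print("needs assessor decision:", unscoped)
```

The boundary cases are surfaced on purpose: an asset that centrally stores exactly 100 NPPI records matches neither "> 100" nor "< 100", so scope_for returns None and assign_scopes lists it for an assessor decision rather than defaulting it to the Workstation profile and its weaker controls.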
Assessment Questionnaires

✤   One Questionnaire for each Asset Profile

    ✤   Contains the controls deemed relevant for each asset-type/Asset
        Profile combination

    ✤   Focuses questions granularly on a specific asset or group of assets
        within scope

✤   Increases the efficiency and effectiveness of the audit program

Questionnaire Format

Control Family              Reference   Question Text                                                                                            Yes/No/NA/TI
Authentication Management   2           The information system uniquely identifies and authenticates users (or processes acting on behalf of users).
Authentication Management   2.1         Authentication of user identities is accomplished through approved mechanisms.
Authentication Management   2.1.1       Authentication of user identities is accomplished through the use of usernames and passwords.
Authentication Management   2.1.2       Authentication of user identities is accomplished through the use of usernames and biometric devices.
Authentication Management   2.1.3       Authentication of user identities is accomplished through the use of usernames and tokens.
Authentication Management   2.1.4       Authentication of user identities is accomplished through the use of digital certificates.
Authentication Management   2.1.5       Authentication of user identities is accomplished through the use of multi-factor authentication.
Authentication Management   2.2         FIPS 201 and Special Publications 800-73 and 800-76 guidance regarding personal identity verification (PIV) card tokens for use in the unique identification and authentication of federal employees and contractors is followed.
Authentication Management   2.3         NIST Special Publication 800-63 guidance on remote electronic authentication is followed.
Authentication Management   2.4         User identification and authentication within a specified security perimeter follows NIST SP 800-63 guidance.
Authentication Management   3           The information system identifies and authenticates specific devices before establishing a connection.
Authentication Management   3.1         The information system uses pre-defined mechanisms to identify and authenticate devices on local and/or wide area networks.
Authentication Management   3.1.1       The information system uses shared known information (e.g., Media Access Control (MAC) or Transmission Control Protocol/Internet Protocol (TCP/IP) addresses) to identify and authenticate devices on local and/or wide area networks.
Authentication Management   3.1.2       The information system uses an organizational authentication solution (e.g., IEEE 802.1X with Extensible Authentication Protocol (EAP), or a RADIUS server with EAP-Transport Layer Security (EAP-TLS) authentication) to identify and authenticate devices on local and/or wide area networks.
Authentication Management   4           The organization manages user identifiers.
Authentication Management   4.1         The organization manages user identifiers by uniquely identifying each user.
Authentication Management   4.2         The organization manages user identifiers by verifying the identity of each user.
Authentication Management   4.3         The organization manages user identifiers by receiving authorization to issue a user identifier from an appropriate organization official.
Authentication Management   4.5         The organization manages user identifiers by disabling each user identifier after a pre-defined period of inactivity.
Authentication Management   4.5.1       The organization manages user identifiers by disabling each user identifier after 6 months of inactivity.
Authentication Management   4.5.2       The organization manages user identifiers by disabling each user identifier after 3 months of inactivity.
Authentication Management   4.6         The organization manages user identifiers by archiving user identifiers.

Control Assessment Framework

✤   Compliance Charter:

    ✤   Who must comply

    ✤   Why compliance is required

    ✤   When compliance must be achieved

✤   Security Standard:

    ✤   Where compliance applies (which assets or Scopes)

    ✤   What must be done (high level)

Control Assessment Framework

✤   Control Catalog:

    ✤   List of security controls that may be used to secure assets

✤   Compliance Map:

    ✤   Intersection of a Security Standard and a Security Control within the
        context of an Asset Profile

    ✤   How compliance is achieved

(Slide diagram "Asset Profile Map", not reproduced)

Compliance Charter (Who, Why, When)

✤   Documents the compliance program's:

    ✤   Purpose

    ✤   Scope

    ✤   Governance

Security Standard (What, Where)

✤   Provides high-level guidance for security

    ✤   May be tailored to:

        ✤   Information

        ✤   Business Process Supported

        ✤   Services Provided

        ✤   Industry

Control Catalog

✤   Based on industry guidance

    ✤   NIST SP 800-53

    ✤   ISO 27002

✤   Contains controls for all asset types

✤   Controls are organized by family/domain

✤   Allows granular documentation of appropriate security postures

Compliance Map (How)

✤   Compliance Maps are combined to create a Security Questionnaire for each
    Asset Profile

✤   Each control in the questionnaire must be answered:

    ✤   Yes (control is in place)

    ✤   No (control is not in place)

    ✤   NA (control is Not Applicable; provide justification)

    ✤   TI (control is Technically Infeasible; provide documentation)

Review Process

(Diagram slide, not reproduced)

