Asset Based Compliance Assessment
1. Control Assessments
An Asset-Based Methodology
Copyright 2009 SCIF Software, Inc. Released under the Creative Commons Attribution 3.0 License
2. Security Axiom
✤ Security is achieved by applying relevant controls to assets in scope
✤ Therefore, security evaluations evaluate the controls applied to the assets, whether the assets are documented or not
✤ A compliance program may be focused on specific information, business processes, services provided, or an industry; however, the security controls implemented do not change based on the focus of the compliance program
3. Asset Types
✤ Business Assets
✤ Locations
✤ Information
✤ Organizations
✤ Personnel
✤ Technical Assets
✤ Applications
✤ Connections
✤ Devices
✤ Networks
✤ Proprietary Code
4. Asset Classification
✤ Not all like-assets are equal: while the security controls possible for all devices are the same, the security controls required may not be, depending on the purpose or other attributes of the device
✤ The same principle applies to all other asset types as well
5. Asset Classification (Continued)
✤ The firewalls serve as access points to networks
✤ The Web Server and DB Server are part of an N-Tier application infrastructure that centrally provides access to significant NPPI
✤ The Desktops and Laptop are used to access limited NPPI records
6. Asset Profile Introduction
✤ Asset Profile purpose:
✤ Associate regulatory requirements to assets that must comply
✤ Associate security controls that can/must be used to implement compliance
7. Asset Profile
✤ A type of asset that meets the requirements for a specified security posture
✤ Examples:
✤ NPPI Repository Server
✤ NPPI Workstation
✤ NPPI Repository Network
✤ NPPI Facility
✤ NPPI Network Access Point
✤ Person with Access to NPPI
✤ NPPI Repository Application
✤ NPPI Data Center Room
8. Asset Profile Controls
Control | NPPI Repository | NPPI Workstation | Portable NPPI Workstation
Authentication Mechanism | Two Factor | Username and Password | Username and Password
Must be in Data Center | Required | Not Required | Not Required
Hard Disk Encryption | Required | Not Required | Required
Redundant Power | Required | Not Required | Not Required
Backup Frequency | Daily | None | None
Must be on Protected Network | Required | Not Required | Not Required
Content Filtering Enabled | Required | Required | Required
Critical Patch Installation | Within 15 Days | Within 30 Days | Within 30 Days
Disable USB Ports | Required | Required | Required
Log Review | 24 X 7 Aggregation and Correlation w/ Human Review | 24 X 7 Aggregation and Correlation | 24 X 7 Aggregation and Correlation
9. Asset Profile Assets
10. Asset Profile Assessment
✤ Question-based evaluation of assets to determine scope
✤ Simple
✤ Intuitive
✤ Understandable
✤ Have True/False or Multiple Choice Answers
11. Scope Assessment Example #1
✤ Automated system or application receives communication from a network outside the control of the third-party and contains:
✤ ACME NPPI Records
✤ ACME Restricted or Security Critical Information
✤ Resultant Scope:
✤ ACME Data Repository
12. Scope Assessment Example #1a
✤ Automated system or application centrally processes or permanently stores:
✤ > 100 ACME NPPI Records
✤ > 500 Non-NPPI ACME Customer-Related Data Records
✤ ACME Restricted or Security Critical Information
✤ Resultant Scope:
✤ ACME Data Repository
13. Scope Assessment Example #2
✤ Automated system or application is used to access:
✤ < 100 ACME NPPI Records
✤ < 500 Non-NPPI ACME Customer-Related Data
✤ ACME Internal or Confidential Information
✤ Resultant Scope:
✤ ACME Data Workstation
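The three scope assessment examples above, worked as code: an asset's attributes decide its resultant scope, and the scope selects the Asset Profile whose controls (a subset of the slide 8 matrix) it must satisfy. This is an added example, not code from the SCIF deck; the `Asset` data model, the `portable` attribute, the "Out of Scope" result and the mapping from scope names to profile names are assumptions of the example.

```python
from dataclasses import dataclass, field

# Constructed data model for the deck's scope rules (an assumption, not the deck's own code).
@dataclass
class Asset:
    nppi_records: int = 0          # ACME NPPI records held or accessed
    customer_records: int = 0      # non-NPPI ACME customer-related data records
    classifications: set = field(default_factory=set)  # e.g. {"Restricted", "Internal"}
    external_ingress: bool = False # receives communication from a network outside third-party control
    central_store: bool = False    # centrally processes or permanently stores the data
    portable: bool = False         # assumption: laptop vs. desktop picks the workstation profile
RESTRICTED = {"Restricted", "Security Critical"}
INTERNAL = {"Internal", "Confidential"}

def scope_asset(a: Asset) -> str:
    """Examples #1, #1a and #2 in that order; exactly 100/500 records is undecided by the deck."""
    if a.external_ingress and (a.nppi_records > 0 or a.classifications & RESTRICTED):
        return "ACME Data Repository"                              # Example #1
    if a.central_store and (a.nppi_records > 100 or a.customer_records > 500
                            or a.classifications & RESTRICTED):
        return "ACME Data Repository"                              # Example #1a
    if 0 < a.nppi_records < 100 or 0 < a.customer_records < 500 or a.classifications & INTERNAL:
        return "ACME Data Workstation"                             # Example #2
    return "Out of Scope"                        # assumption: no example matched

# Subset of the slide 8 control matrix, keyed by Asset Profile (values as on the slide).
PROFILE_CONTROLS = {
    "NPPI Repository": {"Authentication Mechanism": "Two Factor", "Hard Disk Encryption": "Required",
                        "Backup Frequency": "Daily", "Critical Patch Installation": "Within 15 Days",
                        "Log Review": "24 X 7 Aggregation and Correlation w/ Human Review"},
    "NPPI Workstation": {"Authentication Mechanism": "Username and Password",
                         "Hard Disk Encryption": "Not Required", "Backup Frequency": "None",
                         "Critical Patch Installation": "Within 30 Days",
                         "Log Review": "24 X 7 Aggregation and Correlation"},
    "Portable NPPI Workstation": {"Authentication Mechanism": "Username and Password",
                                  "Hard Disk Encryption": "Required", "Backup Frequency": "None",
                                  "Critical Patch Installation": "Within 30 Days",
                                  "Log Review": "24 X 7 Aggregation and Correlation"},
}

def asset_profile(a: Asset) -> str:
    """Assumed mapping from resultant scope to the slide 8 profile names."""
    scope = scope_asset(a)
    if scope == "ACME Data Repository":
        return "NPPI Repository"
    if scope == "ACME Data Workstation":
        return "Portable NPPI Workstation" if a.portable else "NPPI Workstation"
    return "None"

def required_controls(a: Asset) -> dict:
    # Controls the asset must satisfy under its profile; empty when out of scope.
    return dict(PROFILE_CONTROLS.get(asset_profile(a), {}))
```

Assets modelled on slide 5 (a DB server holding many NPPI records, a laptop accessing a few) land in the repository and portable workstation profiles respectively, which is why the laptop inherits the disk encryption requirement that the desktop does not.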
14. Assessment Questionnaires
✤ One Questionnaire for each Asset Profile
✤ Contains controls deemed relevant for each asset-type/Asset Profile combination
✤ Granularly focuses questions for a specific asset or group of assets within scope
✤ Increases efficiency and effectiveness of audit program
15. Questionnaire Format
Control Family | Reference | Question Text | Yes/No/NA/TI
Authentication Management | 2 | The information system uniquely identifies and authenticates users (or processes acting on behalf of users). |
Authentication Management | 2.1 | Authentication of user identities is accomplished through approved mechanisms. |
Authentication Management | 2.1.1 | Authentication of user identities is accomplished through the use of usernames and passwords. |
Authentication Management | 2.1.2 | Authentication of user identities is accomplished through the use of usernames and biometric devices. |
Authentication Management | 2.1.3 | Authentication of user identities is accomplished through the use of usernames and tokens. |
Authentication Management | 2.1.4 | Authentication of user identities is accomplished through the use of digital certificates. |
Authentication Management | 2.1.5 | Authentication of user identities is accomplished through the use of multi-factor authentication. |
Authentication Management | 2.2 | FIPS 201 and Special Publications 800-73 and 800-76 guidance regarding personal identity verification (PIV) card token for use in the unique identification and authentication of federal employees and contractors is followed. |
Authentication Management | 2.3 | NIST Special Publication 800-63 guidance on remote electronic authentication is followed. |
Authentication Management | 2.4 | User identification and authentication within a specified security perimeter follows NIST SP 800-63 guidance. |
Authentication Management | 3 | The information system identifies and authenticates specific devices before establishing a connection. |
Authentication Management | 3.1 | The information system uses pre-defined mechanisms to identify and authenticate devices on local and/or wide area networks. |
Authentication Management | 3.1.1 | The information system uses shared known information (e.g., Media Access Control (MAC) or Transmission Control Program/Internet Protocol (TCP/IP) addresses) to identify and authenticate devices on local and/or wide area networks. |
Authentication Management | 3.1.2 | The information system uses an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol (EAP) or a Radius server with EAP-Transport Layer Security (TLS) authentication) to identify and authenticate devices on local and/or wide area networks. |
Authentication Management | 4 | The organization manages user identifiers. |
Authentication Management | 4.1 | The organization manages user identifiers by uniquely identifying each user. |
Authentication Management | 4.2 | The organization manages user identifiers by verifying the identity of each user. |
Authentication Management | 4.3 | The organization manages user identifiers by receiving authorization to issue a user identifier from an appropriate organization official. |
Authentication Management | 4.5 | The organization manages user identifiers by disabling user identifiers after a pre-defined time period of inactivity. |
Authentication Management | 4.5.1 | The organization manages user identifiers by disabling user identifiers after 6 months of inactivity. |
Authentication Management | 4.5.2 | The organization manages user identifiers by disabling user identifiers after 3 months of inactivity. |
Authentication Management | 4.6 | The organization manages user identifiers by archiving user identifiers. |
16. Control Assessment Framework
✤ Compliance Charter:
✤ Who must comply
✤ Why compliance is required
✤ When compliance must be achieved
✤ Security Standard:
✤ Where compliance is applicable (which assets or Scopes)
✤ What must be done (high level)
17. Control Assessment Framework
✤ Control Catalog:
✤ List of security controls that may be used to secure assets
✤ Compliance Map:
✤ Intersection of Security Standard and Security Control within the context of an Asset Profile
✤ How compliance is achieved
[Diagram: Asset Profile Map]
18. Compliance Charter (Who / Why / When)
✤ Documents the compliance program's:
✤ Purpose
✤ Scope
✤ Governance
19. Security Standard (What / Where)
✤ Provides high-level guidance for security
✤ May be tailored to:
✤ Information
✤ Business Process Supported
✤ Services Provided
✤ Industry
20. Control Catalog
✤ Based on industry guidance
✤ NIST SP 800-53
✤ ISO 27002
✤ Contains controls for all asset-types
✤ Controls organized by family/domain
✤ Allows granular documentation of appropriate security postures
21. Compliance Map (How)
✤ Combined to create Security Questionnaires for each Asset Profile
✤ Each control must be answered:
✤ Yes (Control is in place)
✤ No (Control is not in place)
✤ NA (Control is Not Applicable, provide justification)
✤ TI (Control is Technically Infeasible, provide documentation)
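The answer rules above, applied to a filled-in questionnaire: every control needs one of the four answers, NA must carry a justification, TI must carry documentation, and every No is a control not in place. This is an added example, not code from the SCIF deck; the record layout, the sample answers (which reuse slide 15 references) and the function names are assumptions of the example.

```python
VALID_ANSWERS = {"Yes", "No", "NA", "TI"}

def validate_answer(reference, answer, evidence=""):
    """Return a problem description, or None when the answer satisfies the Compliance Map rules."""
    if answer not in VALID_ANSWERS:
        return f"{reference}: answer must be one of {sorted(VALID_ANSWERS)}"
    if answer == "NA" and not evidence.strip():
        return f"{reference}: NA requires a justification"
    if answer == "TI" and not evidence.strip():
        return f"{reference}: TI requires documentation"
    return None

def assess_questionnaire(records):
    """records: iterable of (reference, answer, evidence) tuples, one per control question.
    Returns (problems, controls_not_in_place, answer_counts) for the assessor's review."""
    problems, not_in_place = [], []
    counts = {answer: 0 for answer in VALID_ANSWERS}
    for reference, answer, evidence in records:
        problem = validate_answer(reference, answer, evidence)
        if problem:
            problems.append(problem)   # incomplete answers are not counted as compliance
            continue
        counts[answer] += 1
        if answer == "No":
            not_in_place.append(reference)
    return problems, not_in_place, counts

# Constructed sample answers (slide 15 references; evidence text is a placeholder).
SAMPLE_ANSWERS = [
    ("2.1.5", "Yes", ""),                                   # MFA in place
    ("2.2", "TI", "placeholder: documented reason PIV cannot be used"),
    ("2.3", "NA", ""),                                      # missing justification -> problem
    ("3.1.2", "No", ""),                                    # control not in place -> finding
    ("4.5.1", "Yes", ""),
    ("4.6", "Maybe", ""),                                   # not a permitted answer -> problem
]
```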
22. Review Process