Thursday, March 28, 2013

Requirements Driven – Mandatory Solutions

Common Required Solutions
[Update: Added source mapping and original spreadsheet]

Click on the worksheet below to view a compiled checklist of mandatory security solutions, an ecosystem if you will, that supplement and enable the comprehensive technical control set required by common regulations and standards.

Requirements Mapping
Very importantly, this is 100% requirements driven and not intended to be a comprehensive approach to protecting your data. However, this solution set is a great start. The authority documents from which this solution set is derived are written with the objective of protecting data relative to their domain. That doesn't mean the objective has been successfully met. Your particular use case may fall outside of the normative expectations for which the authority documents were written. Your particular operational mission and/or risk profile may drive additional technology solutions. For example, additional monitoring tools, network management,  e-discovery, network forensics, etc.

Solution Set Requirements Map 
(Click image below to see full-size) (PDF Version)
Common Required Technical Security Solutions




Thursday, March 21, 2013

US Intelligence Community – Worldwide Threat Assessment – March 2013

Anyone remember the days of using bulletin boards? Prodigy? Something happened to this simple Texas boy who suddenly realized there was an entire world of people out there. An entire world of thought. Suddenly, I understood the power of gathering multiple points of reference to solve problems because it gave me tremendous clarity and multiple contextual views.
Your system security suffers when you fail to cover your bases and take in multiple information sources to create context. Effectiveness requires a comprehensive approach.
 
I subscribe to the weekly Homeland Security Digital Library digest. This week included the Statement for the Record, Worldwide Threat Assessment of the US Intelligence Community, Senate Select Committee on Intelligence, James R. Clapper, Director of National Intelligence, March 12, 2013.
 
Two things of interest here. First is that cyber security is the first threat listed, and the primary concern of the authors of this report. Second is the recognition of the importance of gathering and compiling information across multiple sources, and the subsequent call to arms. "In this threat environment, the importance and urgency of intelligence integration cannot be
overstated. Our progress cannot stop."

Author: Clapper, James R. (James Robert)
Publisher: United States. Office of the Director of National Intelligence
Date: 2013-03-12
Copyright: Public Domain
URL: https://www.hsdl.org/?view&did=732599
 
There's another interesting article referenced in the digest covering border protection using complexity theory. Interesting to note similar findings. The thesis written by Michael J Schwan at the Naval Postgraduate School, while controversial in its findings, addresses concerns over current security endeavors that are "compartmentalized, fragmented, and poorly coordinated."
 
Author: Schwan, Michael J.
Publisher: Naval Postgraduate School (U.S.) 
Date: 2012-12
Copyright: Public Domain
URL: https://www.hsdl.org/?view&did=732181

Monday, March 11, 2013

Privacy Primer: Fair Information Practice Principles


Today while reading through a blog post by Michael Daniel, titled Improving the Security of the Nations Critical Infrastructure, I was drawn into the Privacy and Civil Liberties Protections section of the Executive Order on Improving Critical Infrastructure Cybersecurity. Michael says, "the executive order directs departments and agencies to incorporate privacy and civil liberties protections into cyber security activities based upon widely-accepted Fair Information Practice Principles, and other applicable privacy and civil liberties frameworks and policies."
Clicking the link to see the Fair Information Practice Principles, I read through the 2008 privacy policy guide that I frankly have never seen nor read before this. I found the guide to be a very interesting read. The eight Fair Information Practice Principles are: Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality and Integrity, Security, and Accountability and Auditing.

I thought it would be interesting to replace DHS with ORGANIZATION and read it again. Result? A short primer to privacy safeguards.
  • Transparency: ORGANIZATION should be transparent and provide notice to the individual regarding its collection, use, dissemination, and maintenance of personally identifiable information (PII).
  • Individual Participation: ORGANIZATION should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII.  ORGANIZATION should also provide mechanisms for appropriate access, correction, and redress regarding ORGANIZATION’s use of PII.
  • Purpose Specification: ORGANIZATION should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.
  • Data Minimization: ORGANIZATION should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).
  • Use Limitation: ORGANIZATION should use PII solely for the purpose(s) specified in the notice. Sharing PII outside the Department should be for a purpose compatible with the purpose for which the PII was collected.
  • Data Quality and Integrity: ORGANIZATION should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete.
  • Security: ORGANIZATION should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
  • Accountability and Auditing: ORGANIZATION should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.