Measurable Security

Metrics are critical for continuous improvement, understanding where you sit in relation to where you need to be. Perhaps you've seen this before. I'm familiar with most of these projects, but this initiative in particular was new to me.

http://measurablesecurity.mitre.org/directory/areas/systemassessment.html

Nice list guys. Cross-posting here.

System Assessment

The narrative text description for this page is currently under development. Please check back later.
In the meantime, standardization efforts in this area of cyber security include the following:

• Common Vulnerabilities and Exposures (CVE)
• Common Weakness Enumeration (CWE)
• Common Weakness Scoring System (CWSS)
• Common Weakness Risk Analysis Framework (CWRAF)
• Common Configuration Enumeration (CCE)
• Common Platform Enumeration (CPE)
• Open Vulnerability and Assessment Language (OVAL)
• Malware Attribute Enumeration and Characterization (MAEC)
• Common Vulnerability Scoring System (CVSS)
• Software Identification (SWID) Tags
• U.S. Federal Desktop Core Configuration (FDCC)
• United States Government Configuration Baseline (USGCB)
• U.S. Defense Information Systems Agency’s (DISA) Security Technical Implementation Guides (STIGS)
• Center for Internet Security (CIS) Benchmarks
• Security Content Automation Protocol (SCAP)

Spreadsheet: FBI Cloud Control Catalog – Appendix A

Here's the spreadsheet version, cleaned up, of the FBI Criminal Justice Information Systems (CJIS) Security Policy - CJIS Cloud Control Catalog.

► Download spreadsheet version here.

HIPAA Technical Control & Assessment Links

Go to the documents tab to find spreadsheet versions of the below.

• NIST HIPAA Security Rule Toolkit
  http://scap.nist.gov/hipaa/
• Security Risk Assessment Tool (SRA Tool)
  https://www.healthit.gov/providers-professionals/security-risk-assessment-tool
• Technical Safeguards [DOCX - 240 KB]
  https://www.healthit.gov/sites/default/files/20140320_sratool_content_-_technical_volume_v1.docx
• Top 10 Tips for Cybersecurity in Health Care
  https://www.healthit.gov/providers-professionals-newsroom/top-10-tips-cybersecurity-health-care

Recent discussions… Capturing some of that here. Some of the more important links to technical assessment information is above. Services are actually easy to build, as long as you simplify the approach. Has everything to do with scope, stating assumptions, and setting expectations.

By the way – yes, I downloaded and reviewed the current version of the HITRUST framework.

On another note, HITECH  has nothing to do with technical controls and is an unfortunate name. It's confusing, but it's entire focus is enforcement – putting teeth into HIPAA using financial penalties as an incentive. Please do not use it out of context.

The Emerging Recognition of Governance

Thank you Verizon. Fantastic report. The authors did a wonderful job and my hat is off to you. Thank you Dark Reading. Thank you twit.

Governance really is THAT important.

Security used to look something like this… https://www.youtube.com/watch?v=D0n8N98mpes. Then organizations started to focus on compliance when Sarbanes-Oxley and in PCI became mandatory and prevalent. Security professionals realized that compliance in and of itself wasn't enough, and the focus shifted to addressing risk. Problem is that people still feel like they are playing Wack-a-Mole. The governance problem started becoming… A problem. It grew geometrically with the number of different new systems, vendors, applications, interconnections, interfaces, and dependencies.

During the lifecycle of the system there are different security and risk challenges that must be solved, such as those described in context of a PCVMR Cycle, which recognizes the importance of maintaining the system over time.

Let's look at operational hygiene, or governance, in the lands of a state security model. You start at the 0 when the system has been validated/authorized for operations. Ideally at that moment in time the system is fully secure without any flaws. You've tested the system against known attacks and established that the system is properly secured to your baselines. Over time, however, the adjusted state for where you should be is a slight trajectory upwards with some growth to recognize changes in security posture/configurations, architecture, design, firmware, patches, control inheritance, additional solutions, etc.

Compare the state of where you should be vs. the day 0 configuration and what you find is that over time you have a greater gap. Let's call this current state vs. secure state gap "drift". The drift/gap gets larger over time, and leaves you susceptible to compromise. Now go back and look at the wonderful statistics the Verizon team put together and read the column in red.

Does compliance = security? Depends. Depends on whether you recognize a properly implemented risk management framework as necessary to meeting the compliance requirements. Depends on whether you recognize compliance requirements must be managed over time. Depends on whether you have the right people who understand, processes that enforce, and tools that execute and track governance of your systems.

8TH Annual Dallas CPA Society Education Conference

May 4, 2012 between 8am and 5pm at the Loews Anatole – The Dallas IIA is joining up with the Dallas CPA society (over 6,800 members!) to provide two topics (50 minutes each) for their 8th annual conference (over 1,200 attendees at last year’s event).  Mr. Greg Estes asked for a cutting edge audit related topic that would appeal to corporate CPAs.

I responded with a track discussion covering cloud computing risks. The goal is to share perspective and understanding of outsourced data management and processing.

Here is the topic submission:

Cloud Computing Introduction and Risk Management

Join us on a journey to discover – and understand – the cloud. We’ll open the discussion with a review of Cloud Computing and what its heralded arrival means for your company or your clients. It’s here to stay and transform data management. The cost reduction, operations impact, and business elasticity are real benefits. However, there are also real, tangible, risk factors to consider. We will exam these risk factors and discuss solutions for managing risk in cloud computing environments. Slides and supplemental information will be posted to www.cloudauditcontrols.com. 

VMware Compliance Checkers

How about something for FREE!

Some people were asking about this today and I thought I would share here.

There are hundreds of compliance tools and checkers on the market. How about these two gems from VMware? Do you have concerns with PCI and environment compliance with the Data Security Standard? How about a free tool from VMware that checks this for you? How about another free tool that checks your environment against their VMware vSphere Hardening Guidelines? Free.

• PCI-DSS Compliance Checker: http://www.vmware.com/products/datacenter-virtualization/pci-compliance-checker/overview.html
• VMware Hardening Guidelines: http://www.vmware.com/products/datacenter-virtualization/vsphere-compliance-checker/overview.html

Common Audit Regulations, Standards, Practices, and Guides

These link to the original information sources.

The Abbreviated List

• Common Regulations and Standards SOX | GLBA | FFIEC | Basel II| FCRA | HIPAA | NERC | NRC | CFAA | FISMA | FRCP | FISCAM |Privacy Act of 1974 | Safe Harbor | NYSE  | PCI-DSS | COSO 
• Audit Practices and Guides | ISO 27001:2005 | ISO/IEC 27002-2005| OGC ITIL | BCI | CobiT | ISACA | AICPA | ISACA | OECD

Cloud Security and GRC: Internal Controls

Environmentally Friendly.

Here's the flow of a security presentation I sometimes use to stimulate thought and focus around controls and how they can be orchestrated, coordinated, to deliver contextually rich information security and cloud auditing relevant views of the environment.

Environmentally Relevant. 

The enormous data set produced by monitoring and management tools delivers useless information if the data isn't comprehensive of the its environment. Several years ago I worked for a Network Access Control (NAC) company. During Proof of Concept demonstrations we often found more devices on the network than the organization thought was possible. It wasn't uncommon to discover 15-20% more than a company thought they had on the network. One particular example found - not kidding - 20,000+ devices more than their estimated 40,000 devices the company thought they had worldwide. Yes, this is extreme. But it's also those experiences that drive my belief you have to know what you have before you can secure it. 

Here is how I summarize action items during discussions around this topic.

Mapping Controls: Challenges, Opportunities, Surfing

One Man's Challenge.

Mapping controls is all the rage (pun) and today's faddish exercise. Come on. You know you want some of that. Can you think of anything more fun than trying to find all of the standards, regulations, vendor guides, best practice documents, and Christmas Cookie recipe books?? How about actually reading them?? And then creating a massive spreadsheet mapping (your best) interpretation of what (you think) might be individual controls across each of them so that you can track your compliance? And... wait for it... just as we're getting started in all of this, don't forget that every good corporate citizen is intimately familiar with the policies you've painstakingly written and tracked back to each authority document.

Is Another Man's Opportunity.

Enter the likes of the IT Unified Compliance Framework (ITUCF) (with their nice snazzy website update over the last year..). Their objective early in the game several years ago was to identify and correlate authority sources and documents from government agencies, standards bodies, and vendors. Massive undertaking. Simply massive. This is the classic case of how to put an elephant to sleep. Read one authority document at at time.

Opportunistic entrepreneurs and vendors created software tools to help manage the C in GRC. Many leverage (license) in whole or part the work of the ITUCF. Some target the entire enterprise, and others only IT. Consider the following from the well respected Michael Rasmussen of Corporate Integrity:

"The GRC software space is vast with numerous vendors.  In fact, in my market models there are over 400 GRC software providers that span 28 primary categories (with numerous sub-categories) of GRC related software.  Nine of these categories encompass components of an enterprise GRC platform (though no vendor does all nine components), 19 of the categories are focused in specific business functions/processes of GRC.  Of the 400 vendors, it is under 50 that market and present themselves in the enterprise GRC domain."

Enjoy the Wave Dude. Enjoy the Wave.

OK - So maybe it's not perfect, or you consider it biased, or have some other stigma that prevents you from enjoying the Magic Carpet Ride that is the Forrester Wave. I personally don't have the time to learn about every technology niche and vendor play. The summaries are fantastic. I've learned to filter the content and appreciate the organization. The best part? Someone else does the work, and the winner of whatever contest is showcased usually pays for your right to view the content. Why? Because they paid someone off? Or because they are thrilled with the results and want to showcase their peer praise to the world? Enjoy the Wave. It's a short ride.

And on the Short List.

The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q4 2011, led by Chris McClean, includes the following vendors: 

ARC Logics, BWise, Compliance 360, Enablon, IBM OpenPages, Mega, Methodware, MetricStream, Protiviti, RSA Archer, SAP, SAS, Thomson Reuters

The Forrester Wave™: IT Governance, Risk, And Compliance Platforms, Q4 2011, led by Chris McClean, includes the following vendors: 

Agiliance, ANXeBusiness, ControlCase, Easy2Comply, Modulo, RSA Archer, Rsam, Symantec

Please note: 

(1) There may be perfectly suited vendors that are NOT on this list because they address your particular market niche, pain point, or existing entrenched people/processes/technologies. 

(2) Plugging my Parent Company, EMC. RSA Archer was the only vendor listed as a Leader in both enterprise and IT GRC tools. I know the product well, know parts of the roadmap, and I really like what I see here. 

(3) Links to the Wave documents lead to RSA because of licensing. No registration required. Just click on the direct link on the right side of the landing page.