@NTXISSA
Four Deadly Traps in Using Information Security Frameworks
Doug Landoll, CEO
Lantego, April 25, 2015
www.lantego.com (512) [email protected]
Session Agenda
• Framework Definition & Uses
• NIST 800-53 Framework Intro & Uses
• Four Traps of Frameworks
• Conclusion
Framework Definition
Framework – skeletal structure designed to support something.
Security Frameworks – structure to help organize and prioritize information security programs.
Security Framework Uses
• Structure – organization for the creation or review of an information security program
• Reference – connection with other frameworks, standards, and requirements
• Completeness – thorough treatment of security controls
NIST 800-53 Intro: “FISMA Five”
• FIPS Pub 199: Security Categorization – system categorized as Low, Moderate, or High
• NIST 800-37: Guide for C&A – Certification & Accreditation process
• FIPS Pub 200: Minimum Security Controls – 18 control families
• NIST 800-53: Recommended Security Controls – 800+ security controls
• NIST 800-53A: Techniques for Verifying Effectiveness – how to audit controls
SP 800-53 Catalog of Controls
• Organized and structured set of security controls
• 18 Security Control Families

ID  Family
AC  Access Control
AT  Awareness and Training
AU  Audit and Accountability
CA  Security Assessment and Authorization
CM  Configuration Management
CP  Contingency Planning
IA  Identification and Authentication
IR  Incident Response
MA  Maintenance
MP  Media Protection
PE  Physical and Environmental Protection
PL  Planning
PS  Personnel Security
RA  Risk Assessment
SA  System and Services Acquisition
SC  System and Communications Protection
SI  System and Information Integrity
PM  Program Management*
SP 800-53 Control Structure
• Security Control Structure:
  • Control Ref. # and Name
  • Control Section
  • Supplemental Guidance
  • Control Enhancements
  • References
  • Priority & Baseline Allocation
Control Reference & Name
• Within each security control family are a number of security controls. These security controls are numbered.

Ref.  Name
AU-1  Audit and Accountability Policy and Procedures
AU-2  Audit Events
AU-3  Content of Audit Records
AU-4  Audit Storage Capacity
AU-5  Response to Audit Processing Failures
AU-6  Audit Review, Analysis, and Reporting
AU-7  Audit Reduction and Report Generation
AU-8  Time Stamps
AU-9  Protection of Audit Information
…     …
Control Section
• Each security control is described as a requirement.

Control: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
Supplemental Guidance
• Supplemental guidance provides non-prescriptive additional information to guide the definition, development, and implementation of the security control:
  • Operational considerations
  • Mission/business considerations
  • Risk assessment information

Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11.
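The AU-3 control statement and its supplemental guidance read as a checklist that audit records can be tested against. The script below is an added example (not from the slide deck or from NIST) that treats the six elements named in the control statement as required fields and two of the supplemental-guidance items (filename, rule invoked) as the organization-defined additional detail under enhancement AU-3(1); the field names and the three sample records are constructed for illustration.

```python
"""Check audit records for the content the AU-3 control statement requires.

Added example, not from the presentation or from NIST. Field names and the
sample records are constructed; the AU-3(1) list stands in for whatever the
organization fills into the [Assignment] in that enhancement.
"""
import json
from typing import Iterable

# The six elements the AU-3 control statement requires in every audit record:
# what type of event, when, where, source, outcome, and identity.
AU3_REQUIRED = ("event_type", "timestamp", "location", "source", "outcome", "identity")

# Constructed organization-defined additional detail for AU-3(1), drawn from the
# supplemental guidance (filenames involved, access/flow control rules invoked).
AU3_1_ADDITIONAL = ("filename", "rule")


def missing_fields(record: dict, required: Iterable[str]) -> list:
    """Return the required keys that are absent or empty in one record."""
    return [k for k in required if record.get(k) in (None, "")]


def assess_records(records: list, enhancement_1: bool = False) -> dict:
    """Assess a batch of records against AU-3 (and AU-3(1) when requested).

    Returns the record count, how many fall short, and the gaps per record index.
    """
    required = AU3_REQUIRED + (AU3_1_ADDITIONAL if enhancement_1 else ())
    gaps = {}
    for index, record in enumerate(records):
        missing = missing_fields(record, required)
        if missing:
            gaps[index] = missing
    return {"total": len(records), "noncompliant": len(gaps), "gaps": gaps}


# Constructed sample records: one complete, one with no identity, one with no outcome.
SAMPLE_RECORDS = [
    {"event_type": "file_read", "timestamp": "2015-04-25T10:00:00Z", "location": "host-a",
     "source": "10.0.0.5", "outcome": "success", "identity": "jdoe", "filename": "/etc/passwd"},
    {"event_type": "login", "timestamp": "2015-04-25T10:01:00Z", "location": "host-a",
     "source": "10.0.0.9", "outcome": "failure"},
    {"event_type": "config_change", "timestamp": "2015-04-25T10:02:00Z", "location": "host-b",
     "source": "console", "identity": "admin", "rule": "sudoers"},
]

if __name__ == "__main__":
    # Base control first, then the same records held to the AU-3(1) enhancement.
    print(json.dumps(assess_records(SAMPLE_RECORDS), indent=2))
    print(json.dumps(assess_records(SAMPLE_RECORDS, enhancement_1=True), indent=2))
```

Run against the base control, the second and third records fail (no identity, no outcome); held to AU-3(1) all three fail, because the complete record carries a filename but no rule. The point for an assessor is that the enhancement changes which records count as compliant, so the assignment value has to be fixed before the logs are reviewed.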
Control Enhancements
• Control enhancements provide statements of security capability to:
  • Add function/specificity to the control, or
  • Increase the strength of the control.

Control Enhancements:
(1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information].
(2) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
References
• References section includes a list of applicable documents relevant to the security control:
  • federal laws,
  • Executive Orders,
  • directives,
  • policies,
  • regulations,
  • standards, and
  • guidelines
Priority & Baseline Allocation
• Priority provides guidance for sequencing decisions
• Baseline Allocation – starting point for the security control selection process based on system categorization (Low, Moderate, High)
(Baseline allocation columns: LOW | MOD | HIGH)
Control Assignment
• Controls may be augmented through assignment and selection options within control statements.
• Assignment: Organizationally defined

800-53 Example:
AU-2 AUDIT EVENTS
The organization: …(3) AUDIT EVENT | REVIEWS AND UPDATES The organization reviews and updates the audited events [Assignment: organization-defined frequency].
Control Selection
• Controls may be augmented through assignment and selection options within control statements.
• Selection: Organizationally defined

800-53 Example:
IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
Control: The information system uniquely identifies and authenticates [Assignment: organizational defined specific and/or types of devices] before establishing a [Selection (one or more): local, remote, network] connection.
Security Controls: Risk-based Process
• NIST:
  • An organizational risk assessment validates the initial security control selection and determines if additional controls are needed.
• Example:
  • System categorization (Standard | Protected) determines initial security control selection.
  • Organizational | System risk assessment provides rationale for additional, compensating, or deleted security controls from initial selection.
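The baseline allocation, the assignment/selection parameters, and the risk-based tailoring step above fit together as one procedure: categorize, select the baseline, fill in the organization-defined parameters, then tailor with a documented rationale. The script below is an added example (not from the presentation or from NIST) of that procedure. The baseline table, the parameter values, the IA-3 template text, and the tailoring decisions are constructed for illustration; the real allocations and assignments come from the SP 800-53 catalog and the organization's own risk assessment. It also shows the check that guards against the "tailoring by judgment" trap: a control cannot be dropped or replaced without a risk-assessment rationale.

```python
"""Select an initial control baseline from the system categorization, fill in
organization-defined parameters, and tailor through a documented risk process.

Added example, not from the presentation or from NIST. BASELINE, PARAMETERS
and IA3_TEMPLATE are constructed stand-ins for catalog and organizational data.
"""
from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")

# Constructed baseline allocation: control -> lowest impact level that includes it.
BASELINE = {
    "AU-2": "LOW",           # Audit Events
    "AU-3": "LOW",           # Content of Audit Records
    "AU-3(1)": "MODERATE",   # Additional Audit Information (enhancement)
    "AU-3(2)": "HIGH",       # Centralized Management of Planned Audit Record Content
    "IA-3": "MODERATE",      # Device Identification and Authentication
}

# Constructed organization-defined [Assignment] and [Selection] values.
PARAMETERS = {
    "AU-2(3)": {"frequency": "annually"},
    "IA-3": {"devices": "all network-attached devices", "connection": ["network", "remote"]},
}

# IA-3 control statement with its assignment/selection slots as template fields.
IA3_TEMPLATE = ("The information system uniquely identifies and authenticates {devices} "
                "before establishing a {connection} connection.")


@dataclass
class TailoringRecord:
    """One tailoring decision; rationale must cite the risk assessment that justifies it."""
    control: str
    action: str            # "remove" or "compensate"
    rationale: str
    compensating: str = ""


def select_baseline(categorization: str) -> set:
    """Initial selection: every control allocated at or below the system's level."""
    if categorization not in LEVELS:
        raise ValueError(f"unknown categorization: {categorization}")
    rank = LEVELS.index(categorization)
    return {c for c, level in BASELINE.items() if LEVELS.index(level) <= rank}


def fill_parameters(template: str, params: dict) -> str:
    """Resolve [Assignment]/[Selection] slots; multi-valued selections are joined."""
    values = {k: ", ".join(v) if isinstance(v, list) else v for k, v in params.items()}
    return template.format_map(values)


def tailor(selected: set, decisions: list) -> dict:
    """Apply tailoring decisions, rejecting any that lack a documented rationale."""
    controls = set(selected)
    compensating = {}
    for d in decisions:
        if not d.rationale.strip():
            raise ValueError(f"{d.control}: tailoring without a risk-assessment rationale")
        if d.control not in controls:
            raise ValueError(f"{d.control}: not in the selected baseline")
        if d.action == "remove":
            controls.discard(d.control)
        elif d.action == "compensate":
            controls.discard(d.control)
            compensating[d.control] = d.compensating
        else:
            raise ValueError(f"{d.control}: unknown action {d.action!r}")
    return {"controls": controls, "compensating": compensating}


def is_rejected(selected: set, decisions: list) -> bool:
    """True when tailor() refuses the decisions (used to test the guard)."""
    try:
        tailor(selected, decisions)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base = select_baseline("MODERATE")
    print("initial selection:", sorted(base))
    print(fill_parameters(IA3_TEMPLATE, PARAMETERS["IA-3"]))
    # Constructed decision: IA-3 replaced by a compensating control, with rationale cited.
    decision = TailoringRecord("IA-3", "compensate",
                               "risk assessment RA-2015-04: devices on segmented network",
                               compensating="network ACLs at segment boundary")
    print(tailor(base, [decision]))
    # Judgment-only tailoring (empty rationale) is refused.
    print("rejected:", is_rejected(base, [TailoringRecord("AU-2", "remove", "")]))
```

The guard in `tailor()` is the operational form of the slide's point: a gap, a cost objection, or an opinion is not a rationale; the decision has to reference the risk assessment that validated the selection, and a compensating control has to be named when one is substituted.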
Framework Uses: NIST 800-53 Example
• Structure – 18 Security Control Families
• Reference – includes crosswalks to ISO 27001 & CC
  • CC -> 800-53; 800-53 -> CC
  • ISO 27001 -> 800-53; 800-53 -> ISO 27001
• Completeness – Organizational, Management and Technical Controls
Example Policies Based on 800-53 Framework

Policy #  Policy Name
P8110     Data Classification
P8120     Information Security Program
P8130     System Security Acquisition
P8210     Security Awareness Training and Education
P8220     System Security Maintenance
P8230     Contingency Planning
P8240     Incident Response Planning
P8250     Media Protection
P8260     Physical Protections
P8270     Personnel Security Control
P9280     Acceptable Use
P8310     Account Management
P8320     Access Control
P8330     System Security Audit
P8340     Identification and Authentication
P8350     System and Communication Protection
P8410     System Privacy
Four Framework Traps
1. False Frameworks
2. Compliance via Assertion
3. Tailoring by Judgment
4. One and Done
False Frameworks
• Regulations and Standards are not Frameworks:
  • Incomplete and focus solely on specific data and security policies
  • HIPAA
  • PCI DSS
• “Industry Best Practices”
  • No available references, not industry recognized, likely incomplete and not structured.
  • AKA: Our own secret sauce
  • Smoke and Mirrors
Compliance via Assertion
• Embracing a Framework is step one.
• Next Steps
  • Interpret
  • Apply
  • Assess
  • Address gaps
Tailoring by Judgment
• Frameworks are tailorable through an exception process or a risk-based process.
• Tailoring based on gaps, “judgment”, and cost limits the benefits of a framework.
One and Done
• A security program based on a framework will require maintenance
• Frameworks get updates
  • ISO 27001/2: Updated Sept 2013
  • NIST 800-53: Updated April 2013
  • COBIT 5: Updated 2012
• Other Updates
  • References, Mappings, Business & Customer Requirements
• Reassess regularly
Conclusions
• Determine appropriate framework for the business
• Add requirements (these are not frameworks)
• Embrace the framework and its tailoring process
• Beware framework traps
• It’s just a framework – there is a lot more work to do.