Four Deadly Traps in Using Information Security Frameworks

Doug Landoll, CEO, Lantego
NTX ISSA Cyber Security Conference (@NTXISSA), April 25, 2015
www.lantego.com | (512) 633-8405 | [email protected]


Session Agenda

• Framework Definition & Uses
• NIST 800-53 Framework Intro & Uses
• Four Traps of Frameworks
• Conclusion

Framework Definition

Framework – a skeletal structure designed to support something.

Security Framework – a structure that helps organize and prioritize an information security program.

Security Framework Uses

Structure
• Organization for the creation or review of an information security program

Reference
• Connection with other frameworks, standards, and requirements

Completeness
• Thorough treatment of security controls

NIST 800-53 Intro: the "FISMA Five"

• FIPS Pub 199: Security Categorization – categorizes the system as Low, Moderate, or High impact
• FIPS Pub 200: Minimum Security Requirements – the security-related areas that become the 800-53 control families (FIPS 200 lists 17; 800-53 adds Program Management for a total of 18)
• NIST SP 800-37: Guide for C&A (now the Risk Management Framework) – the certification & accreditation / authorization process
• NIST SP 800-53: Recommended Security Controls – the catalog of 800+ security controls and control enhancements
• NIST SP 800-53A: Techniques for Verifying Effectiveness – how to assess (audit) the controls

SP 800-53 Catalog of Controls
• Organized and structured set of security controls
• 18 Security Control Families

ID  Family
AC  Access Control
AT  Awareness and Training
AU  Audit and Accountability
CA  Security Assessment and Authorization
CM  Configuration Management
CP  Contingency Planning
IA  Identification and Authentication
IR  Incident Response
MA  Maintenance
MP  Media Protection
PE  Physical and Environmental Protection
PL  Planning
PS  Personnel Security
RA  Risk Assessment
SA  System and Services Acquisition
SC  System and Communications Protection
SI  System and Information Integrity
PM  Program Management*

* PM controls are implemented organization-wide and are not allocated to the Low/Moderate/High system baselines.

SP 800-53 Control Structure

• Each security control has the following sections:
  • Control Ref. # and Name
  • Control Section
  • Supplemental Guidance
  • Control Enhancements
  • References
  • Priority & Baseline Allocation

Control Reference & Name
• Within each security control family are a number of security controls. These controls are numbered: family ID, a dash, and a sequence number.

Ref.  Name
AU-1  Audit and Accountability Policy and Procedures
AU-2  Audit Events
AU-3  Content of Audit Records
AU-4  Audit Storage Capacity
AU-5  Response to Audit Processing Failures
AU-6  Audit Review, Analysis, and Reporting
AU-7  Audit Reduction and Report Generation
AU-8  Time Stamps
AU-9  Protection of Audit Information
…     …

Control Section
• Each security control is described as a requirement (the example below is AU-3 Content of Audit Records).

Control: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

Supplemental Guidance
• Supplemental guidance provides non-prescriptive additional information to guide the definition, development, and implementation of the security control:
  • Operational considerations
  • Mission/business considerations
  • Risk assessment information

Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11.

Control Enhancements
• Control enhancements provide statements of security capability to:
  • Add function/specificity to the control, or
  • Increase the strength of the control.

Control Enhancements (AU-3):

(1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION
The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information].

(2) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT
The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
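The AU-3 control statement and its (1) enhancement read as prose, but they are checkable: each of the six elements (what, when, where, source, outcome, identity) either can or cannot be established from a given audit record. The following is an added example, not code from the deck or from NIST: it maps each AU-3 element to the field names of a hypothetical JSON log schema (the field names and the sample log lines are constructed), reports which elements a record fails to establish, treats an unparseable timestamp as failing "when" (AU-8 is a related control for a reason), and takes an organization-defined list of extra fields to model AU-3(1).

```python
"""AU-3 audit record content check (added example, not from the deck).

Hypothetical JSON log schema: each AU-3 element maps to the field names that
can satisfy it. A record satisfies an element if at least one of the listed
fields is present and non-empty.
"""
import json
from datetime import datetime

AU3_ELEMENTS = {
    "what": ("event_type",),          # what type of event occurred
    "when": ("timestamp",),           # when it occurred (see AU-8 Time Stamps)
    "where": ("host", "component"),   # where it occurred
    "source": ("src_ip", "process"),  # source of the event
    "outcome": ("outcome",),          # success / failure
    "identity": ("user", "subject"),  # individuals or subjects involved
}


def _present(record, field):
    value = record.get(field)
    return value is not None and str(value).strip() != ""


def _valid_timestamp(value):
    # ISO 8601 with an explicit zone; a free-form date cannot be correlated across hosts
    try:
        datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def check_au3(record, extra_fields=()):
    """Return the AU-3 elements a record fails to establish (empty list = compliant).

    extra_fields models AU-3(1): organization-defined additional information.
    """
    missing = [e for e, fields in AU3_ELEMENTS.items()
               if not any(_present(record, f) for f in fields)]
    if "when" not in missing and not _valid_timestamp(record["timestamp"]):
        missing.append("when (unparseable timestamp)")
    missing.extend(f"AU-3(1): {f}" for f in extra_fields if not _present(record, f))
    return missing


def check_log(lines, extra_fields=()):
    """Map 1-based line number -> problems for every record that fails."""
    findings = {}
    for n, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            record = None
        if not isinstance(record, dict):
            findings[n] = ["unparseable record"]
            continue
        problems = check_au3(record, extra_fields)
        if problems:
            findings[n] = problems
    return findings


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    '{"timestamp": "2015-04-25T09:14:03Z", "event_type": "login", "host": "app01", '
    '"src_ip": "10.0.0.5", "outcome": "success", "user": "dlandoll"}',
    '{"timestamp": "2015-04-25T09:14:07Z", "event_type": "file_read", "host": "app01", '
    '"process": "httpd", "user": "www-data"}',
    '{"timestamp": "04/25/2015 09:14", "event_type": "logout", "host": "app01", '
    '"src_ip": "10.0.0.5", "outcome": "success", "user": ""}',
    'Apr 25 09:14:09 app01 sshd[812]: Accepted publickey for ops from 10.0.0.7',
]

if __name__ == "__main__":
    for line_no, problems in check_log(SAMPLE_LOG).items():
        print(f"line {line_no}: {', '.join(problems)}")
```

Run against the constructed lines, the first record passes, the second lacks an outcome, the third has an empty user and a timestamp that cannot be parsed, and the fourth is a syslog line the JSON parser cannot evaluate at all. That last case is the one to watch in a real assessment: a log source that the checker cannot read is not evidence of AU-3 compliance.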


References
• The References section lists applicable documents relevant to the security control:
  • federal laws,
  • Executive Orders,
  • directives,
  • policies,
  • regulations,
  • standards, and
  • guidelines

Priority & Baseline Allocation
• Priority (P1, P2, P3; P0 for controls not selected in any baseline) provides guidance for sequencing implementation decisions
• Baseline Allocation – the starting point for the security control selection process, based on system categorization (Low, Moderate, High)

Each control's allocation table has one column per baseline: LOW | MOD | HIGH

Control Assignment
• Controls may be augmented through assignment and selection options within control statements.
• Assignment: an organization-defined value that the organization fills in

800-53 Example: AU-2 AUDIT EVENTS

The organization: …
(3) AUDIT EVENTS | REVIEWS AND UPDATES
The organization reviews and updates the audited events [Assignment: organization-defined frequency].

Control Selection
• Controls may be augmented through assignment and selection options within control statements.
• Selection: the organization chooses from the options listed in the control statement

800-53 Example: IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION

Control: The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
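An organization "applying" 800-53 has to resolve every Assignment and Selection placeholder, and a control statement with an unresolved placeholder is not yet a requirement anyone can assess. The following added example (not code from the deck or from NIST) parses the bracketed parameter syntax shown in the AU-2(3) and IA-3 examples above, fills each parameter from an organization-defined value table, and refuses to produce a control statement when a value is missing or a selection is not one of the listed options. The control texts are the two from the deck; the organization-defined values and the key format (the parameter body text) are assumptions of this example.

```python
"""Assignment / Selection parameter handling for 800-53 control text.

Added example, not from the deck. Parameter placeholders follow the form used
in the control statements above: [Assignment: ...] and
[Selection (one or more): a; b; c]. The organization-defined values below are
constructed for illustration.
"""
import re

PARAM_RE = re.compile(r"\[(Assignment|Selection)(?:\s*\(([^)]*)\))?:\s*([^\]]+)\]")


def _options(body):
    # 800-53 separates selection options with semicolons; accept commas too
    return [o.strip() for o in re.split(r"[;,]", body) if o.strip()]


def parameters(control_text):
    """List (kind, qualifier, body, options) for every parameter in a control statement."""
    found = []
    for m in PARAM_RE.finditer(control_text):
        kind, qualifier, body = m.group(1), (m.group(2) or "").strip(), m.group(3).strip()
        found.append((kind, qualifier, body, _options(body) if kind == "Selection" else []))
    return found


def instantiate(control_text, values):
    """Fill each parameter from `values` (keyed by the parameter body text).

    Raises KeyError for an unresolved parameter and ValueError for a selection
    outside the listed options, so an unfinished or invented tailoring cannot
    silently become the organization's control statement.
    """
    def fill(m):
        kind, qualifier, body = m.group(1), (m.group(2) or "").strip(), m.group(3).strip()
        if body not in values:
            raise KeyError(f"no organization-defined value for {kind}: {body}")
        chosen = values[body]
        if kind == "Assignment":
            if not isinstance(chosen, str) or not chosen.strip():
                raise ValueError(f"Assignment '{body}' needs a non-empty text value")
            return chosen.strip()
        options = _options(body)
        chosen = [chosen] if isinstance(chosen, str) else list(chosen)
        invalid = [c for c in chosen if c not in options]
        if invalid:
            raise ValueError(f"{invalid} not among selection options {options}")
        if not chosen or ("one or more" not in qualifier and len(chosen) != 1):
            raise ValueError(f"Selection '{body}' ({qualifier or 'one'}) got {chosen}")
        return " or ".join(chosen)

    return PARAM_RE.sub(fill, control_text)


def unresolved(control_text, values):
    """Parameter bodies the organization has not yet defined."""
    return [p[2] for p in parameters(control_text) if p[2] not in values]


# Control statements from the deck's examples (IA-3 and AU-2(3)), with constructed values.
IA3 = ("The information system uniquely identifies and authenticates "
       "[Assignment: organization-defined specific and/or types of devices] "
       "before establishing a [Selection (one or more): local; remote; network] connection.")
AU2_3 = "The organization reviews and updates the audited events [Assignment: organization-defined frequency]."

ORG_VALUES = {
    "organization-defined specific and/or types of devices": "managed laptops and network printers",
    "local; remote; network": ["remote", "network"],
    "organization-defined frequency": "at least annually",
}

if __name__ == "__main__":
    print(instantiate(IA3, ORG_VALUES))
    print(instantiate(AU2_3, ORG_VALUES))
    print("still open:", unresolved(IA3, {}))
```

The `unresolved` list is the useful artifact for an assessor: run over the whole selected control set, it is the list of places where the organization has adopted the framework but not yet applied it.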


Security Controls: Risk-based Process
• NIST:
  • An organizational risk assessment validates the initial security control selection and determines if additional controls are needed.
• Example:
  • System categorization (Standard | Protected in this organization's scheme; Low | Moderate | High in NIST's) determines the initial security control selection.
  • The organizational or system risk assessment provides the rationale for additional, compensating, or deleted security controls relative to the initial selection.
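The two steps above (baseline by categorization, then risk-based adjustment) are mechanical enough to write down, and writing them down is what separates risk-based tailoring from the "tailoring by judgment" trap later in the deck. The following added example (not code from the deck or from NIST) does both: it selects the baseline for a Low/Moderate/High system from a small catalog, sequenced by priority, and then applies risk-assessment decisions, rejecting any add/remove/compensate decision that carries no documented rationale. The catalog is a constructed subset of 800-53 Rev 4 controls with their baseline allocations and priorities; check each entry against the current 800-53 baseline tables before relying on it, and the decisions are invented for illustration.

```python
"""Baseline allocation and risk-based tailoring (added example, not from the deck).

CATALOG is a constructed subset of 800-53 Rev 4 controls with their baseline
allocation and base-control priority; verify any entry against the current
800-53 baseline tables before relying on it.
"""

CATALOG = {
    "AU-2":    {"name": "Audit Events", "priority": 1, "baselines": {"Low", "Moderate", "High"}},
    "AU-2(3)": {"name": "Audit Events | Reviews and Updates", "baselines": {"Moderate", "High"}},
    "AU-3":    {"name": "Content of Audit Records", "priority": 1, "baselines": {"Low", "Moderate", "High"}},
    "AU-3(1)": {"name": "Content of Audit Records | Additional Audit Information", "baselines": {"Moderate", "High"}},
    "AU-3(2)": {"name": "Content of Audit Records | Centralized Management", "baselines": {"High"}},
    "AU-6":    {"name": "Audit Review, Analysis, and Reporting", "priority": 1, "baselines": {"Low", "Moderate", "High"}},
    "AU-7":    {"name": "Audit Reduction and Report Generation", "priority": 2, "baselines": {"Moderate", "High"}},
    "AU-8":    {"name": "Time Stamps", "priority": 1, "baselines": {"Low", "Moderate", "High"}},
    "IA-3":    {"name": "Device Identification and Authentication", "priority": 1, "baselines": {"Moderate", "High"}},
}

ACTIONS = {"add", "remove", "compensate"}


def base_id(control_id):
    """'AU-3(1)' -> 'AU-3'; enhancements inherit the priority of their base control."""
    return control_id.split("(")[0]


def _order(catalog, control_id):
    return (catalog[base_id(control_id)]["priority"], base_id(control_id), control_id)


def baseline(catalog, category):
    """Initial control selection for a Low/Moderate/High system, sequenced by priority."""
    if category not in {"Low", "Moderate", "High"}:
        raise ValueError(f"unknown categorization: {category}")
    chosen = [cid for cid, c in catalog.items() if category in c["baselines"]]
    return sorted(chosen, key=lambda cid: _order(catalog, cid))


def tailor(catalog, selected, decisions):
    """Apply risk-assessment decisions to the initial selection.

    Each decision is {"control", "action", "rationale"[, "compensating_control"]}.
    A decision without a documented rationale (or naming an unknown control) is
    rejected rather than applied, so tailoring is recorded as risk-based, not judgment.
    Returns (final selection, accepted (control, action), rejected (control, reason)).
    """
    final, accepted, rejected = list(selected), [], []
    for d in decisions:
        cid, action = d.get("control"), d.get("action")
        why = (d.get("rationale") or "").strip()
        if cid not in catalog:
            rejected.append((cid, "unknown control"))
        elif action not in ACTIONS:
            rejected.append((cid, f"unknown action {action!r}"))
        elif not why:
            rejected.append((cid, "no documented rationale"))
        elif action == "add":
            if cid not in final:
                final.append(cid)
            accepted.append((cid, action))
        elif action == "remove":
            if cid in final:
                final.remove(cid)
            accepted.append((cid, action))
        else:  # compensate: the original control is replaced by a named catalog control
            comp = d.get("compensating_control")
            if comp not in catalog:
                rejected.append((cid, "compensating control not in catalog"))
                continue
            if cid in final:
                final.remove(cid)
            if comp not in final:
                final.append(comp)
            accepted.append((cid, action))
    return sorted(final, key=lambda c: _order(catalog, c)), accepted, rejected


# Constructed risk-assessment decisions for a Moderate system.
DECISIONS = [
    {"control": "AU-3(2)", "action": "add",
     "rationale": "Audit content is configured on 40 servers; central management keeps AU-3 consistent"},
    {"control": "IA-3", "action": "remove", "rationale": ""},   # judgment only: rejected
    {"control": "AU-7", "action": "compensate", "compensating_control": "AU-6",
     "rationale": "No audit reduction tool this year; raw SIEM exports reviewed weekly under AU-6"},
]

if __name__ == "__main__":
    final, accepted, rejected = tailor(CATALOG, baseline(CATALOG, "Moderate"), DECISIONS)
    print("final:", final)
    print("rejected:", rejected)
```

The `rejected` list is the record an auditor will ask for: it shows that the IA-3 removal was attempted without a rationale and was not applied, which is exactly the evidence that tailoring followed the framework's process rather than someone's preference.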


Framework Uses: NIST 800-53 Example

Structure
• 18 Security Control Families

Reference
• Includes crosswalks (mappings) to ISO 27001 and the Common Criteria (CC, ISO/IEC 15408)
  • CC -> 800-53; 800-53 -> CC
  • ISO 27001 -> 800-53; 800-53 -> ISO 27001

Completeness
• Organizational, Management and Technical Controls

Example Policies Based on the 800-53 Framework

Policy #  Policy Name
P8110  Data Classification
P8120  Information Security Program
P8130  System Security Acquisition
P8210  Security Awareness Training and Education
P8220  System Security Maintenance
P8230  Contingency Planning
P8240  Incident Response Planning
P8250  Media Protection
P8260  Physical Protections
P8270  Personnel Security Control
P9280  Acceptable Use
P8310  Account Management
P8320  Access Control
P8330  System Security Audit
P8340  Identification and Authentication
P8350  System and Communication Protection
P8410  System Privacy

Four Framework Traps

1. False Frameworks
2. Compliance via Assertion
3. Tailoring by Judgment
4. One and Done

False Frameworks

• Regulations and standards are not frameworks:
  • Incomplete, and focused solely on specific data types and security policies
  • HIPAA
  • PCI DSS
• "Industry Best Practices"
  • No available references, not industry recognized, likely incomplete and not structured
  • AKA: our own secret sauce
  • Smoke and mirrors

Compliance via Assertion

• Embracing a framework is step one; declaring compliance at that point, before the steps below are done, is the trap.
• Next steps:
  • Interpret
  • Apply
  • Assess
  • Address gaps

Tailoring by Judgment

• Frameworks are tailorable through an exception process or a risk-based process.
• Tailoring based on gaps, "judgment", and cost (rather than on a documented risk assessment) limits the benefits of a framework.

One and Done

• A security program based on a framework will require maintenance.
• Frameworks get updates:
  • ISO 27001/27002: updated September 2013
  • NIST 800-53: Revision 4, updated April 2013
  • COBIT 5: updated 2012
• Other updates: references, mappings, business & customer requirements
• Reassess regularly

Conclusions

• Determine the appropriate framework for the business
• Add requirements (these are not frameworks)
• Embrace the framework and its tailoring process
• Beware framework traps
• It's just a framework – there is a lot more work to do.

NTX ISSA Cyber Security Conference – April 24-25, 2015

Thank you

The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)