Tools approach to automating ISO27002 ISMS Policy aligned continuous monitoring
EnterpriseGRC Solutions participates in the development of content for Cavirin's ARAP product and supports the implementation of this product as a component of Security Architecture. Original article is found on LinkedIn and reposted on http://www.cavirin.com
THE ISO/IEC 27002:2013 CHALLENGE
ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls
You might think that implementing an ISO 27002 ISMS program is fairly straightforward, and even an easy sell to the business and to those supporting the enterprise. After all, Information Security is defined by the C-I-A triad, the most well-known model for security policy development. Who can resist a tried and true C-I-A triad?
- Confidentiality, ensuring that information is only accessible to those authorized to have access
- Integrity, safeguarding the accuracy and completeness of information and processing methods
- Availability, ensuring that authorized users have access to information and associated assets when required
Instead of disparaging everyone who resists the full ISO 27002 ISMS implementation, let's empathize with the sheer willpower and perseverance it takes to drive an organization toward this prestigious achievement.
Here's a diagram that covers common steps to an ISO 27001 readiness and implementation. Put simply, it's a lot of work. One area that should not be difficult is the thing people often fear the most: the implementation of system policy via security controls.
WHAT'S IN IT FOR US?
Reasons to accomplish ISO 27001 certification of your ISMS include that organizations need to demonstrate:
- measured reduction in security events
- ability to satisfy regulatory compliance requirements across multiple industries and foreign nations
- enhanced competitive position in the face of cyber-security threats
- increased security and overall quality in IT systems
ISMS Standard, SIMM 5305-A: Information Technology Management is responsible for oversight … ensuring protection of the state entity’s information assets and state entity compliance with security policies, standards, and procedures.
- Implementing the necessary technical controls to preserve the confidentiality, integrity, and availability of the state entity’s information assets.
- Managing the risks associated with those assets.
- Monitoring for and reporting to the Information Security Officer any actual or attempted security incidents.
ISO is an independent, non-governmental international organization with a membership of 163 national standards bodies.
The ISO 27002 ISMS standard supports technical aspects of ISO/IEC 27002:2013, which gives guidelines for organizational information security standards and practices including the selection, implementation, and management of controls taking into consideration the organization's information security risk environment.
Among its many benefits, the standard enables users to:
- implement commonly accepted information security controls
- further evolve a risk-based approach in developing their own information security management guidelines
- International Standards can help governments and regulators achieve public policy goals
WHY ALIGN WITH ISO/IEC 27002:2013?
Clients gain an advantage by aligning with international standards. The simple act of managing the effectiveness of an Information Security Management System (ISMS) program supports elements of achieving compliance with all of the following laws:
- UK Data Protection Act 1998
- The Computer Misuse Act 1990 (UK)
- Federal Information Security Management Act 2001 (US)
- Gramm‐Leach‐Bliley Act (GLBA) 1999 (US)
- Federal Financial Inst. Examination Council’s (FFIEC) security guidelines (US)
- Sarbanes‐Oxley Act (SOX) 2002 (US)
- State security breach notification laws (e.g. California) (US)
- Health Insurance Portability and Accountability Act (HIPAA) 1996 (US)
GAINING THE MOST FROM YOUR ISMS PROGRAM IMPLEMENTATION
In addition to satisfying multiple aspects in world standards and regulations, the achievement of ISO 27001 certification is recognized for:
- Improved company reputation and image
- Proof of senior management’s commitment to the security of the organization
The effective use of best practices such as the ISMS helps companies to avoid reinventing their own policies and procedures, optimize use of scarce IT resources and reduce the occurrence of major IT risks, such as:
- Project failures
- Wasted investments
- Security breaches
- System crashes
- Failures by service providers to understand and meet customer requirements
Companies embarking on the path of ISO 27001 certification need assistance to establish, monitor, maintain and measure improvement in their ISMS (27002:2013). One key path to a more secure organization is establishing and maintaining secure host baseline configurations.
WHAT IS A SECURE HOST BASELINE?
As identified in the NSA's Slicksheet_SecureHostBaseline_Web "A Secure Host Baseline (SHB) is a pre-configured and security hardened machine-ready image that contains an organization’s common Operating Systems (OS) and application software. SHB images are developed with the latest relevant standards and policies which include a layered security architecture enabling the implementation of best practice mitigation strategies to counter cyber threats... An SHB image can be generated for any OS and common application software used by an organization. The image can be deployed across an office’s host systems to include desktops, laptops, servers, tablets, and mobile devices. This provides administrators with a common core operating picture that makes it easier to identify and isolate anomalies. An SHB simplifies the implementation of robust security practices and technologies such as Application Whitelisting, Host Intrusion Prevention Systems (HIPS), Enhanced Experience Mitigation Toolkit (EMET), and other anti-exploitation capabilities. It also ensures that the security features of each host residing on a network are consistent with the organization’s security policies and directives."
Organizations needing to maintain secure host baselines (SHB) face a considerable challenge. Unless they have an automated compliance platform, they must be prepared to provide continual updates for all hardware and software OS and applications. Without a platform to perform these operations, even a successful SHB deployment leaves IT with the daunting task of maintaining business IT alignment to update all secure host images with every notification for baseline improvement. Longer term, organizations must manage lifecycle and end-of-life timelines for OS and applications to ensure that the security features remain current.
LEVERAGING ISO 27002 ENABLES CLIENTS TO:
- Identify information assets and their associated security requirements
- Assess information security and treat risks according to their relative tolerance
- Select and implement relevant controls to manage or mitigate threats
- Monitor, maintain and improve the effectiveness of controls associated with the organization’s information assets
EnterpriseGRC Solutions recommends using an Automated Risk Analysis Platform (ARAP™). The ARAP methodology assists Chief Risk & Security, as well as IT and DevOps leadership in gathering configuration data used to address their top security and compliance challenges:
- Settings that indicate missing patches for operating systems and applications.
- Monitoring and detecting sensitive data loss (data exfiltration)
- Locating policies that enable weak passwords.
- Lack of logs and audit trails necessary to conduct forensics
- Security validation for new systems
- Missing or outdated anti-malware technology
- Settings that enable encryption of sensitive information in transit
- The information necessary to remediate deficiencies that would otherwise be impossible to manage due to the lack of trained staff maintaining security controls.
COMPLIANCE IN ANY ENVIRONMENT
- Cloud Native platform supporting 12-factor patterns (things like port binding, logs, concurrency…)
- A “hyperplane” of integrated “risk assessment” amongst segmented vulnerability domains
- Works with Private, Hybrid, and Public Clouds
- Supports AWS, Azure, GCP (Google Cloud Platform)
- Manages thousands of out-of-box policies, well curated and certified (SCAP, XCCDF, OVAL)
- Supports current compliance authority (PCI DSS, HIPAA, NIST, SOC2, FedRAMP, CIS Benchmark, DISA, CIS CSC, CSF)
- Is CIS Certified security content (Multiple OS, Docker, AWS Cloud)
- Complies with DISA standards in all aspects of delivery and reported results
- Know the critical assets and who’s responsible for them
- Get everyone involved in cyber-resilience
- Assure they have the knowledge and autonomy to make good decisions
- Be prepared for both unsuccessful AND successful attack
- Prevent a cyber-attack from throwing your organization into complete chaos.
ISO STANDARDS COMPLIANCE
For additional information about standards for security technical implementation guides, visit:
- Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIG) http://iase.disa.mil/stigs
- National Institute of Standards and Technology (NIST)
  - U.S. Government Configuration Guidelines (USGCB) http://usgcb.nist.gov/
  - National Checklist Program (NCP) http://www.nist.gov/itl/csd/scm/ncp.cfm
  - Security Content Automation Protocol (SCAP) http://scap.nist.gov/
- National Security Agency (NSA) Configuration Guides http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/
- National Information Assurance Partnership (NIAP)
  - Protection Profiles (PP) http://www.niap-ccevs.org/pp/
ABOUT CENTER FOR INTERNET SECURITY
The Center for Internet Security, Inc. (CIS) is a 501c3 nonprofit organization focused on enhancing the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration. CIS provides resources that help partners achieve security goals through expert guidance and cost-effective solutions.
DISA, a Combat Support Agency, provides, operates, and assures command and control, information sharing capabilities, and a globally accessible enterprise information infrastructure in direct support to joint warfighters, national level leaders, and other mission and coalition partners across the full spectrum of operations.
ABOUT EnterpriseGRC Solutions
EnterpriseGRC Solutions is empowered to implement governance, security, risk, and compliance automation products and programs, emphasizing system-based policies specific to security settings for secure configuration management. EnterpriseGRC is a women-owned small business offering compliance readiness, Security & GRC tools, Enterprise Security Architecture, Cybersecurity Risk Assessment, and a wide variety of resources for security and GRC technology support. Founded in October of 2002 as Phoenix Business and Systems Process, and rebranded in 2011 as EnterpriseGRC Solutions, the company is positioned to solve an organization's greatest cloud security and cyber challenges. True to its tagline "Simple Solutions to Complex Problems", the company offers pragmatic, remote and on-site web-enabled compliance implementation, training, strategy, management consulting, security and risk management services.
Cavirin is transforming the way IT security manages risk. Founded in 2012, Cavirin’s platform is a purpose-built agent-less solution that deploys quickly to on-premises, cloud, and containerized infrastructures, helping organizations reduce complexity, become agile, and drive dramatic increases in efficiency with their risk and compliance programs. Leveraging continuous visibility and automated assessments, companies are empowered to make the right decisions faster. The Automated Risk Analysis Platform (ARAP) is a security and compliance fabric that provides continuous configuration evaluation with recommendations for alignment to industry standards and best practices, prioritizing systems and risk remediation efforts across complex hybrid IT infrastructures. Offering up-to-the-minute compliance assessments, the adaptive security platform supplies audit-ready evidence as measured by every major regulatory and security best-practice framework.
EnterpriseGRC Solutions provides the mapping of standards to the CIS rules implemented in Cavirin's ARAP. In addition to the automation of detected system configuration controls, EnterpriseGRC Solutions provides the data structure to augment any existing GRC or to supply a simple SharePoint Assessment POC.