We’ve been having a continuous compliance conversation, but did you know that compliance is a fabric that breaks down over time?


Here's a summary of points from this training.

Cybersecurity Mission: Resilience

  • What are our critical assets?
  • Who is responsible for them?
  • Is everyone involved in cyber-resilience? 
  • Do they have the knowledge and autonomy to make good decisions?
  • Are we prepared for when there is a successful attack? 
  • Will there be a tried and tested process to follow or will cyber attack throw our organization into complete chaos?

We’ve been having a continuous compliance conversation

Compliance is a fabric that breaks down over time

There are many threads in compliance fabric

  • Industry – health, finance, consumer, education, government – have different objectives and regulating bodies who impose laws in response to the risks surrounding those objectives
  • Audits, Examinations, Assessments – SOC 2, ISO27001, FFIEC Examination, SOX ITGCC, HIPAA/HITECH compliance, PCI DSS - (people show up, board gets reports, involves public disclosure, can result in criminal charges)
  • Guidance or Guideline - Documents that HELP, explains how to do it – in some cases, guidance supports a policy so it determines “how” we comply.
  • Frameworks – COSO, COBIT, ITIL, NIST 53, Cyber Security Framework, CIS CSC, gives us longitude, latitude (frames how and what we govern)
  • Standards – criteria based best practice, DISA STIGs, CIS Benchmark, SCAP
  • Standards are accepted as best practices, whereas frameworks are practices that are generally employed
  • Standards are specific, while frameworks are general
  • Mandates, Orders, Laws – You must comply (CFR)
  • Families or Domains – people, technologies and processes that we generally consider related
  • Universe – collection of processes associated with tests and controls, grouped by families or domains – used to organize ASSESSMENTS
  • Controls – processes, what we do to enforce and govern, for example “manage change”
  • Tests – how we measure it happened.  A test can have many sub-items, but in aggregation, the set of measures tell us if the control process is effective.  We tie Policy items to Tests.  Tests are in Universe.
  • Policies – what we tell people they must do – usually, they are within ISO27002 ISMS, measured by the ISO27001 assessment. 
  • Policy Items  – (system policy) discrete configuration items

What do we want from a fabric?

  • When it's hot – let us breathe
  • When it's cold – add layers
  • Last a long time – holding shape
  • Tell the world our story and style – reporting, informing, aligning
  • Shrink and Expand – agility, adaptability
  • Provide protection – protect our assets, and us (our business, our reputation, our family)

Before we acquire a fabric, let’s examine what we need

  • Need begins with (industry) risk
  • What are the industries where we see groups of specific types of risk?
  • How do industries describe their risks & controls?

Predominantly, industries use NIST SP800-37 Risk Management Framework – RMF

Risk: What could go wrong?

  • Reputation is a new target for cyber attacks – all industries
  • Criminals value our information  – financial, health, critical infrastructure, all industries
  • Cyber risk is challenging to understand and address; regulation is imposed across all industries
  • The changing pace of technology increases unknown dependency on third parties and shadow IT
  • We cannot trace or control our data
  • The role of government and information custody is often misunderstood

Exercise: Identify a risk that is not in your industry.

What behaviors provide most protection?

  1. Control Administrative Privileges
  2. Limiting Workstation-to-Workstation Communication
  3. Antivirus File Reputation Services
  4. Anti-Exploitation
  5. Host Intrusion Prevention (HIPS) Systems
  6. Secure Baseline Configuration
  7. Web Domain Name System (DNS) Reputation
  8. Take Advantage of Software Improvements
  9. Segregated Networks and Functions
  10. Application Whitelisting

What are the best tools and resources?

Other Cyber Security Must Reads

CSF Process requires analysis of attack surface

All of these industries require asset level cyber security

All industries expect us to provide:

  • Board reports
  • Boss reports
  • Boss’s boss reports
  • Decision support systems
  • Security roadmap
  • Enable business
  • Drive IT Value

As an industry, our sensory system is overwhelmed

We need a fabric

What creates the threads that we can assert?

Ten normative references that totally rock the compliance world

  1. Benchmark – contains both descriptive information and structural information
  2. Group – an item that can hold other items
  3. Item – three types of items: <xccdf:Group>, <xccdf:Rule> and <xccdf:Value>
  4. Model – suggested scoring model for an <xccdf:Benchmark>
  5. Profile – a named tailoring for an <xccdf:Benchmark>
  6. Rule – the description for a single item of guidance or constraint. <xccdf:Rule> elements form the basis for testing a target platform for benchmark compliance
  7. Status – acceptance status of an element with an optional date attribute, which signifies the date of the status change
  8. Tailoring – holds one or more <xccdf:Profile> elements; records additional benchmark tailoring
  9. TestResult – encapsulates the results of a single application of an <xccdf:Benchmark> to a single target platform
  10. Value – a named parameter that can be substituted into properties of other elements within the <xccdf:Benchmark>
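The ten XCCDF elements above fit together in a simple way: a Benchmark holds Values, Groups and Rules; a Profile tailors which Rules are selected and which Value selector applies; a TestResult records outcomes per Rule, which the scoring Model turns into a score. The block below is an added example, not part of the original training or any Cavirin/EnterpriseGRC product: it constructs a minimal, hypothetical XCCDF 1.2 benchmark (every id in it is made up), applies a Profile's select/refine-value tailoring to produce the effective rule set and effective values, and scores constructed rule outcomes with the flat scoring model (sum of weights of passing rules over sum of weights of scored rules).

```python
"""Constructed, minimal XCCDF 1.2 benchmark plus a resolver that applies a
Profile's tailoring (select / refine-value) and a flat-model scorer.
Sample data only: the ids below are hypothetical and this is not a full
XCCDF implementation (no Group inheritance, no extends, no Tailoring files)."""
import xml.etree.ElementTree as ET

NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed benchmark: one Value with two selectors, one Profile, one Group, three Rules.
SAMPLE_BENCHMARK = """<?xml version="1.0"?>
<xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <xccdf:status date="2016-01-01">draft</xccdf:status>
  <xccdf:version>1</xccdf:version>
  <xccdf:Profile id="xccdf_example_profile_strict">
    <xccdf:select idref="xccdf_example_rule_telnet" selected="false"/>
    <xccdf:refine-value idref="xccdf_example_value_pw_min_len" selector="strict"/>
  </xccdf:Profile>
  <xccdf:Value id="xccdf_example_value_pw_min_len" type="number">
    <xccdf:value>8</xccdf:value>
    <xccdf:value selector="strict">14</xccdf:value>
  </xccdf:Value>
  <xccdf:Group id="xccdf_example_group_auth">
    <xccdf:Rule id="xccdf_example_rule_pw_len" selected="true" weight="2.0" severity="medium">
      <xccdf:title>Minimum password length</xccdf:title>
    </xccdf:Rule>
    <xccdf:Rule id="xccdf_example_rule_telnet" selected="true" weight="1.0" severity="high">
      <xccdf:title>Telnet server not installed</xccdf:title>
    </xccdf:Rule>
  </xccdf:Group>
  <xccdf:Rule id="xccdf_example_rule_audit" selected="false" weight="1.0" severity="low">
    <xccdf:title>Audit service enabled</xccdf:title>
  </xccdf:Rule>
</xccdf:Benchmark>
"""


def resolve_profile(xml_text, profile_id=None):
    """Return (effective_rules, effective_values) for a Profile.
    effective_rules maps selected rule id -> weight; effective_values maps
    value id -> the text chosen by the profile's selector (default when none)."""
    root = ET.fromstring(xml_text)
    # Rules may sit at any depth inside Groups, so walk the whole tree.
    rules = {r.get("id"): r for r in root.iter(f"{{{NS['xccdf']}}}Rule")}
    selected = {rid: r.get("selected", "true") == "true" for rid, r in rules.items()}
    values = {}
    for v in root.findall("xccdf:Value", NS):
        # A <value> without a selector attribute is the default choice.
        values[v.get("id")] = {c.get("selector", ""): c.text for c in v.findall("xccdf:value", NS)}
    selectors = {vid: "" for vid in values}
    if profile_id is not None:
        profile = root.find(f"xccdf:Profile[@id='{profile_id}']", NS)
        if profile is None:
            raise KeyError(f"no profile {profile_id}")
        for sel in profile.findall("xccdf:select", NS):
            selected[sel.get("idref")] = sel.get("selected") == "true"
        for rv in profile.findall("xccdf:refine-value", NS):
            selectors[rv.get("idref")] = rv.get("selector")
    effective_values = {vid: choices[selectors[vid]] for vid, choices in values.items()}
    effective_rules = {rid: float(rules[rid].get("weight", "1.0"))
                       for rid, on in selected.items() if on}
    return effective_rules, effective_values


def flat_score(effective_rules, outcomes):
    """Flat scoring model: score is the summed weight of passing rules, maximum is the
    summed weight of all scored rules. Outcomes such as notapplicable, notchecked or
    informational are left out of both sums."""
    scored = {rid: w for rid, w in effective_rules.items()
              if outcomes.get(rid) in ("pass", "fail", "error", "unknown")}
    score = sum(w for rid, w in scored.items() if outcomes[rid] == "pass")
    return score, sum(scored.values())


if __name__ == "__main__":
    rules, values = resolve_profile(SAMPLE_BENCHMARK, "xccdf_example_profile_strict")
    print("strict profile rules:", rules, "values:", values)
    # Constructed outcomes, as a TestResult would carry them per rule.
    print("score:", flat_score(rules, {"xccdf_example_rule_pw_len": "pass"}))
```

Run with no profile id to see the benchmark's own defaults (two rules selected, minimum length 8); with the strict profile the telnet rule is deselected and the refined value becomes 14, which is exactly the "named tailoring" the Profile element exists to express.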

KEY IT Security and Risk resources

Control Correlation Identifiers CCI

  • http://iase.disa.mil/stigs/cci/Pages/index.aspx
  • The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice.
  • CCI bridges the gap between high-level policy expressions and low-level technical implementations. CCI allows a security requirement that is expressed in a high-level policy framework to be decomposed and explicitly associated with the low-level security setting(s) that must be assessed to determine compliance with the objectives of that specific security control.
  • This ability to trace security requirements from their origin (e.g., regulations, IA frameworks) to their low-level implementation allows organizations to readily demonstrate compliance to multiple IA compliance frameworks.
  • CCI also provides a means to objectively rollup and compare related compliance assessment results across disparate technologies.

Open Vulnerability and Assessment Language (OVAL) 

  • OVAL® is an information security community effort to standardize how to assess and report machine state of computer systems.
  • Tools and services that use OVAL for the three steps of system assessment — representing system information, expressing specific machine states, and reporting the results of an assessment — provide enterprises with accurate, consistent, and actionable information so they may improve their security.

Most of us still lack an effective compliance fabric

  • If we constantly fixate on having one standard as the index to all standards, we waste time and are always doing the wrong things in the wrong ways for the wrong results
  • We have to tie configuration guidelines to standards, and standards to risk scenarios + industry + time. 
  • All standards and risks have a shelf life.
  • We use our fabric to sense and avert danger – so when bad’s about to happen, we can get goosebumps
  • What if the elephant in the room could interpret and report cyber security danger?
  • What would we want the elephant to sense?
  • How might danger change over time?
  • Which framework for risk would make the most sense?
  • How might we interpret the elephant’s behavior?
  • What if the elephant implemented unified best practices?

Security controls and best practices drawn from NIST, the Defense Information Systems Agency (DISA), the International Organization for Standardization (ISO), the Control Objectives for Information and Related Technology (COBIT) framework, and the Payment Card Industry Data Security Standard (PCI DSS) include:

  • access control policy
  • continuous monitoring
  • boundary protection
  • event auditing, incident detection and reporting
  • device authentication
  • user authentication
  • data encryption
  • vulnerability scanning
  • track and monitor all resources

NIST SP 800-37 Guidance for continuous monitoring

Elements essential to a successful organization-wide continuous monitoring program:

  • Configuration management and change control – develop processes for organizational information systems, throughout their SDLCs, and with consideration of their operating environments and their role(s) in supporting the organization’s missions and core business processes;
  • Security impact analyses – develop security impact analysis and conduct analyses to monitor for changes to organizational information systems and their environments of operation for any adverse security impact to systems, mission/business and/or organizational functions which said systems support;
  • (Ongoing) assessment of system security controls – assessment frequencies based on an organization-wide continuous monitoring strategy and individual system authorization strategies;
  • Security status monitoring and reporting – communicate accurate and up-to-date security-related information to support ongoing management of information security risks and to enable data-driven risk mitigation decisions with minimal response times and acceptable data latencies;
  • Active involvement of organizational officials; and
  • Comprehensive ISCM strategy.

A comprehensive ISCM strategy encompasses technology, processes, procedures, operating environments, and people.

This strategy includes:

  • Understanding of risk tolerance
  • Metrics that provide meaningful indications of security status at all organizational tiers
  • Continued effectiveness of all security controls
  • Verification of compliance with information security requirements
  • IT asset management
  • Knowledge and control of changes
  • Awareness of threats and vulnerabilities
  • An ISCM program is established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls.

Audit Velocity increases Maturity

  • Old approach: Find a flaw, fix a flaw
  • Better approach: Find flaws and keep prioritized list
  • Best approach: Align vulnerability metrics into a continual service improvement model
  • http://www.fedramp.net/continuous-monitoring-program 
  • Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
  • Please make room for protocol governance

About EnterpriseGRC Solutions and Cavirin

EnterpriseGRC Solutions methodology assisted Cavirin’s Automated Risk Analysis Platform (ARAP) in translating security services into industry-specific compliance objectives. The combined mapping and system policy measurement automation manages the day-to-day challenges of implementing security best practices and assessing operational risk. Leveraging most major compliance and technology frameworks, including those within PCI, CIS, HIPAA, ISO, NIST, DISA, SSAE 16 SOC 2 and more, ARAP offers compliance transparency and actionable reporting across the entire enterprise. The Cavirin solution manages technology risk and compliance. It works in the data center as well as in the cloud, as a single end-to-end compliance fabric, applying the same industry and risk policies to virtually every point in your information supply chain.

Robin Basham, CEO/CISO EnterpriseGRC Solutions, Inc.

Robin Basham, M.Ed, M.IT, CISSP, CISA, CGEIT, CRISC, EnterpriseGRC CEO/CISO, recently served as Cavirin’s Vice President Information Security Risk and Compliance, delivering concrete programs that transform compliance burden into strategic advantage. Robin is a Certified Information Systems Security, Audit, Governance and Risk professional, earning multiple master’s degrees in Technology and Education. She is an Enterprise ICT GRC expert and early adopter in both certifying and offering certification programs for Cloud and Virtualization. Industry experience includes program direction, architecting and management of systems, controls and data for SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education, Defense and High Tech. Robin has held positions in Technology as an Officer at State Street Bank, Lead Process Engineering for a major New England CLEC, and Sr. Director Enterprise Technology for multiple advisory firms. Robin has delivered more than 75 compliance engineering products and has run two governance software companies. Most recently she served as Director Enterprise Compliance for a major player in the mortgage industry, Ellie Mae. Robin’s expertise and knowledge are highly recognized in Boston, Mid-Atlantic, Silicon Valley and East Bay, where she has served hundreds of clients and is a frequent speaker, educator, and board contributor.