Critical Controls for Safety and Soundness: Financial Institutions
8/4/2017 E Baker Law Firm PLLC
Critical Controls for Financial Institutions

Security and cyber-security is an ongoing, continuous process for financial institutions. There is no “one and done” security fix, since business and technology are constantly evolving. Employees, customers, vendors, products, services, software, and hardware all affect a company’s security system on a day-to-day basis.
Internal Critical Controls – Why?
1. Where are your documents / data stored?
2. How are documents / data transmitted?
3. What is connected to your operating systems and networks?
4. Who has access, and to what?
5. What automated processes and systems are in place to continuously detect, remediate and minimize losses?
6. Can your answers to the above be verified and demonstrated as effective?
The Basics of Critical Controls

Get Started:
▫ Clarify what your Company is trying to protect
▫ Review the gaps or deficiencies which have already been identified
▫ Prioritize your Company’s to-do list
▫ Identify what can be automated (controls, monitoring and testing controls)
Security Lifecycle:
• Identify & Inventory
• Assess, Test & Monitor
• Remediate & Prevent
• Report
Identification & Inventory (Identify):
• People
▫ Employees
▫ 3rd Party Vendors
▫ Others
• Systems
▫ Hardware
▫ Software / 3rd party apps
▫ Network (Data Maps)
• Contracts & Reports
▫ 3rd Party Contracts
▫ Internal (Audit / Compliance)
▫ External (Regulators)
▫ Strategic Plan & Project Development
• Processes / Policies
▫ Enterprise Wide
▫ Departmental
▫ Industry specific
▫ Laws & Reg. Guidance
Assess & Monitor

Assess, Monitor & Re-assess:
• Modifications
▫ New Employees
▫ New Products / Services
▫ New Vendors
▫ New Systems – hard/software
▫ New Processes / Policies
• Testing
▫ Penetration
▫ Vulnerability Scan
▫ Process Workflow
▫ Configuration (Network, Hardware, Software)
▫ Access Authority
• Review
▫ Audit Findings
▫ Breaches / Losses
▫ Process Compliance
▫ 3rd Party Vendor Security / Access
▫ Performance Metrics
• Compliance
▫ Industry Standards
▫ Policy / Procedures
▫ Reg. Guidance
▫ Laws
Remediation & Prevention

Remediation:
• Modifications
▫ New Employees
▫ New Products / Services
▫ New Vendors
▫ New Systems – hard/software
▫ New Processes / Policies
• Testing
▫ Penetration
▫ Vulnerability Scan
▫ Process Workflow
▫ Configuration (Network, Hardware, Software)
▫ Access Authority
• Review
▫ Audit Findings
▫ Breaches / Losses
▫ Process Compliance
▫ 3rd Party Vendor Security / Access
▫ Performance Metrics
• Compliance
▫ Industry Standards
▫ Policy / Procedures
▫ Reg. Guidance
▫ Laws
Four Basic Principles
• Priorities
▫ What are the current critical security risks
▫ Add “good to have” later
• Implementation
▫ Take action (it doesn’t have to be the best or most complete, just get started)
▫ Develop specific, practical steps on implementation
▫ Assist those departments who are just starting as well as enhancing those which have identified controls in place
• Sustain and Maintain
▫ Create a team that will show up and advocate
▫ Create resources to assist in supporting and training
▫ Identify and address issues promptly
• Align and Integrate
▫ Complement and enhance co-existence with other existing processes
▫ Recognize that each department may need different controls given their specific product, service, risks
20 Top Critical Security Controls
1. Inventory Devices (Hardware) – Authorized and Unauthorized – identify vulnerabilities, access, data map
2. Inventory Software - Authorized and Unauthorized – identify vulnerabilities to performance, access
3. Secure Configurations - Hardware and Software
4. Assess and Remediate – assess and re-assess identified vulnerabilities
5. Install Malware Defenses
6. Software – manage security lifecycle of software to prevent, detect and correct weaknesses
7. Wireless Access – monitor and control
8. Data Recovery Capability - establish, test and update
9. Training – develop, review, assess, identify and remediate gaps in security
10. Security Configuration of Network Devices - establish, implement and manage
11. Network Ports – limit and control
12. Administrative Privileges – control, document and keep updated
13. Boundary defenses – detect, prevent, correct transfer of information across networks
14. Audit Logs – maintain, monitor, analyze to detect, understand, prevent and recover from attack
15. Control access to critical assets on need to know/need to have basis
16. Account - monitor and control system and application accounts (creation, use, dormancy, termination)
17. Data protection – identify and monitor the processes and tools used to prevent, mitigate, and ensure
18. Incident response and management – develop and implement Incident Response Team & Plan
19. Secure Network Engineering – specify, design and build in features in all system operations
20. Test – simulate penetration and red team exercises to ensure knowledge and efficacy of tools & processes
8/4/2017E Baker Law Firm PLLC

Más contenido relacionado

La actualidad más candente

Preparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident ResponsePreparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident ResponseBrian Honan
 
Outsourcing Security Management
Outsourcing Security ManagementOutsourcing Security Management
Outsourcing Security ManagementNick Krym
 
IT Security Incident Response for Nonprofits
IT Security Incident Response for NonprofitsIT Security Incident Response for Nonprofits
IT Security Incident Response for NonprofitsCommunity IT Innovators
 
Audit Practice at CipherTechs
Audit Practice at CipherTechsAudit Practice at CipherTechs
Audit Practice at CipherTechsMordecai Kraushar
 
Why web application security is important in every step of web application de...
Why web application security is important in every step of web application de...Why web application security is important in every step of web application de...
Why web application security is important in every step of web application de...Alisha Henderson
 
Community IT - Crafting Nonprofit IT Security Policy
Community IT - Crafting Nonprofit IT Security PolicyCommunity IT - Crafting Nonprofit IT Security Policy
Community IT - Crafting Nonprofit IT Security PolicyCommunity IT Innovators
 
ISO 27001 INFORMATION TECHNOLOGY MANAGEMENT SYSTEM
ISO 27001 INFORMATION TECHNOLOGY MANAGEMENT SYSTEMISO 27001 INFORMATION TECHNOLOGY MANAGEMENT SYSTEM
ISO 27001 INFORMATION TECHNOLOGY MANAGEMENT SYSTEMRozil Anwar
 
Building HIPAA Compliance in service delivery teams
Building HIPAA Compliance in service delivery teamsBuilding HIPAA Compliance in service delivery teams
Building HIPAA Compliance in service delivery teamsGaurav Garg
 
Lunch and Learn: June 29, 2010
Lunch and Learn: June 29, 2010Lunch and Learn: June 29, 2010
Lunch and Learn: June 29, 2010prevalentnetworks
 
Prioritized Approach Twenty Critical Controls 2008
Prioritized Approach Twenty Critical Controls 2008Prioritized Approach Twenty Critical Controls 2008
Prioritized Approach Twenty Critical Controls 2008Donald E. Hester
 
Alert Logic - Corporate Overview
Alert Logic - Corporate OverviewAlert Logic - Corporate Overview
Alert Logic - Corporate Overviewbmiller144
 
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss ProtectionGabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protectioncentralohioissa
 
iSQI Certification Days ISTQB Advanced Dr. Frank Simon
iSQI Certification Days ISTQB Advanced Dr. Frank SimoniSQI Certification Days ISTQB Advanced Dr. Frank Simon
iSQI Certification Days ISTQB Advanced Dr. Frank SimonIevgenii Katsan
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security TestingPECB
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunityamiable_indian
 
Legal Compliance Software | Compliance Management
Legal Compliance Software | Compliance Management Legal Compliance Software | Compliance Management
Legal Compliance Software | Compliance Management Chetu
 
Infosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSPInfosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSPHuntsman Security
 

La actualidad más candente (20)

Preparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident ResponsePreparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident Response
 
Outsourcing Security Management
Outsourcing Security ManagementOutsourcing Security Management
Outsourcing Security Management
 
IT Security Incident Response for Nonprofits
IT Security Incident Response for NonprofitsIT Security Incident Response for Nonprofits
IT Security Incident Response for Nonprofits
 
Audit Practice at CipherTechs
Audit Practice at CipherTechsAudit Practice at CipherTechs
Audit Practice at CipherTechs
 
Why web application security is important in every step of web application de...
Why web application security is important in every step of web application de...Why web application security is important in every step of web application de...
Why web application security is important in every step of web application de...
 
Community IT - Crafting Nonprofit IT Security Policy
Community IT - Crafting Nonprofit IT Security PolicyCommunity IT - Crafting Nonprofit IT Security Policy
Community IT - Crafting Nonprofit IT Security Policy
 
ISO 27001 INFORMATION TECHNOLOGY MANAGEMENT SYSTEM
ISO 27001 INFORMATION TECHNOLOGY MANAGEMENT SYSTEMISO 27001 INFORMATION TECHNOLOGY MANAGEMENT SYSTEM
ISO 27001 INFORMATION TECHNOLOGY MANAGEMENT SYSTEM
 
ISS CAPSTONE TEAM
ISS CAPSTONE TEAMISS CAPSTONE TEAM
ISS CAPSTONE TEAM
 
Building HIPAA Compliance in service delivery teams
Building HIPAA Compliance in service delivery teamsBuilding HIPAA Compliance in service delivery teams
Building HIPAA Compliance in service delivery teams
 
JASM Flyer
JASM FlyerJASM Flyer
JASM Flyer
 
Lunch and Learn: June 29, 2010
Lunch and Learn: June 29, 2010Lunch and Learn: June 29, 2010
Lunch and Learn: June 29, 2010
 
Prioritized Approach Twenty Critical Controls 2008
Prioritized Approach Twenty Critical Controls 2008Prioritized Approach Twenty Critical Controls 2008
Prioritized Approach Twenty Critical Controls 2008
 
Alert Logic - Corporate Overview
Alert Logic - Corporate OverviewAlert Logic - Corporate Overview
Alert Logic - Corporate Overview
 
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss ProtectionGabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
 
iSQI Certification Days ISTQB Advanced Dr. Frank Simon
iSQI Certification Days ISTQB Advanced Dr. Frank SimoniSQI Certification Days ISTQB Advanced Dr. Frank Simon
iSQI Certification Days ISTQB Advanced Dr. Frank Simon
 
SanerNow Patch Management
SanerNow Patch ManagementSanerNow Patch Management
SanerNow Patch Management
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security Testing
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
 
Legal Compliance Software | Compliance Management
Legal Compliance Software | Compliance Management Legal Compliance Software | Compliance Management
Legal Compliance Software | Compliance Management
 
Infosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSPInfosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSP
 

Similar a Identifying critical security controls

Cyber crime with privention
Cyber crime with privention Cyber crime with privention
Cyber crime with privention Manish Dixit Ceh
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offeringeeaches
 
OpenText Security Health Check Service
OpenText Security Health Check ServiceOpenText Security Health Check Service
OpenText Security Health Check ServiceMarc St-Pierre
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing ProfessionalsTechWell
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...abhichowdary16
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
Fundamental Of Testing
Fundamental Of TestingFundamental Of Testing
Fundamental Of Testingsuci maisaroh
 
Overcoming the Challenges of Conducting a SRA
Overcoming the Challenges of Conducting a SRAOvercoming the Challenges of Conducting a SRA
Overcoming the Challenges of Conducting a SRAMatt Moneypenny
 
IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...
IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...
IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...cveiga12
 
CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...
CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...
CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...cveiga12
 
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docxCMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docxclarebernice
 
An introduction to Cyber Essentials
An introduction to Cyber EssentialsAn introduction to Cyber Essentials
An introduction to Cyber EssentialsJisc
 
Technology Audit | IT Audit | ERP Audit | Database Security
Technology Audit | IT Audit | ERP Audit | Database Security Technology Audit | IT Audit | ERP Audit | Database Security
Technology Audit | IT Audit | ERP Audit | Database Security Arish Roy
 
Security Testing In The Secured World
Security Testing In The Secured WorldSecurity Testing In The Secured World
Security Testing In The Secured WorldJennifer Mary
 
CMIT 321 Executive Proposal ProjectThe purpose of this project is .docx
CMIT 321 Executive Proposal ProjectThe purpose of this project is .docxCMIT 321 Executive Proposal ProjectThe purpose of this project is .docx
CMIT 321 Executive Proposal ProjectThe purpose of this project is .docxfathwaitewalter
 
CMIT 321 Executive Proposal ProjectThe purpose of this project is .docx
CMIT 321 Executive Proposal ProjectThe purpose of this project is .docxCMIT 321 Executive Proposal ProjectThe purpose of this project is .docx
CMIT 321 Executive Proposal ProjectThe purpose of this project is .docxdrennanmicah
 

Similar a Identifying critical security controls (20)

Cyber crime with privention
Cyber crime with privention Cyber crime with privention
Cyber crime with privention
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offering
 
OpenText Security Health Check Service
OpenText Security Health Check ServiceOpenText Security Health Check Service
OpenText Security Health Check Service
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing Professionals
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
Security audit
Security auditSecurity audit
Security audit
 
Fundamental Of Testing
Fundamental Of TestingFundamental Of Testing
Fundamental Of Testing
 
Overcoming the Challenges of Conducting a SRA
Overcoming the Challenges of Conducting a SRAOvercoming the Challenges of Conducting a SRA
Overcoming the Challenges of Conducting a SRA
 
IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...
IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...
IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...
 
CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...
CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...
CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...
 
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docxCMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security Audit
 
An introduction to Cyber Essentials
An introduction to Cyber EssentialsAn introduction to Cyber Essentials
An introduction to Cyber Essentials
 
Inspace technologies
Inspace technologiesInspace technologies
Inspace technologies
 
Technology Audit | IT Audit | ERP Audit | Database Security
Technology Audit | IT Audit | ERP Audit | Database Security Technology Audit | IT Audit | ERP Audit | Database Security
Technology Audit | IT Audit | ERP Audit | Database Security
 
Security Testing In The Secured World
Security Testing In The Secured WorldSecurity Testing In The Secured World
Security Testing In The Secured World
 
Security policies
Security policiesSecurity policies
Security policies
 
CMIT 321 Executive Proposal ProjectThe purpose of this project is .docx
CMIT 321 Executive Proposal ProjectThe purpose of this project is .docxCMIT 321 Executive Proposal ProjectThe purpose of this project is .docx
CMIT 321 Executive Proposal ProjectThe purpose of this project is .docx
 
CMIT 321 Executive Proposal ProjectThe purpose of this project is .docx
CMIT 321 Executive Proposal ProjectThe purpose of this project is .docxCMIT 321 Executive Proposal ProjectThe purpose of this project is .docx
CMIT 321 Executive Proposal ProjectThe purpose of this project is .docx
 

Más de Elizabeth Baker, JD, CRCMP

Más de Elizabeth Baker, JD, CRCMP (12)

EU GDPR (training)
EU GDPR (training)  EU GDPR (training)
EU GDPR (training)
 
AML BSA - GAMING INDUSTRY
AML BSA - GAMING INDUSTRYAML BSA - GAMING INDUSTRY
AML BSA - GAMING INDUSTRY
 
The intersection of the practice of law and compliance
The intersection of the practice of law and complianceThe intersection of the practice of law and compliance
The intersection of the practice of law and compliance
 
MiFID II – 2018 compliance deadline looms
MiFID II – 2018 compliance deadline loomsMiFID II – 2018 compliance deadline looms
MiFID II – 2018 compliance deadline looms
 
Complying with HIPAA Privacy Rule
Complying with HIPAA Privacy RuleComplying with HIPAA Privacy Rule
Complying with HIPAA Privacy Rule
 
HOA Liens – Washington
HOA Liens – WashingtonHOA Liens – Washington
HOA Liens – Washington
 
Corporate Workflow Process - Complaints and Legal Matters (illustration)
Corporate Workflow Process - Complaints and Legal Matters (illustration)Corporate Workflow Process - Complaints and Legal Matters (illustration)
Corporate Workflow Process - Complaints and Legal Matters (illustration)
 
BSA/AML in the USA and AML/CTF in the Caymans
BSA/AML in the USA and AML/CTF in the CaymansBSA/AML in the USA and AML/CTF in the Caymans
BSA/AML in the USA and AML/CTF in the Caymans
 
Third Party Vendor Contract – Risk Management
Third Party Vendor Contract – Risk ManagementThird Party Vendor Contract – Risk Management
Third Party Vendor Contract – Risk Management
 
Banking regulations – risk management
Banking regulations – risk managementBanking regulations – risk management
Banking regulations – risk management
 
Managing employee risk
Managing employee riskManaging employee risk
Managing employee risk
 
3 Step Contract Management System
3 Step Contract Management System 3 Step Contract Management System
3 Step Contract Management System
 

Último

Navigating the Legal and Ethical Landscape of Blockchain Investigation.pdf
Navigating the Legal and Ethical Landscape of Blockchain Investigation.pdfNavigating the Legal and Ethical Landscape of Blockchain Investigation.pdf
Navigating the Legal and Ethical Landscape of Blockchain Investigation.pdfMilind Agarwal
 
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptxKEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptxRRR Chambers
 
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...Finlaw Associates
 
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersPhilippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersJillianAsdala
 
ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the  indian constitution.ARTICLE 370 PDF about the  indian constitution.
ARTICLE 370 PDF about the indian constitution.tanughoshal0
 
一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理Airst S
 
The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...James Watkins, III JD CFP®
 
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Dr. Oliver Massmann
 
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理bd2c5966a56d
 
COPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptxCOPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptxRRR Chambers
 
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategySmarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategyJong Hyuk Choi
 
Clarifying Land Donation Issues Memo for
Clarifying Land Donation Issues Memo forClarifying Land Donation Issues Memo for
Clarifying Land Donation Issues Memo forRoger Valdez
 
589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdfSUSHMITAPOTHAL
 
CAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsCAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsAurora Consulting
 
PPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptxPPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptxRRR Chambers
 
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理Airst S
 
Code_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptCode_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptJosephCanama
 
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptxIBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptxRRR Chambers
 
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURYA SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURYJulian Scutts
 
Contract law. Indemnity
Contract law.                     IndemnityContract law.                     Indemnity
Contract law. Indemnitymahikaanand16
 

Último (20)

Navigating the Legal and Ethical Landscape of Blockchain Investigation.pdf
Navigating the Legal and Ethical Landscape of Blockchain Investigation.pdfNavigating the Legal and Ethical Landscape of Blockchain Investigation.pdf
Navigating the Legal and Ethical Landscape of Blockchain Investigation.pdf
 
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptxKEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
 
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
 
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersPhilippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
 
ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the  indian constitution.ARTICLE 370 PDF about the  indian constitution.
ARTICLE 370 PDF about the indian constitution.
 
一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理
 
The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...
 
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
 
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
 
COPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptxCOPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptx
 
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategySmarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
 
Clarifying Land Donation Issues Memo for
Clarifying Land Donation Issues Memo forClarifying Land Donation Issues Memo for
Clarifying Land Donation Issues Memo for
 
589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf
 
CAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsCAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction Fails
 
PPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptxPPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptx
 
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
 
Code_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptCode_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.ppt
 
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptxIBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
 
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURYA SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
 
Contract law. Indemnity
Contract law.                     IndemnityContract law.                     Indemnity
Contract law. Indemnity
 

Identifying critical security controls

  • 1. Critical Controls for Safety and Soundness Financial Institutions 8/4/2017E Baker Law Firm PLLC
  • 2. Critical Controls for Financial Institutions Security and Cyber-security is a ongoing continuous process for Financial Institutions. There is no “one and done” security fix since business and technology are constantly evolving. Employees, customers, vendors, products, services, software, and hardware all affect and effect a company’s security system on a day-to-day basis. 8/4/2017E Baker Law Firm PLLC
  • 3. Internal Critical Controls – Why? 1. Where are your documents / data stored? 2. How are documents / data transmitted? 3. What is connected to your operating systems and networks? 4. Who has access and to what? 5. What automated processes and systems are in place to continuously detect, remediate, minimize losses? 6. Can your answers to the above be verified and demonstrated as effective? 8/4/2017E Baker Law Firm PLLC
  • 4. The Basics of Critical Controls Get Started: ▫ Clarify what your Company is trying to protect ▫ Review the gaps or deficiencies which have already been identified ▫ Prioritize your Company’s to do list ▫ Identify what can be automated (controls, monitoring and testing controls) 8/4/2017E Baker Law Firm PLLC
  • 5. Security Lifecycle:
     Identify & Inventory → Assess, Test & Monitor → Remediate & Prevent → Report → (repeat)
  • 6. Identification & Inventory:
     Identify
     ▫ People: Employees; 3rd Party Vendors; Others
     ▫ Systems: Hardware; Software / 3rd party apps; Network (Data Maps)
     ▫ Contracts & Reports: 3rd Party Contracts; Internal (Audit / Compliance); External (Regulators); Strategic Plan & Project Development
     ▫ Processes / Policies: Enterprise Wide; Departmental; Industry specific; Laws & Reg. Guidance
  • 7. Assess & Monitor
     Assess, Monitor & Re-assess
     ▫ Modifications: New Employees; New Products / Services; New Vendors; New Systems – hard/software; New Processes / Policies
     ▫ Testing: Penetration; Vulnerability Scan; Process Workflow; Configuration (Network, Hardware, Software, Access Authority)
     ▫ Review: Audit Findings; Breaches / Losses; Process Compliance; 3rd Party Vendor Security / Access; Performance Metrics
     ▫ Compliance: Industry Standards; Policy / Procedures; Reg. Guidance; Laws
  • 8. Remediation & Prevention
     Remediation
     ▫ Modifications: New Employees; New Products / Services; New Vendors; New Systems – hard/software; New Processes / Policies
     ▫ Testing: Penetration; Vulnerability Scan; Process Workflow; Configuration (Network, Hardware, Software, Access Authority)
     ▫ Review: Audit Findings; Breaches / Losses; Process Compliance; 3rd Party Vendor Security / Access; Performance Metrics
     ▫ Compliance: Industry Standards; Policy / Procedures; Reg. Guidance; Laws
  • 9. Four Basic Principles
     • Priorities
       ▫ What are the current critical security risks
       ▫ Add “good to have” later
     • Implementation
       ▫ Take action (it doesn’t have to be the best or most complete, just get started)
       ▫ Develop specific, practical steps on implementation
       ▫ Assist those departments who are just starting as well as enhancing those which have identified controls in place
     • Sustain and Maintain
       ▫ Create a team that will show up and advocate
       ▫ Create resources to assist in supporting and training
       ▫ Identify and address issues promptly
     • Align and Integrate
       ▫ Complement and enhance co-existence with other existing processes
       ▫ Recognize that each department may need different controls given their specific product, service, risks
  • 10. 20 Top Critical Security Controls
     1. Inventory Devices (Hardware) – Authorized and Unauthorized – identify vulnerabilities, access, data map
     2. Inventory Software – Authorized and Unauthorized – identify vulnerabilities to performance, access
     3. Secure Configurations – Hardware and Software
     4. Assess and Remediate – assess and re-assess identified vulnerabilities
     5. Install Malware Defenses
     6. Software – manage security lifecycle of software to prevent, detect and correct weaknesses
     7. Wireless Access – monitor and control
     8. Data Recovery Capability – establish, test and update
     9. Training – develop, review, assess, identify and remediate gaps in security
     10. Security Configuration of Network Devices – establish, implement and manage
     11. Network Ports – limit and control
     12. Administrative Privileges – control, document and keep updated
     13. Boundary Defenses – detect, prevent, correct transfer of information across networks
     14. Audit Logs – maintain, monitor, analyze to detect, understand, prevent and recover from attack
     15. Control access to critical assets on a need to know / need to have basis
     16. Accounts – monitor and control system and application accounts (creation, use, dormancy, termination)
     17. Data Protection – identify and monitor the processes and tools used to prevent, mitigate, and ensure
     18. Incident Response and Management – develop and implement an Incident Response Team & Plan
     19. Secure Network Engineering – specify, design and build in features in all system operations
     20. Test – simulate penetration and red team exercises to ensure knowledge and efficacy of tools & processes

Editor's notes

  1. People: Identify what skill set exists for individuals responsible for security / controls. Identify who in each department and branch is responsible for or manages security / controls. Identify who works on each operational system and has working knowledge of the risks associated with that system. Identify the policy and process makers who will clarify the roles and responsibilities of each employee related to security / controls (including successors for continuity).
     Systems: Identify network connections (internal, external, remote); identify VLANs, subnets, IP addressing schemes, segmentation, security suite assets, gaps in security coverage, and single points of failure. Identify all physical locations of hardware assets (buildings, city, etc.). Identify points of entry and exit into network nodes. Identify and map the connections and locations of all data and how the data flows (transmitted, received, stored, deleted) between software systems, computers, mobile devices and network connections (datacenter, cloud). Ensure no application is installed without documentation. Document in a log all hardware (desktops, laptops, phones, copier/scanners, shredders, printers: model, serial number, type, quantity, age, warranty, location, contract (PO, lease), cost/depreciation) and all software (title, type, version, license count, location (business unit, system), custom code, cloud solution or COTS solution, contract (PO, lease, license), warranty/service agreement, costs).
     Contracts & Reports: Review and identify existing concerns, and prioritize those concerns addressed in reports, etc. Review existing contracts to identify which roles & responsibilities lie with internal corporate employees and which lie with 3rd party vendors. Review and identify all SLA reports and deliverables from internal employees and 3rd party vendors to ensure compliance, efficiency and effectiveness (responsiveness, deliverables, service demarcations, incident handling). Frontline review and consult on (prior to execution) all contracts which may affect hardware, network, security access, integration into existing systems, processes, etc. If an existing report has remediation obligations, review it periodically to ensure completion.
     Policies & Procedures/Processes: Identify, review and ensure complete, accurate and up-to-date documentation of policies, procedures and workflow processes. Review state and federal laws and regulatory guidance (compliance and industry specific). Work with Legal Counsel to stay updated on any changes in laws and regulatory guidance (FDIC, OCC, Fed Reserve, FFIEC, etc.) on a monthly if not more frequent basis.
  2. Assess, Monitor and Re-Assess all of the items identified in the previous slide (track them in a Configuration Management Database (CMDB) or IT Asset Management (ITAM) database). Review maintenance and service contracts for software to ensure systems are being updated with the latest patches, etc. Review hardware and systems that are nearing their “end of life” (EOL) to incorporate them into your strategic plan and budget, and prepare for upgrades, data transfer, or otherwise transitioning that equipment, those systems and the data on them. Test and stress the systems (firewalls, AV solutions, IDS/IPS sensors) and the security procedures (patch management, incident response). Review audit findings, technical requirements and reported metrics to verify controls are effective (external and internal).
     Review initiating reports and SIEM logs, and establish metrics for performance: patch latency reports (time from when updates are issued to when they are installed), baseline scan coverage (percentage of the organization covered by antivirus, firewall, malware/APT solutions), ratio of compromised machines to user base, incident response time (from report of incident to remediation), percentage of incidents detected by equipment type vs. overall number of incidents, mean time between security incident and recovery, percentage of systems/assets without vulnerability issues after test/scan (ensure all systems are configured and patch updates installed correctly), mean time from infection to detection, and budget for security controls relative to overall budget. Perform vulnerability scans (check for updates that have not been deployed or installed, and security controls that are disabled or misconfigured); technology scans (traffic flow, user behavior, bandwidth rates at specific times/days); and penetration tests (stress test the systems, people, security policies/controls and applications).
     Identify, track and monitor which controls are “fully implemented,” “partially implemented,” or “not implemented.” Review security (NIST, ISO, OWASP, COBIT, CCM, SANS, etc.) and compliance (PCI, HIPAA, GLBA, SOX, etc.) framework documentation to identify outstanding issues, remediation, control gaps, etc. Update policies, procedures and process workflows to incorporate changes in laws, regulations, systems & people, products or services. Update access/authorizations, data retention, and destruction or transmittal (emailed, downloaded or printed).
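The performance metrics listed in note 2 are only useful if they are computed the same way every reporting period. The following is an added example, not part of the original slides or notes, that derives several of them (patch latency, baseline scan coverage, compromised-machine ratio, clean-after-scan share, mean time from infection to detection, and report-to-remediation time) from constructed endpoint and incident records; the record fields and sample values are assumptions, not data from any real inventory.

```python
from datetime import date, datetime
from statistics import mean

# Constructed endpoint records (not real inventory data): release and install
# dates of the latest critical patch, whether the AV/firewall/anti-malware suite
# covers the host, IR's compromised flag, and open findings after the last scan.
ENDPOINTS = [
    {"host": "wks-01", "issued": "2017-07-03", "installed": "2017-07-05",
     "covered": True, "compromised": False, "open_vulns": 0},
    {"host": "wks-02", "issued": "2017-07-03", "installed": "2017-07-10",
     "covered": True, "compromised": True, "open_vulns": 2},
    {"host": "srv-01", "issued": "2017-07-03", "installed": None,
     "covered": False, "compromised": False, "open_vulns": 1},
    {"host": "srv-02", "issued": "2017-07-03", "installed": "2017-07-04",
     "covered": True, "compromised": False, "open_vulns": 0},
]

# Constructed incident timeline (not real data): infection, detection,
# report to the IR team, and remediation, as local timestamps.
INCIDENTS = [
    {"infected": "2017-07-06T08:00", "detected": "2017-07-06T20:00",
     "reported": "2017-07-06T21:00", "remediated": "2017-07-07T09:00"},
    {"infected": "2017-07-12T10:00", "detected": "2017-07-13T10:00",
     "reported": "2017-07-13T10:30", "remediated": "2017-07-13T16:30"},
]

def _hours(start, end):
    fmt = "%Y-%m-%dT%H:%M"
    delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
    return delta.total_seconds() / 3600

def patch_latency(endpoints=ENDPOINTS):
    """Mean days from release to install; unpatched hosts are listed, not dropped silently."""
    days = [(date.fromisoformat(e["installed"]) - date.fromisoformat(e["issued"])).days
            for e in endpoints if e["installed"]]
    unpatched = [e["host"] for e in endpoints if not e["installed"]]
    return mean(days), unpatched

def coverage_ratios(endpoints=ENDPOINTS):
    """Baseline scan coverage, compromised-to-user-base ratio, and the share of
    systems with no open findings after the latest scan."""
    n = len(endpoints)
    return {"coverage": sum(e["covered"] for e in endpoints) / n,
            "compromised": sum(e["compromised"] for e in endpoints) / n,
            "clean_after_scan": sum(e["open_vulns"] == 0 for e in endpoints) / n}

def incident_times(incidents=INCIDENTS):
    """Mean infection-to-detection and report-to-remediation times, in hours."""
    return {"mean_time_to_detect": mean(_hours(i["infected"], i["detected"]) for i in incidents),
            "mean_response": mean(_hours(i["reported"], i["remediated"]) for i in incidents)}
```

A host with no install date (srv-01 here) is reported by name alongside the average so an unpatched system cannot hide inside a good-looking latency figure.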
  3. Remediation & Prevention: Manage, manage, manage, and document all changes so that the information is easily accessible for IT to understand what configurations were changed, installed, or deleted. Manage and document your Company’s systems, assets, security controls and patches. You must first know how data is accessed and routed from your Company’s datacenters, through your Company, and down to the desktops of your users. You need to understand where your Company’s ingress/egress points are located, the location of your edge boundaries (cloud/on premise) and, most of all, have visibility into how your Company’s internet providers and 3rd party vendors/partners connect remotely into your environment. Automation is your friend and ally. Security controls are safeguards: they are countermeasures deployed to minimize or compensate for security risks. These risks can be to an organization’s physical property, information, computer systems, or other assets. Develop an Incident Response Plan and Team – containment, collection, and remediation. See NIST SP 800-61 Rev. 2 for a guide.