Control Assessments
An Asset-Based Methodology


                             Copyright 2009 SCIF Software, Inc. Released under the Creative Commons Attribution 3.0 License
Security Axiom

✤   Security is achieved by applying relevant controls to assets in scope

    ✤   Therefore, security evaluations evaluate the controls applied to the
        assets, whether the assets are documented or not

    ✤   A compliance program may be focused on: specific information;
        business processes; services provided; or industry; however, the
        security controls implemented do not change based on the focus of
        the compliance program




Asset Types

✤   Business Assets                     ✤     Technical Assets

    ✤   Locations                       ✤     Applications

    ✤   Information                     ✤     Connections

    ✤   Organizations                   ✤     Devices

    ✤   Personnel                       ✤     Networks

                                        ✤     Proprietary Code


Asset Classification

✤   Not all like-assets are equal

     While the security controls possible for all devices are the same, the
     security controls required may not be, depending on the purpose or other
     attributes of the device

✤   The same principle applies to all other asset types as well




Asset Classification (Continued)




✤   The firewalls serve as access points to networks

✤   The Web Server and DB Server are part of an N-Tier application
    infrastructure that centrally provides access to significant NPPI

✤   The Desktops and Laptop are used to access limited NPPI records

Asset Profile Introduction
✤   Asset Profile purpose:

    ✤   Associate regulatory requirements to assets that must comply

    ✤   Associate security controls that can/must be used to implement
        compliance




Asset Profile

✤   Type of asset that meets requirements for specified security posture

✤   Examples:

    ✤   NPPI Repository Server          ✤    NPPI Network Access Point

    ✤   NPPI Workstation                ✤    Person with Access to NPPI

    ✤   NPPI Repository Network         ✤    NPPI Repository Application

    ✤   NPPI Facility                   ✤    NPPI Data Center Room


Asset Profile Controls


Control                      | NPPI Repository                                    | NPPI Workstation                   | Portable NPPI Workstation
Authentication Mechanism     | Two Factor                                         | Username and Password              | Username and Password
Must be in Data Center       | Required                                           | Not Required                       | Not Required
Hard Disk Encryption         | Required                                           | Not Required                       | Required
Redundant Power              | Required                                           | Not Required                       | Not Required
Backup Frequency             | Daily                                              | None                               | None
Must be on Protected Network | Required                                           | Not Required                       | Not Required
Content Filtering Enabled    | Required                                           | Required                           | Required
Critical Patch Installation  | Within 15 Days                                     | Within 30 Days                     | Within 30 Days
Disable USB Ports            | Required                                           | Required                           | Required
Log Review                   | 24 X 7 Aggregation and Correlation w/ Human Review | 24 X 7 Aggregation and Correlation | 24 X 7 Aggregation and Correlation

Asset Profile Assets




Asset Profile Assessment

✤   Question-based evaluation of assets to determine scope

    ✤   Simple

    ✤   Intuitive

    ✤   Understandable

    ✤   Have True/False or Multiple Choice Answers




Scope Assessment Example #1

✤   Automated system or application receives communication from
    network outside the control of the third-party and contains:

    ✤   ACME NPPI Records

    ✤   ACME Restricted or Security Critical Information

✤   Resultant Scope:

    ✤   ACME Data Repository



Scope Assessment Example #1a

✤   Automated system or application centrally processes or permanently
    stores:

    ✤   > 100 ACME NPPI Records

    ✤   > 500 Non-NPPI ACME Customer-Related Data Records

    ✤   ACME Restricted or Security Critical Information

✤   Resultant Scope:

    ✤   ACME Data Repository

Scope Assessment Example #2

✤   Automated system or application is used to access:

    ✤   < 100 ACME NPPI Records

    ✤   < 500 Non-NPPI ACME Customer-Related Data

    ✤   ACME Internal or Confidential Information

✤   Resultant Scope:

    ✤   ACME Data Workstation
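
The three scope examples above (Examples #1, #1a and #2) are really a small rule set, and an assessor wants to apply it the same way to every asset in the inventory. The Python below is an added example written for this page, not SCIF Software's code or tooling; the AssetFacts field names are assumptions chosen here. It applies the thresholds exactly as the slides state them, which also exposes a practical caveat: an asset that centrally stores exactly 100 NPPI records satisfies neither "> 100" nor "< 100" and comes back unclassified rather than silently landing in one scope.

```python
from dataclasses import dataclass

# Scope names as given on the slides.
DATA_REPOSITORY = "ACME Data Repository"
DATA_WORKSTATION = "ACME Data Workstation"


@dataclass
class AssetFacts:
    """Answers to the scope questions for one automated system or application.
    Field names are assumptions made for this example, not the deck's terms."""
    # Example #1: receives communication from a network outside the third party's control
    receives_external_communication: bool = False
    # Example #1a: centrally processes or permanently stores the data
    centrally_processes_or_stores: bool = False
    # Example #2: is used to access the data (client-side use)
    used_to_access: bool = False
    nppi_records: int = 0
    non_nppi_customer_records: int = 0
    restricted_or_security_critical: bool = False
    internal_or_confidential: bool = False


def matching_rules(facts: AssetFacts) -> list[tuple[str, str]]:
    """Return (rule, scope) pairs for every slide rule the asset satisfies.

    Thresholds are used exactly as written on the slides (> 100 / > 500 for the
    repository rule, < 100 / < 500 for the workstation rule), so an asset sitting
    on a boundary can match neither rule; assess_scope() then reports it as
    unclassified instead of guessing.
    """
    matches = []
    # Example #1: externally reachable AND contains NPPI or restricted information
    if facts.receives_external_communication and (
        facts.nppi_records > 0 or facts.restricted_or_security_critical
    ):
        matches.append(("Example #1", DATA_REPOSITORY))
    # Example #1a: central processing / permanent storage above the record thresholds
    if facts.centrally_processes_or_stores and (
        facts.nppi_records > 100
        or facts.non_nppi_customer_records > 500
        or facts.restricted_or_security_critical
    ):
        matches.append(("Example #1a", DATA_REPOSITORY))
    # Example #2: used to access a limited number of records or lower-classified data.
    # "< 100" is read as "at least one but fewer than 100" (assumption: accessing
    # no records at all should not pull an asset into scope on that basis).
    if facts.used_to_access and (
        0 < facts.nppi_records < 100
        or 0 < facts.non_nppi_customer_records < 500
        or facts.internal_or_confidential
    ):
        matches.append(("Example #2", DATA_WORKSTATION))
    return matches


def assess_scope(facts: AssetFacts) -> set[str]:
    """Resultant scopes for the asset (empty set = no rule matched; review manually)."""
    return {scope for _, scope in matching_rules(facts)}


if __name__ == "__main__":
    # Constructed sample assets, loosely following the deck's classification slide.
    samples = {
        "web server": AssetFacts(receives_external_communication=True,
                                 centrally_processes_or_stores=True, nppi_records=25000),
        "laptop": AssetFacts(used_to_access=True, nppi_records=40),
        "boundary case": AssetFacts(centrally_processes_or_stores=True, nppi_records=100),
    }
    for name, asset in samples.items():
        print(f"{name}: {assess_scope(asset) or 'UNCLASSIFIED (matches no rule)'}")
```

Returning the matched rules, not just the scope, keeps the audit trail the deck asks for elsewhere: the assessor can show which question put an asset into which questionnaire, and the empty result forces the boundary cases to be decided explicitly rather than by accident.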


Assessment Questionnaires

✤   One Questionnaire for each Asset Profile

    ✤   Contains controls deemed relevant for each asset-type/Asset
        Profile combination

    ✤   Granularly focuses questions for a specific asset or group of assets
        within scope

✤   Increases efficiency and effectiveness of audit program




Questionnaire Format
Control Family            | Reference | Question Text | Yes/No/NA/TI
Authentication Management | 2         | The information system uniquely identifies and authenticates users (or processes acting on behalf of users). |
Authentication Management | 2.1       | Authentication of user identities is accomplished through approved mechanisms. |
Authentication Management | 2.1.1     | Authentication of user identities is accomplished through the use of usernames and passwords. |
Authentication Management | 2.1.2     | Authentication of user identities is accomplished through the use of usernames and biometric devices. |
Authentication Management | 2.1.3     | Authentication of user identities is accomplished through the use of usernames and tokens. |
Authentication Management | 2.1.4     | Authentication of user identities is accomplished through the use of digital certificates. |
Authentication Management | 2.1.5     | Authentication of user identities is accomplished through the use of multi-factor authentication. |
Authentication Management | 2.2       | FIPS 201 and Special Publications 800-73 and 800-76 guidance regarding personal identity verification (PIV) card token for use in the unique identification and authentication of federal employees and contractors is followed. |
Authentication Management | 2.3       | NIST Special Publication 800-63 guidance on remote electronic authentication is followed. |
Authentication Management | 2.4       | User identification and authentication within a specified security perimeter follows NIST SP 800-63 guidance. |
Authentication Management | 3         | The information system identifies and authenticates specific devices before establishing a connection. |
Authentication Management | 3.1       | The information system uses pre-defined mechanisms to identify and authenticate devices on local and/or wide area networks. |
Authentication Management | 3.1.1     | The information system uses shared known information (e.g., Media Access Control (MAC) or Transmission Control Protocol/Internet Protocol (TCP/IP) addresses) to identify and authenticate devices on local and/or wide area networks. |
Authentication Management | 3.1.2     | The information system uses an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol (EAP) or a RADIUS server with EAP-Transport Layer Security (TLS) authentication) to identify and authenticate devices on local and/or wide area networks. |
Authentication Management | 4         | The organization manages user identifiers. |
Authentication Management | 4.1       | The organization manages user identifiers by uniquely identifying each user. |
Authentication Management | 4.2       | The organization manages user identifiers by verifying the identity of each user. |
Authentication Management | 4.3       | The organization manages user identifiers by receiving authorization to issue a user identifier from an appropriate organization official. |
Authentication Management | 4.5       | The organization manages user identifiers by disabling user identifier after a pre-defined time period of inactivity. |
Authentication Management | 4.5.1     | The organization manages user identifiers by disabling user identifier after 6 months of inactivity. |
Authentication Management | 4.5.2     | The organization manages user identifiers by disabling user identifier after 3 months of inactivity. |
Authentication Management | 4.6       | The organization manages user identifiers by archiving user identifiers. |

Control Assessment Framework

✤   Compliance Charter:

    ✤   Who must comply

    ✤   Why compliance is required

    ✤   When compliance must be achieved

✤   Security Standard:

    ✤   Where compliance is applicable (which assets or Scopes)

    ✤   What must be done (high level)
Control Assessment Framework

✤   Control Catalog:

    ✤   List of security controls that may be used to secure assets

✤   Compliance Map:

    ✤   Intersection of Security Standard and Security Control within the
        context of an Asset Profile

    ✤   How compliance is achieved

(Diagram: Asset Profile Map)

Compliance Charter


✤   Documents the compliance program's:

      ✤   Purpose

      ✤   Scope

      ✤   Governance

Security Standard



✤   Provides high-level guidance for security

    ✤   May be tailored to:

        ✤   Information

        ✤   Business Process Supported

        ✤   Services Provided

        ✤   Industry

Control Catalog

✤   Based on industry guidance

    ✤   NIST SP 800-53

    ✤   ISO 27002

✤   Contains controls for all asset-types

✤   Controls organized by family/domain

✤   Allows granular documentation of appropriate security postures


Compliance Map

✤   Combined to create Security Questionnaires for each Asset Profile

✤   Each control must be answered:




    ✤   Yes (Control is in place)

    ✤   No (Control is not in place)

    ✤   NA (Control is Not Applicable, provide justification)

    ✤   TI (Control is Technically Infeasible, provide documentation)
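
The Asset Profile Controls table and the answer rules on this slide together define a questionnaire: the controls a profile requires, and the Yes/No/NA/TI answer each must receive, with NA needing a justification and TI needing documentation. The Python below is an added example written for this page, not SCIF Software's code; the control rows are copied from the deck's Asset Profile Controls table, while the Answer record, the function names and the decision to count an unsupported NA or TI as an open gap are assumptions made here.

```python
from dataclasses import dataclass

PROFILES = ("NPPI Repository", "NPPI Workstation", "Portable NPPI Workstation")

# Control -> required posture per profile, in PROFILES order (copied from the deck's table).
CONTROL_CATALOG = {
    "Authentication Mechanism":     ("Two Factor", "Username and Password", "Username and Password"),
    "Must be in Data Center":       ("Required", "Not Required", "Not Required"),
    "Hard Disk Encryption":         ("Required", "Not Required", "Required"),
    "Redundant Power":              ("Required", "Not Required", "Not Required"),
    "Backup Frequency":             ("Daily", "None", "None"),
    "Must be on Protected Network": ("Required", "Not Required", "Not Required"),
    "Content Filtering Enabled":    ("Required", "Required", "Required"),
    "Critical Patch Installation":  ("Within 15 Days", "Within 30 Days", "Within 30 Days"),
    "Disable USB Ports":            ("Required", "Required", "Required"),
    "Log Review":                   ("24 X 7 Aggregation and Correlation w/ Human Review",
                                     "24 X 7 Aggregation and Correlation",
                                     "24 X 7 Aggregation and Correlation"),
}

# Table cells meaning "this profile does not need the control at all".
NOT_REQUIRED = {"Not Required", "None"}

VALID_ANSWERS = ("Yes", "No", "NA", "TI")


def questionnaire(profile: str) -> dict[str, str]:
    """Controls (with the required posture) that apply to one Asset Profile.
    Controls the table marks Not Required / None are left out, matching the
    deck's 'controls deemed relevant for each asset-type/Asset Profile combination'."""
    col = PROFILES.index(profile)
    return {ctl: reqs[col] for ctl, reqs in CONTROL_CATALOG.items() if reqs[col] not in NOT_REQUIRED}


@dataclass
class Answer:
    answer: str               # one of VALID_ANSWERS
    justification: str = ""   # mandatory when answer == "NA"
    documentation: str = ""   # mandatory when answer == "TI"


def evaluate(profile: str, answers: dict[str, Answer]) -> tuple[list[str], list[str]]:
    """Apply the Compliance Map answer rules to a filled-in questionnaire.

    Returns (findings, gaps): findings are defects in the submitted answers
    (unanswered control, NA without justification, TI without documentation,
    invalid value, answer for a control outside this questionnaire); gaps are
    controls not in place. An unsupported NA/TI stays a gap until it is backed up.
    """
    findings, gaps = [], []
    q = questionnaire(profile)
    for ctl, requirement in q.items():
        a = answers.get(ctl)
        if a is None:
            findings.append(f"{ctl}: unanswered (required: {requirement})")
            gaps.append(ctl)
        elif a.answer == "Yes":
            pass                                   # control is in place
        elif a.answer == "No":
            gaps.append(ctl)                       # control is not in place
        elif a.answer == "NA":
            if not a.justification.strip():
                findings.append(f"{ctl}: NA without justification")
                gaps.append(ctl)
        elif a.answer == "TI":
            if not a.documentation.strip():
                findings.append(f"{ctl}: TI without supporting documentation")
                gaps.append(ctl)
        else:
            findings.append(f"{ctl}: invalid answer {a.answer!r}, expected one of {VALID_ANSWERS}")
            gaps.append(ctl)
    # Answers for controls the profile does not require indicate the wrong questionnaire was used.
    for ctl in answers.keys() - q.keys():
        findings.append(f"{ctl}: answered but not part of the {profile} questionnaire")
    return findings, gaps


def is_compliant(profile: str, answers: dict[str, Answer]) -> bool:
    """True only when every required control is answered cleanly and in place."""
    findings, gaps = evaluate(profile, answers)
    return not findings and not gaps


if __name__ == "__main__":
    # Constructed answers for a portable workstation; the TI entry carries its documentation.
    submitted = {ctl: Answer("Yes") for ctl in questionnaire("Portable NPPI Workstation")}
    submitted["Disable USB Ports"] = Answer("TI", documentation="constructed: USB controller cannot be disabled in firmware")
    print(evaluate("Portable NPPI Workstation", submitted))
```

Generating the questionnaire from the same table that records the required posture is what keeps the three profiles consistent: a control dropped from or added to the catalog changes every questionnaire at once, and the required posture travels with each question so the assessor knows what "Yes" has to mean for that profile (two-factor for the repository, username and password for the workstations).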


Review Process





Asset Based Compliance Assessment

  • 1. Control Assessments An Asset-Based Methodology Copyright 2009 SCIF Software, Inc. Released under the Creative Commons Attribution 3.0 License
  • 2. Security Axiom ✤ Security is achieved by applying relevant controls to assets in scope ✤ Therefore, security evaluations evaluate the controls applied to the assets, whether the assets are documented or not ✤ A compliance program may be focused on: specific information; business processes; services provided; or industry; however, the security controls implemented do not change based on the focus of the compliance program Copyright 2009 SCIF Software, Inc. Released under the Creative Commons Attribution 3.0 License
  • 3. Asset Types ✤ Business Assets ✤ Technical Assets ✤ Locations ✤ Applications ✤ Information ✤ Connections ✤ Organizations ✤ Devices ✤ Personnel ✤ Networks ✤ Proprietary Code Copyright 2009 SCIF Software, Inc. Released under the Creative Commons Attribution 3.0 License
  • 4. Asset Classification
    ✤ Not all like-assets are equal
      While the security controls possible for all devices are the same ...
      ... the security controls required may not be ...
      ... depending on the purpose or other attributes of the device
    ✤ The same principle applies to all other asset types as well
  • 5. Asset Classification (Continued)
    ✤ The firewalls serve as access points to networks
    ✤ The Web Server and DB Server are part of an N-Tier application infrastructure that centrally provides access to significant NPPI
    ✤ The Desktops and Laptop are used to access limited NPPI records
  • 6. Asset Profile Introduction
    ✤ Asset Profile purpose:
      ✤ Associate regulatory requirements to assets that must comply
      ✤ Associate security controls that can/must be used to implement compliance
  • 7. Asset Profile
    ✤ Type of asset that meets requirements for specified security posture
    ✤ Examples:
      ✤ NPPI Repository Server
      ✤ NPPI Network Access Point
      ✤ NPPI Workstation
      ✤ Person with Access to NPPI
      ✤ NPPI Repository Network
      ✤ NPPI Repository Application
      ✤ NPPI Facility
      ✤ NPPI Data Center Room
  • 8. Asset Profile Controls
    Control                      | NPPI Repository                                    | NPPI Workstation                   | Portable NPPI Workstation
    Authentication Mechanism     | Two Factor                                         | Username and Password              | Username and Password
    Must be in Data Center       | Required                                           | Not Required                       | Not Required
    Hard Disk Encryption         | Required                                           | Not Required                       | Required
    Redundant Power              | Required                                           | Not Required                       | Not Required
    Backup Frequency             | Daily                                              | None                               | None
    Must be on Protected Network | Required                                           | Not Required                       | Not Required
    Content Filtering Enabled    | Required                                           | Required                           | Required
    Critical Patch Installation  | Within 15 Days                                     | Within 30 Days                     | Within 30 Days
    Disable USB Ports            | Required                                           | Required                           | Required
    Log Review                   | 24 X 7 Aggregation and Correlation w/ Human Review | 24 X 7 Aggregation and Correlation | 24 X 7 Aggregation and Correlation
  • 9. Asset Profile Assets
  • 10. Asset Profile Assessment
    ✤ Question-based evaluation of assets to determine scope
      ✤ Simple
      ✤ Intuitive
      ✤ Understandable
      ✤ Have True/False or Multiple Choice Answers
  • 11. Scope Assessment Example #1
    ✤ Automated system or application receives communication from a network outside the control of the third party and contains:
      ✤ ACME NPPI Records
      ✤ ACME Restricted or Security Critical Information
    ✤ Resultant Scope:
      ✤ ACME Data Repository
  • 12. Scope Assessment Example #1a
    ✤ Automated system or application centrally processes or permanently stores:
      ✤ > 100 ACME NPPI Records
      ✤ > 500 Non-NPPI ACME Customer-Related Data Records
      ✤ ACME Restricted or Security Critical Information
    ✤ Resultant Scope:
      ✤ ACME Data Repository
  • 13. Scope Assessment Example #2
    ✤ Automated system or application is used to access:
      ✤ < 100 ACME NPPI Records
      ✤ < 500 Non-NPPI ACME Customer-Related Data Records
      ✤ ACME Internal or Confidential Information
    ✤ Resultant Scope:
      ✤ ACME Data Workstation
  • 14. Assessment Questionnaires
    ✤ One Questionnaire for each Asset Profile
    ✤ Contains controls deemed relevant for each asset-type/Asset Profile combination
    ✤ Granularly focuses questions on a specific asset or group of assets within scope
    ✤ Increases efficiency and effectiveness of the audit program
  • 15. Questionnaire Format
    Control Family            | Reference | Question Text                                                                                                                                                                                                              | Yes/No/NA/TI
    Authentication Management | 2         | The information system uniquely identifies and authenticates users (or processes acting on behalf of users).                                                                                                               |
    Authentication Management | 2.1       | Authentication of user identities is accomplished through approved mechanisms.                                                                                                                                             |
    Authentication Management | 2.1.1     | Authentication of user identities is accomplished through the use of usernames and passwords.                                                                                                                              |
    Authentication Management | 2.1.2     | Authentication of user identities is accomplished through the use of usernames and biometric devices.                                                                                                                      |
    Authentication Management | 2.1.3     | Authentication of user identities is accomplished through the use of usernames and tokens.                                                                                                                                 |
    Authentication Management | 2.1.4     | Authentication of user identities is accomplished through the use of digital certificates.                                                                                                                                 |
    Authentication Management | 2.1.5     | Authentication of user identities is accomplished through the use of multi-factor authentication.                                                                                                                          |
    Authentication Management | 2.2       | FIPS 201 and Special Publications 800-73 and 800-76 guidance regarding the personal identity verification (PIV) card token for use in the unique identification and authentication of federal employees and contractors is followed. |
    Authentication Management | 2.3       | NIST Special Publication 800-63 guidance on remote electronic authentication is followed.                                                                                                                                  |
    Authentication Management | 2.4       | User identification and authentication within a specified security perimeter follows NIST SP 800-63 guidance.                                                                                                              |
    Authentication Management | 3         | The information system identifies and authenticates specific devices before establishing a connection.                                                                                                                     |
    Authentication Management | 3.1       | The information system uses pre-defined mechanisms to identify and authenticate devices on local and/or wide area networks.                                                                                                |
    Authentication Management | 3.1.1     | The information system uses shared known information (e.g., Media Access Control (MAC) or Transmission Control Protocol/Internet Protocol (TCP/IP) addresses) to identify and authenticate devices on local and/or wide area networks. |
    Authentication Management | 3.1.2     | The information system uses an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol (EAP), or a RADIUS server with EAP-Transport Layer Security (TLS) authentication) to identify and authenticate devices on local and/or wide area networks. |
    Authentication Management | 4         | The organization manages user identifiers.                                                                                                                                                                                 |
    Authentication Management | 4.1       | The organization manages user identifiers by uniquely identifying each user.                                                                                                                                               |
    Authentication Management | 4.2       | The organization manages user identifiers by verifying the identity of each user.                                                                                                                                          |
    Authentication Management | 4.3       | The organization manages user identifiers by receiving authorization to issue a user identifier from an appropriate organization official.                                                                                 |
    Authentication Management | 4.5       | The organization manages user identifiers by disabling user identifiers after a pre-defined time period of inactivity.                                                                                                     |
    Authentication Management | 4.5.1     | The organization manages user identifiers by disabling user identifiers after 6 months of inactivity.                                                                                                                      |
    Authentication Management | 4.5.2     | The organization manages user identifiers by disabling user identifiers after 3 months of inactivity.                                                                                                                      |
    Authentication Management | 4.6       | The organization manages user identifiers by archiving user identifiers.                                                                                                                                                   |
  • 16. Control Assessment Framework
    ✤ Compliance Charter:
      ✤ Who must comply
      ✤ Why compliance is required
      ✤ When compliance must be achieved
    ✤ Security Standard:
      ✤ Where compliance is applicable (which assets or Scopes)
      ✤ What must be done (high level)
  • 17. Control Assessment Framework
    ✤ Control Catalog:
      ✤ List of security controls that may be used to secure assets
    ✤ Asset Profile Map
    ✤ Compliance Map:
      ✤ Intersection of Security Standard and Security Control within the context of an Asset Profile
      ✤ How compliance is achieved
  • 18. Compliance Charter (WHO, WHY, WHEN)
    ✤ Documents the compliance program's:
      ✤ Purpose
      ✤ Scope
      ✤ Governance
  • 19. Security Standard (WHAT, WHERE)
    ✤ Provides high-level guidance for security
    ✤ May be tailored to:
      ✤ Information
      ✤ Business Process Supported
      ✤ Services Provided
      ✤ Industry
  • 20. Control Catalog
    ✤ Based on industry guidance
      ✤ NIST SP 800-53
      ✤ ISO 27002
    ✤ Contains controls for all asset-types
    ✤ Controls organized by family/domain
    ✤ Allows granular documentation of appropriate security postures
  • 21. Compliance Map (HOW)
    ✤ Combined to create Security Questionnaires for each Asset Profile
    ✤ Each control must be answered:
      ✤ Yes (Control is in place)
      ✤ No (Control is not in place)
      ✤ NA (Control is Not Applicable, provide justification)
      ✤ TI (Control is Technically Infeasible, provide documentation)
  • 22. Review Process
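As an added example (not code from the SCIF Software deck), the scope rules of slides 11-13, three rows of the slide 8 control matrix and the slide 21 answer semantics written as one small Python assessment check; the Asset field names and the mapping of the ACME scopes onto the NPPI profiles are assumptions made here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Asset Profile control matrix transcribed from slide 8 (three of its rows).
PROFILE_CONTROLS = {
    "NPPI Repository": {"Authentication Mechanism": "Two Factor",
                        "Hard Disk Encryption": "Required",
                        "Critical Patch Installation": "Within 15 Days"},
    "NPPI Workstation": {"Authentication Mechanism": "Username and Password",
                         "Hard Disk Encryption": "Not Required",
                         "Critical Patch Installation": "Within 30 Days"},
}
# Assumed mapping of the slide 11-13 resultant scopes onto the slide 8 profiles.
SCOPE_TO_PROFILE = {"ACME Data Repository": "NPPI Repository",
                    "ACME Data Workstation": "NPPI Workstation"}
@dataclass
class Asset:
    """Attributes the slide 11-13 scope questions ask about (field names assumed)."""
    nppi_records: int = 0           # ACME NPPI records stored or accessed
    customer_records: int = 0       # non-NPPI ACME customer-related records
    classification: str = "Public"  # highest ACME classification present
    stores_centrally: bool = False  # centrally processes / permanently stores
    external_facing: bool = False   # receives traffic from a network outside the third party's control
def resultant_scope(a: Asset) -> Optional[str]:
    """Slides 11-13 as rules; None = no rule matched (e.g. exactly 100 records), so manual review."""
    sensitive = a.classification in ("Restricted", "Security Critical")
    if a.external_facing and (a.nppi_records > 0 or sensitive):
        return "ACME Data Repository"                      # Example #1
    if a.stores_centrally and (a.nppi_records > 100
                               or a.customer_records > 500 or sensitive):
        return "ACME Data Repository"                      # Example #1a
    if (0 < a.nppi_records < 100 or 0 < a.customer_records < 500
            or a.classification in ("Internal", "Confidential")):
        return "ACME Data Workstation"                     # Example #2
    return None
def assess(a: Asset, answers: Dict[str, Tuple[str, str]]) -> List[str]:
    """Check answers (control -> (Yes/No/NA/TI, justification)) against the required profile; [] = no gaps."""
    scope = resultant_scope(a)
    if scope is None:
        return ["no scope rule matched; needs manual review"]
    findings = []
    for control, required in PROFILE_CONTROLS[SCOPE_TO_PROFILE[scope]].items():
        if required == "Not Required":
            continue                               # not part of this profile's posture
        answer, note = answers.get(control, ("No", ""))
        # Slide 21: Yes passes; NA and TI pass only with justification/documentation.
        if not (answer == "Yes" or (answer in ("NA", "TI") and note.strip())):
            findings.append(f"{control} ({required}): answered {answer!r}")
    return findings
```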
