尊敬的 微信汇率:1円 ≈ 0.046089 元 支付宝汇率:1円 ≈ 0.04618元 [退出登录]
SlideShare a Scribd company logo

NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by Doug Landoll

Download as PPTX, PDF
North Texas Chapter of the ISSA
North Texas Chapter of the ISSA

Doug Landoll, CEO, Lantego Four Deadly Traps in Using Information Security Frameworks Frameworks can be used to effectively build or assess information security programs, but applied incorrectly and they effectively mask major program gaps. During this talk, Mr. Landoll will explain the four framework traps and how to avoid them and how to effectively utilize a framework to build or assess an information security program. Mr. Landoll will focus on the NIST 800-53 framework as an example.

Internet
1 of 25
@NTXISSA Four Deadly Traps in Using Information Security Frameworks Doug Landoll CEO Lantego April 25, 2015 www.lantego.com (512) 633-8405 dlandoll@lantego.com
@NTXISSA Session Agenda • Framework Definition & Uses • NIST 800-53 Framework Intro & Uses • Four Traps of Frameworks • Conclusion
@NTXISSA Framework – skeletal structure designed to support something. Security Frameworks – structure to help organize and prioritize information security programs. Framework Definition
@NTXISSA Structure • Organization for the creation or review of an information security program Reference • Connection with other frameworks, standards, and requirements. Completeness • Thorough treatment of security controls Security Framework Uses
@NTXISSA NIST 800-53 Intro: “FISMA Five” FIPS Pub 199: Security Categorization NIST 800-37: Guide for C&A FIPS Pub 200: Minimum Security Controls NIST 800-53: Recommended Security Controls NIST 800-53A: Techniques for Verifying Effectiveness System: Low, Moderate, or High 18 Control Families Certification & Accreditation Process 800+ security controls How to audit controls
@NTXISSA SP 800-53 Catalog of Controls • Organized and structured set of security controls • 18 Security Control Families ID FAMILY ID FAMILY AC Access Control MP Media Protection AT Awareness and Training PE Physical and Environmental Protection AU Audit and Accountability PL Planning CA Security Assessment an Authorization PS Personnel Security CM Configuration Management RA Risk Assessment CP Contingency Planning SA System and Services Acquisition IA Identification and Authentication SC System and Communications Protection IR Incident Response SI System and Information Integrity MA Maintenance PM Program Management*
@NTXISSA SP 800-53 Control Structure • Security Control Structure Control Ref. # and Name Control Section Supplemental Guidance Control Enhancements References Priority & Baseline Allocation
@NTXISSA Control Reference & Name • Within each security control family are a number of security controls. These security controls are numbered. Ref. AU-1 Audit and Accountability Policy and Procedures AU-2 Audit Events AU-3 Content of Audit Records AU-4 Audit Storage Capacity AU-5 Response to Audit Processing Failures AU-6 Audit Review, Analysis, and Reporting AU-7 Audit Reduction and Report Generation AU-8 Time Stamps AU-9 Protection of Audit Information … …
@NTXISSA Control Section • Each security control is describes as a requirement. Control: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
@NTXISSA Supplemental Guidance • Supplemental guidance provides non-prescriptive additional information to guide the definition, development, and implementation of the security control. • Operational considerations • Mission/business considerations • Risk assessment information. Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI- 11.
@NTXISSA Control Enhancements • Control enhancements provide statements of security capability to: • Add function/specificity to the control, or • Increase the strength of the control. Control Enhancements: (1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. (2) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
@NTXISSA References • References section includes a list of applicable documents relevant to the security control: • federal laws, • Executive Orders, • directives, • policies, • regulations, • standards, and • guidelines
@NTXISSA Priority & Baseline Allocation • Priority provides guidance for sequencing decisions • Baseline Allocation –starting point for the security control selection process based on system categorization (Low, Moderate, High) MOD HIGHLOW
@NTXISSA Control Assignment • Controls may be augmented through assignment and selection options within control statements. • Assignment: Organizationally defined AU-2 AUDIT EVENTS The organization: … (3) AUDIT EVENT | REVIEWS AND UPDATES The organization reviews and updates the audited events [Assignment: organization-defined frequency]. 800-53 Example
@NTXISSA Control Selection • Controls may be augmented through assignment and selection options within control statements. • Selection: Organizationally defined IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION Control: The information system uniquely identifies and authenticates [Assignment: organizational defined specific and/or types of devices] before establishing a [Selection (one or more): local, remote, network] connection. 800-53 Example
@NTXISSA Security Controls: Risk-based Process • NIST: • An organizational risk assessment validates the initial security control selection and determines if additional controls are needed. • Example: • System categorization (Standard | Protected) determines initial security control selection. • Organizational | System risk assessment provides rationale for additional, compensating, or deleted security controls from initial selection.
@NTXISSA Structure • 18 Security Control Families Reference • Includes crosswalks to ISO27001 & CC • CC -> 800-53; 800-53 -> CC • ISO 27001 -> 800-53; 800-53 -> ISO 27001 Completeness • Organizational, Management and Technical Controls Framework Uses: NIST 800-53 Example
@NTXISSA Policy # Policy Name Policy # Policy Name P8110 Data Classification P8310 Account Management P8120 Information Security Program P8320 Access Control P8130 System Security Acquisition P8330 System Security Audit P8210 Security Awareness Training and Education P8340 Identification and Authentication P8220 System Security Maintenance P8350 System and Communication Protection P8230 Contingency Planning P8410 System Privacy P8240 Incident Response Planning P8250 Media Protection P8260 Physical Protections P8270 Personnel Security Control P9280 Acceptable Use Example Policies Based on 800-53 Framework
@NTXISSA Four Framework Traps 1. False Frameworks 2. Compliance via Assertion 3. Tailoring by Judgment 4. One and Done
@NTXISSA False Frameworks • Regulations and Standards not Frameworks: • Incomplete and focus solely on specific data and security policies • HIPAA • PCI DSS • “Industry Best Practices” • No available references, not industry recognized, likely incomplete and not structured. • AKA: Our own secret sauce • Smoke and Mirrors
@NTXISSA Compliance via Assertion • Embracing a Framework is step one. • Next Steps • Interpret • Apply • Assess • Address gaps
@NTXISSA Tailoring by Judgment • Frameworks are tailorable through an exception process or a risk based process. • Tailoring based on gaps, “judgment”, and cost limits the benefits of a framework
@NTXISSA One and Done • A security program based on a framework will require maintenance • Frameworks get updates • ISO 27001/2: Updated Sept 2013 • NIST 800-53: Updated April 2013 • COBIT 5: Updated 2012 • Other Updates • References, Mappings, Business & Customer Requirements • Reassess regularly
@NTXISSA Conclusions • Determine appropriate framework for the business • Add requirements (these are not frameworks) • Embrace the framework and its tailoring process • Beware framework traps • It’s just a framework – there is a lot more work to do.
@NTXISSA@NTXISSA The Collin College Engineering Department Collin College Student Chapter of the North Texas ISSA North Texas ISSA (Information Systems Security Association) NTX ISSA Cyber Security Conference – April 24-25, 2015 25 Thank you

Recommended

NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...
NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...
NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...
North Texas Chapter of the ISSA
 
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
North Texas Chapter of the ISSA
 
Top 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure InfrastructureTop 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure Infrastructure
Infosec
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
Erik Taavila
 
NTXISSACSC2 - Software Assurance (SwA) by John Whited
NTXISSACSC2 - Software Assurance (SwA) by John WhitedNTXISSACSC2 - Software Assurance (SwA) by John Whited
NTXISSACSC2 - Software Assurance (SwA) by John Whited
North Texas Chapter of the ISSA
 
Roadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesRoadmap to IT Security Best Practices
Roadmap to IT Security Best Practices
Greenway Health
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon SwainNTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
North Texas Chapter of the ISSA
 

Recommended

NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...
NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...
NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...
North Texas Chapter of the ISSA
 
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
North Texas Chapter of the ISSA
 
Top 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure InfrastructureTop 20 Security Controls for a More Secure Infrastructure
Top 20 Security Controls for a More Secure Infrastructure
Infosec
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
Erik Taavila
 
NTXISSACSC2 - Software Assurance (SwA) by John Whited
NTXISSACSC2 - Software Assurance (SwA) by John WhitedNTXISSACSC2 - Software Assurance (SwA) by John Whited
NTXISSACSC2 - Software Assurance (SwA) by John Whited
North Texas Chapter of the ISSA
 
Roadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesRoadmap to IT Security Best Practices
Roadmap to IT Security Best Practices
Greenway Health
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon SwainNTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
North Texas Chapter of the ISSA
 
Tictaclabs Managed Cyber Security Services
Tictaclabs Managed Cyber Security ServicesTictaclabs Managed Cyber Security Services
Tictaclabs Managed Cyber Security Services
TicTac Data Recovery
 
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity FrameworkAchieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Kevin Fealey
 
Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap
Anshu Gupta
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHS
John Gilligan
 
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss ProtectionGabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
centralohioissa
 
NTXISSACSC2 - Why Lead with Risk? by Doug Landoll
NTXISSACSC2 - Why Lead with Risk? by Doug LandollNTXISSACSC2 - Why Lead with Risk? by Doug Landoll
NTXISSACSC2 - Why Lead with Risk? by Doug Landoll
North Texas Chapter of the ISSA
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
Shah Sheikh
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRT
APNIC
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
centralohioissa
 
Security Operations Center
Security Operations CenterSecurity Operations Center
Security Operations Center
MDS CS
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
Community IT - Crafting Nonprofit IT Security Policy
Community IT - Crafting Nonprofit IT Security PolicyCommunity IT - Crafting Nonprofit IT Security Policy
Community IT - Crafting Nonprofit IT Security Policy
Community IT Innovators
 
Why Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityWhy Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum Security
Priyanka Aash
 
Developing an Information Security Roadmap
Developing an Information Security RoadmapDeveloping an Information Security Roadmap
Developing an Information Security Roadmap
Austin Songer
 
Cybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentationCybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentation
Monchai Phaichitchan
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
Muhammad Sahputra
 
What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017
Doug Copley
 
What is a cybersecurity assessment 20210813
What is a cybersecurity assessment 20210813What is a cybersecurity assessment 20210813
What is a cybersecurity assessment 20210813
Kinetic Potential
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
Ben Rothke
 
Cybersecurity Framework - Introduction
Cybersecurity Framework - IntroductionCybersecurity Framework - Introduction
Cybersecurity Framework - Introduction
Muhammad Akbar Yasin
 
Tax Preparers Presentation
Tax Preparers PresentationTax Preparers Presentation
Tax Preparers Presentation
Doug Landoll
 
Mnescot controls monitoring
Mnescot controls monitoringMnescot controls monitoring
Mnescot controls monitoring
mnescot
 

More Related Content

What's hot

Tictaclabs Managed Cyber Security Services
Tictaclabs Managed Cyber Security ServicesTictaclabs Managed Cyber Security Services
Tictaclabs Managed Cyber Security Services
TicTac Data Recovery
 
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity FrameworkAchieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Kevin Fealey
 
Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap
Anshu Gupta
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHS
John Gilligan
 
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss ProtectionGabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
centralohioissa
 
NTXISSACSC2 - Why Lead with Risk? by Doug Landoll
NTXISSACSC2 - Why Lead with Risk? by Doug LandollNTXISSACSC2 - Why Lead with Risk? by Doug Landoll
NTXISSACSC2 - Why Lead with Risk? by Doug Landoll
North Texas Chapter of the ISSA
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
Shah Sheikh
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRT
APNIC
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
centralohioissa
 
Security Operations Center
Security Operations CenterSecurity Operations Center
Security Operations Center
MDS CS
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
Community IT - Crafting Nonprofit IT Security Policy
Community IT - Crafting Nonprofit IT Security PolicyCommunity IT - Crafting Nonprofit IT Security Policy
Community IT - Crafting Nonprofit IT Security Policy
Community IT Innovators
 
Why Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityWhy Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum Security
Priyanka Aash
 
Developing an Information Security Roadmap
Developing an Information Security RoadmapDeveloping an Information Security Roadmap
Developing an Information Security Roadmap
Austin Songer
 
Cybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentationCybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentation
Monchai Phaichitchan
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
Muhammad Sahputra
 
What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017
Doug Copley
 
What is a cybersecurity assessment 20210813
What is a cybersecurity assessment 20210813What is a cybersecurity assessment 20210813
What is a cybersecurity assessment 20210813
Kinetic Potential
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
Ben Rothke
 
Cybersecurity Framework - Introduction
Cybersecurity Framework - IntroductionCybersecurity Framework - Introduction
Cybersecurity Framework - Introduction
Muhammad Akbar Yasin
 

What's hot (20)

Tictaclabs Managed Cyber Security Services
Tictaclabs Managed Cyber Security ServicesTictaclabs Managed Cyber Security Services
Tictaclabs Managed Cyber Security Services
 
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity FrameworkAchieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
 
Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap Security and Compliance Initial Roadmap
Security and Compliance Initial Roadmap
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHS
 
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss ProtectionGabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
 
NTXISSACSC2 - Why Lead with Risk? by Doug Landoll
NTXISSACSC2 - Why Lead with Risk? by Doug LandollNTXISSACSC2 - Why Lead with Risk? by Doug Landoll
NTXISSACSC2 - Why Lead with Risk? by Doug Landoll
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRT
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
 
Security Operations Center
Security Operations CenterSecurity Operations Center
Security Operations Center
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
Community IT - Crafting Nonprofit IT Security Policy
Community IT - Crafting Nonprofit IT Security PolicyCommunity IT - Crafting Nonprofit IT Security Policy
Community IT - Crafting Nonprofit IT Security Policy
 
Why Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityWhy Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum Security
 
Developing an Information Security Roadmap
Developing an Information Security RoadmapDeveloping an Information Security Roadmap
Developing an Information Security Roadmap
 
Cybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentationCybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentation
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017
 
What is a cybersecurity assessment 20210813
What is a cybersecurity assessment 20210813What is a cybersecurity assessment 20210813
What is a cybersecurity assessment 20210813
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Cybersecurity Framework - Introduction
Cybersecurity Framework - IntroductionCybersecurity Framework - Introduction
Cybersecurity Framework - Introduction
 

Viewers also liked

Tax Preparers Presentation
Tax Preparers PresentationTax Preparers Presentation
Tax Preparers Presentation
Doug Landoll
 
Mnescot controls monitoring
Mnescot controls monitoringMnescot controls monitoring
Mnescot controls monitoring
mnescot
 
Security Certification - Critical Review
Security Certification - Critical ReviewSecurity Certification - Critical Review
Security Certification - Critical Review
ISA Interchange
 
Securing SCADA
Securing SCADASecuring SCADA
Securing SCADA
Jeffrey Wang , P.Eng
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security Frameworks
Marco Morana
 
Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82
majolic
 
Cisa Certification Overview
Cisa Certification OverviewCisa Certification Overview
Cisa Certification Overview
Al Imran, CISA
 
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aCritical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
James W. De Rienzo
 
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
James W. De Rienzo
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.
Priyanka Aash
 
Evolution Of IPR
Evolution Of IPREvolution Of IPR
Evolution Of IPR
Lalit Ambastha
 
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon NamCOBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
NUS-ISS
 
Ipr, Intellectual Property Rights
Ipr, Intellectual Property RightsIpr, Intellectual Property Rights
Ipr, Intellectual Property Rights
Vikram Dahiya
 
COBIT®5 - Foundation
COBIT®5 - FoundationCOBIT®5 - Foundation
COBIT®5 - Foundation
Mirosław Dąbrowski C-level IT manager, CEO, Agile, ICF Coach, Speaker
 
TYBSC IT SEM 6 IPR/CL
TYBSC IT SEM 6 IPR/CLTYBSC IT SEM 6 IPR/CL
TYBSC IT SEM 6 IPR/CL
WE-IT TUTORIALS
 
Intellectual Property Rights (IPR)
Intellectual Property Rights (IPR)Intellectual Property Rights (IPR)
Intellectual Property Rights (IPR)
Madhusudan Rao Datrika
 

Viewers also liked (16)

Tax Preparers Presentation
Tax Preparers PresentationTax Preparers Presentation
Tax Preparers Presentation
 
Mnescot controls monitoring
Mnescot controls monitoringMnescot controls monitoring
Mnescot controls monitoring
 
Security Certification - Critical Review
Security Certification - Critical ReviewSecurity Certification - Critical Review
Security Certification - Critical Review
 
Securing SCADA
Securing SCADASecuring SCADA
Securing SCADA
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security Frameworks
 
Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82
 
Cisa Certification Overview
Cisa Certification OverviewCisa Certification Overview
Cisa Certification Overview
 
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aCritical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
 
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.
 
Evolution Of IPR
Evolution Of IPREvolution Of IPR
Evolution Of IPR
 
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon NamCOBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
 
Ipr, Intellectual Property Rights
Ipr, Intellectual Property RightsIpr, Intellectual Property Rights
Ipr, Intellectual Property Rights
 
COBIT®5 - Foundation
COBIT®5 - FoundationCOBIT®5 - Foundation
COBIT®5 - Foundation
 
TYBSC IT SEM 6 IPR/CL
TYBSC IT SEM 6 IPR/CLTYBSC IT SEM 6 IPR/CL
TYBSC IT SEM 6 IPR/CL
 
Intellectual Property Rights (IPR)
Intellectual Property Rights (IPR)Intellectual Property Rights (IPR)
Intellectual Property Rights (IPR)
 

Similar to NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by Doug Landoll

20201014 iso27001 iso27701 nist v2 (extended version)
20201014 iso27001 iso27701 nist v2 (extended version)20201014 iso27001 iso27701 nist v2 (extended version)
20201014 iso27001 iso27701 nist v2 (extended version)
Peter GEELEN ✔
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Donald E. Hester
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security Demystified
Michael Torres
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
PECB
 
Privacies are coming
Privacies are comingPrivacies are coming
Privacies are coming
Ernest Staats
 
محتويات مادة آمن الشبكات
محتويات مادة آمن الشبكاتمحتويات مادة آمن الشبكات
محتويات مادة آمن الشبكات
eng_SamMoh
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber Security
Ernest Staats
 
L3 RMF Phase 2 Categorize.pptx
L3 RMF Phase 2 Categorize.pptxL3 RMF Phase 2 Categorize.pptx
L3 RMF Phase 2 Categorize.pptx
StevenTharp2
 
CISSP Cheatsheet.pdf
CISSP Cheatsheet.pdfCISSP Cheatsheet.pdf
CISSP Cheatsheet.pdf
shyedshahriar
 
Week 09_Cyber security u.pdf
Week 09_Cyber security u.pdfWeek 09_Cyber security u.pdf
Week 09_Cyber security u.pdf
dhanywahyudi17
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
abhichowdary16
 
HIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best Practices
Hostway|HOSTING
 
Continuous compliance using data and code
Continuous compliance using data and codeContinuous compliance using data and code
Continuous compliance using data and code
Erkang Zheng
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Standards Customer Council
 
CISSP -Access Control Domain knowlege.pdf
CISSP -Access Control Domain knowlege.pdfCISSP -Access Control Domain knowlege.pdf
CISSP -Access Control Domain knowlege.pdf
AliAlwesabi
 
Data Security Service Offering-v3
Data Security Service Offering-v3Data Security Service Offering-v3
Data Security Service Offering-v3
Abe Newton
 
CH12-CompSec4e.pptx
CH12-CompSec4e.pptxCH12-CompSec4e.pptx
CH12-CompSec4e.pptx
ams1ams11
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and Privacy
Cloud Standards Customer Council
 

Similar to NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by Doug Landoll (20)

20201014 iso27001 iso27701 nist v2 (extended version)
20201014 iso27001 iso27701 nist v2 (extended version)20201014 iso27001 iso27701 nist v2 (extended version)
20201014 iso27001 iso27701 nist v2 (extended version)
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security Demystified
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
 
Privacies are coming
Privacies are comingPrivacies are coming
Privacies are coming
 
محتويات مادة آمن الشبكات
محتويات مادة آمن الشبكاتمحتويات مادة آمن الشبكات
محتويات مادة آمن الشبكات
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber Security
 
L3 RMF Phase 2 Categorize.pptx
L3 RMF Phase 2 Categorize.pptxL3 RMF Phase 2 Categorize.pptx
L3 RMF Phase 2 Categorize.pptx
 
CISSP Cheatsheet.pdf
CISSP Cheatsheet.pdfCISSP Cheatsheet.pdf
CISSP Cheatsheet.pdf
 
Week 09_Cyber security u.pdf
Week 09_Cyber security u.pdfWeek 09_Cyber security u.pdf
Week 09_Cyber security u.pdf
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
 
HIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best Practices
 
Continuous compliance using data and code
Continuous compliance using data and codeContinuous compliance using data and code
Continuous compliance using data and code
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
CISSP -Access Control Domain knowlege.pdf
CISSP -Access Control Domain knowlege.pdfCISSP -Access Control Domain knowlege.pdf
CISSP -Access Control Domain knowlege.pdf
 
Data Security Service Offering-v3
Data Security Service Offering-v3Data Security Service Offering-v3
Data Security Service Offering-v3
 
CH12-CompSec4e.pptx
CH12-CompSec4e.pptxCH12-CompSec4e.pptx
CH12-CompSec4e.pptx
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and Privacy
 

More from North Texas Chapter of the ISSA

Purple seven-ntxissacsc5 walcutt
Purple seven-ntxissacsc5 walcuttPurple seven-ntxissacsc5 walcutt
Purple seven-ntxissacsc5 walcutt
North Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 7 protecting the cloud with cep
Ntxissacsc5 yellow 7 protecting the cloud with cepNtxissacsc5 yellow 7 protecting the cloud with cep
Ntxissacsc5 yellow 7 protecting the cloud with cep
North Texas Chapter of the ISSA
 
Ntxissacsc5 gold 4 beyond detection and prevension remediation
Ntxissacsc5 gold 4 beyond detection and prevension remediationNtxissacsc5 gold 4 beyond detection and prevension remediation
Ntxissacsc5 gold 4 beyond detection and prevension remediation
North Texas Chapter of the ISSA
 
Ntxissacsc5 gold 1 mimecast e mail resiliency
Ntxissacsc5 gold 1 mimecast e mail resiliencyNtxissacsc5 gold 1 mimecast e mail resiliency
Ntxissacsc5 gold 1 mimecast e mail resiliency
North Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
North Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
North Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
Ntxissacsc5 yellow 1-beginnerslinux bill-petersenNtxissacsc5 yellow 1-beginnerslinux bill-petersen
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
North Texas Chapter of the ISSA
 
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykesNtxissacsc5 red 6-diy-pentest-lab dustin-dykes
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
North Texas Chapter of the ISSA
 
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
Ntxissacsc5 red 1 & 2 basic hacking tools ncc groupNtxissacsc5 red 1 & 2 basic hacking tools ncc group
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
North Texas Chapter of the ISSA
 
Ntxissacsc5 purple 5-insider threat-_andy_thompson
Ntxissacsc5 purple 5-insider threat-_andy_thompsonNtxissacsc5 purple 5-insider threat-_andy_thompson
Ntxissacsc5 purple 5-insider threat-_andy_thompson
North Texas Chapter of the ISSA
 
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczulNtxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
North Texas Chapter of the ISSA
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNtxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
North Texas Chapter of the ISSA
 
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
Ntxissacsc5 purple 1-eu-gdpr_patrick_florerNtxissacsc5 purple 1-eu-gdpr_patrick_florer
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
North Texas Chapter of the ISSA
 
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowiczNtxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higginsNtxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghanNtxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeqNtxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill whiteNtxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_muellerNtxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNtxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
North Texas Chapter of the ISSA
 

More from North Texas Chapter of the ISSA (20)

Purple seven-ntxissacsc5 walcutt
Purple seven-ntxissacsc5 walcuttPurple seven-ntxissacsc5 walcutt
Purple seven-ntxissacsc5 walcutt
 
Ntxissacsc5 yellow 7 protecting the cloud with cep
Ntxissacsc5 yellow 7 protecting the cloud with cepNtxissacsc5 yellow 7 protecting the cloud with cep
Ntxissacsc5 yellow 7 protecting the cloud with cep
 
Ntxissacsc5 gold 4 beyond detection and prevension remediation
Ntxissacsc5 gold 4 beyond detection and prevension remediationNtxissacsc5 gold 4 beyond detection and prevension remediation
Ntxissacsc5 gold 4 beyond detection and prevension remediation
 
Ntxissacsc5 gold 1 mimecast e mail resiliency
Ntxissacsc5 gold 1 mimecast e mail resiliencyNtxissacsc5 gold 1 mimecast e mail resiliency
Ntxissacsc5 gold 1 mimecast e mail resiliency
 
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
 
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
 
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
Ntxissacsc5 yellow 1-beginnerslinux bill-petersenNtxissacsc5 yellow 1-beginnerslinux bill-petersen
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
 
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykesNtxissacsc5 red 6-diy-pentest-lab dustin-dykes
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
 
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
Ntxissacsc5 red 1 & 2 basic hacking tools ncc groupNtxissacsc5 red 1 & 2 basic hacking tools ncc group
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
 
Ntxissacsc5 purple 5-insider threat-_andy_thompson
Ntxissacsc5 purple 5-insider threat-_andy_thompsonNtxissacsc5 purple 5-insider threat-_andy_thompson
Ntxissacsc5 purple 5-insider threat-_andy_thompson
 
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczulNtxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNtxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
 
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
Ntxissacsc5 purple 1-eu-gdpr_patrick_florerNtxissacsc5 purple 1-eu-gdpr_patrick_florer
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
 
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowiczNtxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
 
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higginsNtxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
 
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghanNtxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
 
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeqNtxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
 
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill whiteNtxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
 
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_muellerNtxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNtxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
 

Recently uploaded

Call Girls Vijayawada 7742996321 Vijayawada Escorts Service
Call Girls Vijayawada 7742996321 Vijayawada Escorts ServiceCall Girls Vijayawada 7742996321 Vijayawada Escorts Service
Call Girls Vijayawada 7742996321 Vijayawada Escorts Service
huse9823
 
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
hina sharma$A17
 
Nashik Call Girls 💯Call Us 🔝 7374876321 🔝 💃 Independent Female Escort Service
Nashik Call Girls 💯Call Us 🔝 7374876321 🔝 💃 Independent Female Escort ServiceNashik Call Girls 💯Call Us 🔝 7374876321 🔝 💃 Independent Female Escort Service
Nashik Call Girls 💯Call Us 🔝 7374876321 🔝 💃 Independent Female Escort Service
sabanasarkari36
 
Call Girls In Delhi 🔥 +91-9873940964🔥High Profile Call Girl Delhi
Call Girls In Delhi 🔥 +91-9873940964🔥High Profile Call Girl DelhiCall Girls In Delhi 🔥 +91-9873940964🔥High Profile Call Girl Delhi
Call Girls In Delhi 🔥 +91-9873940964🔥High Profile Call Girl Delhi
alisha panday
 
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENTUnlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
rajesh344555
 
🔥Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl Service Avail...
🔥Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl Service Avail...🔥Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl Service Avail...
🔥Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl Service Avail...
aneeta$L14
 
🔥High Profile Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl ...
🔥High Profile Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl ...🔥High Profile Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl ...
🔥High Profile Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl ...
shasha$L14
 
Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available MumbaiCelebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
komal sharman06
 
一比一原版圣托马斯大学毕业证(UST毕业证书)学历如何办理
一比一原版圣托马斯大学毕业证(UST毕业证书)学历如何办理一比一原版圣托马斯大学毕业证(UST毕业证书)学历如何办理
一比一原版圣托马斯大学毕业证(UST毕业证书)学历如何办理
uqbyfm
 
Cyber Crime with basics and knowledge to cyber sphere
Cyber Crime with basics and knowledge to cyber sphereCyber Crime with basics and knowledge to cyber sphere
Cyber Crime with basics and knowledge to cyber sphere
RISHIKCHAUDHARY2
 
VVIP Call Girls💯Call Us {{ 7374876321 }} 🔝 💃 Independent Female Escort Service
VVIP Call Girls💯Call Us {{ 7374876321 }} 🔝 💃 Independent Female Escort ServiceVVIP Call Girls💯Call Us {{ 7374876321 }} 🔝 💃 Independent Female Escort Service
VVIP Call Girls💯Call Us {{ 7374876321 }} 🔝 💃 Independent Female Escort Service
graggunno
 
Ethically Aligned Design (Overview - Version 2)
Ethically Aligned Design (Overview - Version 2)Ethically Aligned Design (Overview - Version 2)
Ethically Aligned Design (Overview - Version 2)
prb404
 
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
THE MOST
 
169+ Call Girls In Navi Mumbai | 9930245274 | Reliability Escort Service Near...
169+ Call Girls In Navi Mumbai | 9930245274 | Reliability Escort Service Near...169+ Call Girls In Navi Mumbai | 9930245274 | Reliability Escort Service Near...
169+ Call Girls In Navi Mumbai | 9930245274 | Reliability Escort Service Near...
tanichadda371 #v08
 
GDE FORUM | Accessibility Testing with Chrome DevTools
GDE FORUM | Accessibility Testing with Chrome DevToolsGDE FORUM | Accessibility Testing with Chrome DevTools
GDE FORUM | Accessibility Testing with Chrome DevTools
Josefine Schaefer
 
Full Night Fun With Call Girls Lucknow📞7737669865 At Very Cheap Rates Doorste...
Full Night Fun With Call Girls Lucknow📞7737669865 At Very Cheap Rates Doorste...Full Night Fun With Call Girls Lucknow📞7737669865 At Very Cheap Rates Doorste...
Full Night Fun With Call Girls Lucknow📞7737669865 At Very Cheap Rates Doorste...
monuc3758 $S2
 
India Cyber Threat Report of 2024 with year
India Cyber Threat Report of 2024 with yearIndia Cyber Threat Report of 2024 with year
India Cyber Threat Report of 2024 with year
AkashKumar1733
 
Measuring and Understanding the Route Origin Validation (ROV) in RPKI
Measuring and Understanding the Route Origin Validation (ROV) in RPKIMeasuring and Understanding the Route Origin Validation (ROV) in RPKI
Measuring and Understanding the Route Origin Validation (ROV) in RPKI
APNIC
 
Call Girls In Chennai 💯Call Us 🔝 8824825030 🔝Independent Chennai Escorts Serv...
Call Girls In Chennai 💯Call Us 🔝 8824825030 🔝Independent Chennai Escorts Serv...Call Girls In Chennai 💯Call Us 🔝 8824825030 🔝Independent Chennai Escorts Serv...
Call Girls In Chennai 💯Call Us 🔝 8824825030 🔝Independent Chennai Escorts Serv...
payalgupta2u
 
Trends In Cybersecurity | Rise Of Iot Security Solutions | IoT Device Security
Trends In Cybersecurity | Rise Of Iot Security Solutions | IoT Device SecurityTrends In Cybersecurity | Rise Of Iot Security Solutions | IoT Device Security
Trends In Cybersecurity | Rise Of Iot Security Solutions | IoT Device Security
Lumiverse Solutions Pvt Ltd
 

Recently uploaded (20)

Call Girls Vijayawada 7742996321 Vijayawada Escorts Service
Call Girls Vijayawada 7742996321 Vijayawada Escorts ServiceCall Girls Vijayawada 7742996321 Vijayawada Escorts Service
Call Girls Vijayawada 7742996321 Vijayawada Escorts Service
 
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
 
Nashik Call Girls 💯Call Us 🔝 7374876321 🔝 💃 Independent Female Escort Service
Nashik Call Girls 💯Call Us 🔝 7374876321 🔝 💃 Independent Female Escort ServiceNashik Call Girls 💯Call Us 🔝 7374876321 🔝 💃 Independent Female Escort Service
Nashik Call Girls 💯Call Us 🔝 7374876321 🔝 💃 Independent Female Escort Service
 
Call Girls In Delhi 🔥 +91-9873940964🔥High Profile Call Girl Delhi
Call Girls In Delhi 🔥 +91-9873940964🔥High Profile Call Girl DelhiCall Girls In Delhi 🔥 +91-9873940964🔥High Profile Call Girl Delhi
Call Girls In Delhi 🔥 +91-9873940964🔥High Profile Call Girl Delhi
 
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENTUnlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
 
🔥Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl Service Avail...
🔥Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl Service Avail...🔥Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl Service Avail...
🔥Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl Service Avail...
 
🔥High Profile Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl ...
🔥High Profile Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl ...🔥High Profile Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl ...
🔥High Profile Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl ...
 
Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available MumbaiCelebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
 
一比一原版圣托马斯大学毕业证(UST毕业证书)学历如何办理
一比一原版圣托马斯大学毕业证(UST毕业证书)学历如何办理一比一原版圣托马斯大学毕业证(UST毕业证书)学历如何办理
一比一原版圣托马斯大学毕业证(UST毕业证书)学历如何办理
 
Cyber Crime with basics and knowledge to cyber sphere
Cyber Crime with basics and knowledge to cyber sphereCyber Crime with basics and knowledge to cyber sphere
Cyber Crime with basics and knowledge to cyber sphere
 
VVIP Call Girls💯Call Us {{ 7374876321 }} 🔝 💃 Independent Female Escort Service
VVIP Call Girls💯Call Us {{ 7374876321 }} 🔝 💃 Independent Female Escort ServiceVVIP Call Girls💯Call Us {{ 7374876321 }} 🔝 💃 Independent Female Escort Service
VVIP Call Girls💯Call Us {{ 7374876321 }} 🔝 💃 Independent Female Escort Service
 
Ethically Aligned Design (Overview - Version 2)
Ethically Aligned Design (Overview - Version 2)Ethically Aligned Design (Overview - Version 2)
Ethically Aligned Design (Overview - Version 2)
 
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
 
169+ Call Girls In Navi Mumbai | 9930245274 | Reliability Escort Service Near...
169+ Call Girls In Navi Mumbai | 9930245274 | Reliability Escort Service Near...169+ Call Girls In Navi Mumbai | 9930245274 | Reliability Escort Service Near...
169+ Call Girls In Navi Mumbai | 9930245274 | Reliability Escort Service Near...
 
GDE FORUM | Accessibility Testing with Chrome DevTools
GDE FORUM | Accessibility Testing with Chrome DevToolsGDE FORUM | Accessibility Testing with Chrome DevTools
GDE FORUM | Accessibility Testing with Chrome DevTools
 
Full Night Fun With Call Girls Lucknow📞7737669865 At Very Cheap Rates Doorste...
Full Night Fun With Call Girls Lucknow📞7737669865 At Very Cheap Rates Doorste...Full Night Fun With Call Girls Lucknow📞7737669865 At Very Cheap Rates Doorste...
Full Night Fun With Call Girls Lucknow📞7737669865 At Very Cheap Rates Doorste...
 
India Cyber Threat Report of 2024 with year
India Cyber Threat Report of 2024 with yearIndia Cyber Threat Report of 2024 with year
India Cyber Threat Report of 2024 with year
 
Measuring and Understanding the Route Origin Validation (ROV) in RPKI
Measuring and Understanding the Route Origin Validation (ROV) in RPKIMeasuring and Understanding the Route Origin Validation (ROV) in RPKI
Measuring and Understanding the Route Origin Validation (ROV) in RPKI
 
Call Girls In Chennai 💯Call Us 🔝 8824825030 🔝Independent Chennai Escorts Serv...
Call Girls In Chennai 💯Call Us 🔝 8824825030 🔝Independent Chennai Escorts Serv...Call Girls In Chennai 💯Call Us 🔝 8824825030 🔝Independent Chennai Escorts Serv...
Call Girls In Chennai 💯Call Us 🔝 8824825030 🔝Independent Chennai Escorts Serv...
 
Trends In Cybersecurity | Rise Of Iot Security Solutions | IoT Device Security
Trends In Cybersecurity | Rise Of Iot Security Solutions | IoT Device SecurityTrends In Cybersecurity | Rise Of Iot Security Solutions | IoT Device Security
Trends In Cybersecurity | Rise Of Iot Security Solutions | IoT Device Security
 

NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by Doug Landoll

  • 1. @NTXISSA Four Deadly Traps in Using Information Security Frameworks Doug Landoll CEO Lantego April 25, 2015 www.lantego.com (512) 633-8405 dlandoll@lantego.com
  • 2. @NTXISSA Session Agenda • Framework Definition & Uses • NIST 800-53 Framework Intro & Uses • Four Traps of Frameworks • Conclusion
  • 3. @NTXISSA Framework – skeletal structure designed to support something. Security Frameworks – structure to help organize and prioritize information security programs. Framework Definition
  • 4. @NTXISSA Structure • Organization for the creation or review of an information security program Reference • Connection with other frameworks, standards, and requirements. Completeness • Thorough treatment of security controls Security Framework Uses
  • 5. @NTXISSA NIST 800-53 Intro: “FISMA Five” FIPS Pub 199: Security Categorization NIST 800-37: Guide for C&A FIPS Pub 200: Minimum Security Controls NIST 800-53: Recommended Security Controls NIST 800-53A: Techniques for Verifying Effectiveness System: Low, Moderate, or High 18 Control Families Certification & Accreditation Process 800+ security controls How to audit controls
  • 6. @NTXISSA SP 800-53 Catalog of Controls • Organized and structured set of security controls • 18 Security Control Families ID FAMILY ID FAMILY AC Access Control MP Media Protection AT Awareness and Training PE Physical and Environmental Protection AU Audit and Accountability PL Planning CA Security Assessment an Authorization PS Personnel Security CM Configuration Management RA Risk Assessment CP Contingency Planning SA System and Services Acquisition IA Identification and Authentication SC System and Communications Protection IR Incident Response SI System and Information Integrity MA Maintenance PM Program Management*
  • 7. @NTXISSA SP 800-53 Control Structure • Security Control Structure Control Ref. # and Name Control Section Supplemental Guidance Control Enhancements References Priority & Baseline Allocation
  • 8. @NTXISSA Control Reference & Name • Within each security control family are a number of security controls. These security controls are numbered. Ref. AU-1 Audit and Accountability Policy and Procedures AU-2 Audit Events AU-3 Content of Audit Records AU-4 Audit Storage Capacity AU-5 Response to Audit Processing Failures AU-6 Audit Review, Analysis, and Reporting AU-7 Audit Reduction and Report Generation AU-8 Time Stamps AU-9 Protection of Audit Information … …
  • 9. @NTXISSA Control Section • Each security control is describes as a requirement. Control: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
  • 10. @NTXISSA Supplemental Guidance • Supplemental guidance provides non-prescriptive additional information to guide the definition, development, and implementation of the security control. • Operational considerations • Mission/business considerations • Risk assessment information. Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI- 11.
  • 11. @NTXISSA Control Enhancements • Control enhancements provide statements of security capability to: • Add function/specificity to the control, or • Increase the strength of the control. Control Enhancements: (1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. (2) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
  • 12. @NTXISSA References • References section includes a list of applicable documents relevant to the security control: • federal laws, • Executive Orders, • directives, • policies, • regulations, • standards, and • guidelines
  • 13. @NTXISSA Priority & Baseline Allocation • Priority provides guidance for sequencing decisions • Baseline Allocation –starting point for the security control selection process based on system categorization (Low, Moderate, High) MOD HIGHLOW
  • 14. @NTXISSA Control Assignment • Controls may be augmented through assignment and selection options within control statements. • Assignment: Organizationally defined AU-2 AUDIT EVENTS The organization: … (3) AUDIT EVENT | REVIEWS AND UPDATES The organization reviews and updates the audited events [Assignment: organization-defined frequency]. 800-53 Example
  • 15. @NTXISSA Control Selection • Controls may be augmented through assignment and selection options within control statements. • Selection: Organizationally defined IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION Control: The information system uniquely identifies and authenticates [Assignment: organizational defined specific and/or types of devices] before establishing a [Selection (one or more): local, remote, network] connection. 800-53 Example
  • 16. @NTXISSA Security Controls: Risk-based Process • NIST: • An organizational risk assessment validates the initial security control selection and determines if additional controls are needed. • Example: • System categorization (Standard | Protected) determines initial security control selection. • Organizational | System risk assessment provides rationale for additional, compensating, or deleted security controls from initial selection.
  • 17. @NTXISSA Structure • 18 Security Control Families Reference • Includes crosswalks to ISO27001 & CC • CC -> 800-53; 800-53 -> CC • ISO 27001 -> 800-53; 800-53 -> ISO 27001 Completeness • Organizational, Management and Technical Controls Framework Uses: NIST 800-53 Example
  • 18. @NTXISSA Policy # Policy Name Policy # Policy Name P8110 Data Classification P8310 Account Management P8120 Information Security Program P8320 Access Control P8130 System Security Acquisition P8330 System Security Audit P8210 Security Awareness Training and Education P8340 Identification and Authentication P8220 System Security Maintenance P8350 System and Communication Protection P8230 Contingency Planning P8410 System Privacy P8240 Incident Response Planning P8250 Media Protection P8260 Physical Protections P8270 Personnel Security Control P9280 Acceptable Use Example Policies Based on 800-53 Framework
  • 19. @NTXISSA Four Framework Traps 1. False Frameworks 2. Compliance via Assertion 3. Tailoring by Judgment 4. One and Done
  • 20. @NTXISSA False Frameworks • Regulations and Standards not Frameworks: • Incomplete and focus solely on specific data and security policies • HIPAA • PCI DSS • “Industry Best Practices” • No available references, not industry recognized, likely incomplete and not structured. • AKA: Our own secret sauce • Smoke and Mirrors
  • 21. @NTXISSA Compliance via Assertion • Embracing a Framework is step one. • Next Steps • Interpret • Apply • Assess • Address gaps
  • 22. @NTXISSA Tailoring by Judgment • Frameworks are tailorable through an exception process or a risk based process. • Tailoring based on gaps, “judgment”, and cost limits the benefits of a framework
  • 23. @NTXISSA One and Done • A security program based on a framework will require maintenance • Frameworks get updates • ISO 27001/2: Updated Sept 2013 • NIST 800-53: Updated April 2013 • COBIT 5: Updated 2012 • Other Updates • References, Mappings, Business & Customer Requirements • Reassess regularly
  • 24. @NTXISSA Conclusions • Determine appropriate framework for the business • Add requirements (these are not frameworks) • Embrace the framework and its tailoring process • Beware framework traps • It’s just a framework – there is a lot more work to do.
  • 25. @NTXISSA@NTXISSA The Collin College Engineering Department Collin College Student Chapter of the North Texas ISSA North Texas ISSA (Information Systems Security Association) NTX ISSA Cyber Security Conference – April 24-25, 2015 25 Thank you
  翻译: