Compliance Toolbox.

AGENDA
Compliance Toolbox
Bridging the Gap
Documentation
STIGs
Compliant versus non-compliant views

COMPLIANCE TOOLS
Risk Management Framework (RMF)
Security Technical Implementation Guides (STIGs)
Assured Compliance Assessment Solution (ACAS)
Security Content Automation Protocol (SCAP)
Enterprise Mission Assurance Support Services (eMASS)

STIGs
https://iase.disa.mil/stigs/pages/a-z.aspx
436 possible STIGs, each with a varying number of Vulnerability IDs (V-IDs).
STIG Viewer: https://iase.disa.mil/stigs/pages/stig-viewing-guidance.aspx

I-ASSURE (http://www.i-assure.com)
RMF steps          STIG steps
1. Categorize      1. Discover
2. Select          2. Assess
3. Implement       3. Analyze
4. Assess          4. Remediate
5. Authorize       5. Mitigate
6. Monitor

5 STEPS OF STIG COMPLIANCE: BRIDGING THE GAP (DISA STIG)
1. Discover: We will review hardware and software lists and diagrams, and perform interviews, to determine the baseline STIGs applicable to the environment.
2. Assess: We will use DISA-provided automated tools (ACAS and SCAP), locally developed tools and manual reviews to determine and document the current compliance state.
3. Analyze: We will perform a gap analysis with our customer to identify quick fixes and potential problems, and provide a go-forward strategy for achieving compliance.

5 STEPS OF STIG COMPLIANCE: BRIDGING THE GAP (continued)
4. Remediate: We will use the strategy defined in the Analyze phase to execute fixes. Regression and functional testing will occur to ensure that security changes do not negatively impact operations. All results will be documented.
5. Mitigate: For items that could not be remediated due to operational constraints, a Plan of Action and Milestones (POA&M) will be created to identify the vulnerability and the mitigations associated with lowering the raw risk.

CRACKING THE CODE: DOCUMENTATION
Not Applicable
Automatically Compliant

CRACKING THE CODE: CCI (Control Correlation Identifier)
The purpose of CCIs is to allow a high-level statement made in a policy document (i.e., a security control) to be "decomposed" and explicitly associated with the low-level security settings that must be assessed to determine compliance with the objectives of that specific statement.

DECODING THE STIGS: COMPLIANT
CAT I, CAT II, CAT III

DECODING THE STIGS: NON-COMPLIANT
Note: There are no results when searching all 5 STIGs for CCI-001485.
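The CCI decomposition and the compliant/non-compliant views above, as an added worked example that is not part of the original presentation or of any DISA tool: a Python script that reads a STIG in the XCCDF 1.1 layout DISA publishes (rule severity high/medium/low standing for CAT I/II/III, CCIs carried in `<ident system="http://iase.disa.mil/cci">`) together with an XCCDF TestResult of the kind a SCAP scan produces, then pivots the per-rule results by CCI and rolls them up into STIG Viewer checklist statuses. Both XML documents are constructed samples: the V-/SV- numbers, STIG IDs, titles, result values and the CCI strings are placeholders used only as keys to pivot on, not entries from any published STIG, and the empty search for CCI-001485 mirrors the slide's note.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}
CCI_SYSTEM = "http://iase.disa.mil/cci"  # <ident system=...> value DISA uses for CCIs

# DISA encodes the STIG category as the XCCDF rule severity.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
# XCCDF result values folded into STIG Viewer checklist statuses.
RESULT_TO_STATUS = {"pass": "NotAFinding", "fixed": "NotAFinding",
                    "fail": "Open", "notapplicable": "Not_Applicable"}
DEFAULT_STATUS = "Not_Reviewed"  # error/unknown/notchecked/notselected, or no rule-result

# Constructed sample benchmark (assumption): V-/SV- numbers, STIG IDs, titles and the
# CCI strings are placeholders to pivot on, not entries from any published STIG.
SAMPLE_BENCHMARK = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_STIG">
  <title>Example STIG (constructed sample)</title>
  <Group id="V-900001"><Rule id="SV-900001r1_rule" severity="high" weight="10.0">
    <version>EX-01-000010</version><title>Enforce the approved configuration baseline.</title>
    <ident system="http://iase.disa.mil/cci">CCI-000366</ident></Rule></Group>
  <Group id="V-900002"><Rule id="SV-900002r1_rule" severity="medium" weight="10.0">
    <version>EX-01-000020</version><title>Disable unnecessary services.</title>
    <ident system="http://iase.disa.mil/cci">CCI-000366</ident>
    <ident system="http://iase.disa.mil/cci">CCI-000381</ident></Rule></Group>
  <Group id="V-900003"><Rule id="SV-900003r1_rule" severity="low" weight="10.0">
    <version>EX-01-000030</version><title>Audit records must identify the source process.</title>
    <ident system="http://iase.disa.mil/cci">CCI-000131</ident></Rule></Group>
  <Group id="V-900004"><Rule id="SV-900004r1_rule" severity="medium" weight="10.0">
    <version>EX-01-000040</version><title>Restrict inbound ports to the approved list.</title>
    <ident system="http://iase.disa.mil/cci">CCI-000382</ident></Rule></Group>
</Benchmark>
"""
# Constructed sample TestResult, as a SCAP scanner would emit; SV-900004 was never checked.
SAMPLE_RESULTS = """
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="example_scan">
  <rule-result idref="SV-900001r1_rule"><result>pass</result></rule-result>
  <rule-result idref="SV-900002r1_rule"><result>fail</result></rule-result>
  <rule-result idref="SV-900003r1_rule"><result>notapplicable</result></rule-result>
</TestResult>
"""

def parse_benchmark(xml_text):
    """rule_id -> {vuln_id, stig_id, title, cat, ccis}, in document order (nested Groups too)."""
    rules = {}
    for group in ET.fromstring(xml_text).iter(f"{{{XCCDF_NS}}}Group"):
        for rule in group.findall("x:Rule", NS):
            ccis = [i.text.strip() for i in rule.findall("x:ident", NS)
                    if i.get("system") == CCI_SYSTEM and i.text]
            rules[rule.get("id")] = {
                "vuln_id": group.get("id"),
                "stig_id": rule.findtext("x:version", default="", namespaces=NS),
                "title": rule.findtext("x:title", default="", namespaces=NS),
                "cat": SEVERITY_TO_CAT.get(rule.get("severity"), "unknown"),
                "ccis": ccis,
            }
    return rules

def parse_results(xml_text):
    """rule_id -> XCCDF result string, from a TestResult (stand-alone or embedded in a Benchmark)."""
    return {rr.get("idref"): rr.findtext("x:result", default="unknown", namespaces=NS).strip()
            for rr in ET.fromstring(xml_text).iter(f"{{{XCCDF_NS}}}rule-result")}

def checklist_status(result):
    return RESULT_TO_STATUS.get(result, DEFAULT_STATUS)

def find_cci(rules, cci):
    """Rule IDs that decompose `cci`; an empty list means no setting in this STIG maps to it."""
    return [rid for rid, r in rules.items() if cci in r["ccis"]]

def cci_view(rules, results):
    """CCI -> [(rule_id, category, checklist status)]: the control-to-setting view."""
    view = defaultdict(list)
    for rid, r in rules.items():
        for cci in r["ccis"]:
            view[cci].append((rid, r["cat"], checklist_status(results.get(rid))))
    return dict(view)

def summarize(rules, results):
    """Category -> count of each checklist status: the compliant / non-compliant roll-up."""
    summary = defaultdict(Counter)
    for rid, r in rules.items():
        summary[r["cat"]][checklist_status(results.get(rid))] += 1
    return {cat: dict(c) for cat, c in summary.items()}

if __name__ == "__main__":
    rules = parse_benchmark(SAMPLE_BENCHMARK)
    results = parse_results(SAMPLE_RESULTS)
    for cci, hits in sorted(cci_view(rules, results).items()):
        print(cci, *(f"{rid} {cat} {status}" for rid, cat, status in hits), sep="\n  ")
    print("CCI-001485 ->", find_cci(rules, "CCI-001485") or "no rule in this STIG")
    print(summarize(rules, results))
```

Rules with no rule-result at all land in Not_Reviewed rather than being silently counted as compliant, which is the check to keep when merging several scans into one checklist; a CCI with an empty find_cci result is the "no results" situation on the slide and has to be traced back to the control by hand.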

BRINGING IT TOGETHER: THE BOTTOM LINE
Expectations:
Every 1-3 years minimum
It's going to cost money
Cost effective and sustainable: low cost
Non-layered approach:
>20% initial cost of accreditation
>45% to sustain accreditation over time
>70% higher to reaccredit
Layered approach:
<50% of the initial cost to reaccredit
Cost effective and sustainable: lower cost
Long-term effective for cost and compliance

COMPLIANCE TOOLBOX Questions?