Measuring Compliance with Tenable Security Center


Measuring Compliance with Tenable Security Center
Joe Zurba | HUIT IT Security
Presentation to FAS Security Liaisons, May 23, 2013

Agenda (4/22/2017)
- What is compliance and why is it important?
- What do we need to comply with?
- What can we measure?
- How is measurement accomplished?
- What are the first steps?
- What are the next steps?
- Questions

What is Compliance?
com·pli·ance /kəmˈplīəns/, noun
1. The action or fact of complying with a wish or command.
2. The state or fact of according with or meeting rules or standards.
Synonyms: agreement, consent, accord, accordance, conformity
Compliance means conforming to a rule, such as a specification, policy, standard or law.
Speaker notes: Dictionary definition of compliance. Perhaps the definition that is more salient to this presentation is…

Why is Compliance Important?
- Compliance provides a baseline posture from which we can build more mature processes and controls
- Compliance provides standards
- Compliance helps to lower risk
- Compliance helps to improve the quality of work
- Compliance helps to mitigate potential penalties
Speaker notes:
Compliance is a baseline. There hasn't been a breach of data from a retailer that wasn't compliant with the PCI DSS. Compliance is the first step in building maturity in process and
Compliance provides standards. Standards allow us to perform our jobs more effectively and efficiently by reducing the number of variables that we have to deal with and setting consistency across our processes and systems.
Compliance helps to lower risk.
Compliance helps to improve the quality of work by helping to enforce a higher standard for operations.
Compliance helps to mitigate potential penalties, e.g. a hard drive is encrypted in order to comply with a policy; if it is lost, the data lost is not reportable (HIPAA, MA 201 CMR 17, etc.).

What Do We Need To Comply With?
Depending on where you are within Harvard, you may need to comply with one or several of the following policies/standards:
- HIPAA (Health Insurance Portability and Accountability Act)
- FERPA (Family Educational Rights and Privacy Act)
- PCI (Payment Card Industry Data Security Standard, PCI DSS)
- Massachusetts 201 CMR 17 (protecting the PII of Massachusetts residents)
- Harvard Information Security Policy (HISP)
- Harvard Research Data Security Policy (HRDSP)
- Contractual obligations, such as Data Use Agreements seen in research; these can supersede or exceed the requirements of other policies

What Can We Measure?
- Government compliance: FISMA (Federal Information Security Management Act), NIST (National Institute of Standards and Technology), DISA STIG (Defense Information Systems Agency Security Technical Implementation Guide), CERT (Computer Emergency Readiness Team)
- Regulatory compliance: HIPAA, Sarbanes-Oxley (SOX), FERPA
- Corporate (institutional) governance, risk, and compliance (GRC): institutional policy, PCI, ISO 27001
- And… Harvard Security Policy

How Is Measurement Accomplished?
Tenable Security Center vulnerability scanning:
- Used to measure systems for vulnerabilities in operating systems and common applications
- Uses credentialed scans to unobtrusively log into systems to analyze patch status
Tenable Security Center compliance scanning:
- Uses industry-standard or custom audit files to measure system configurations
- Uses credentialed scans to unobtrusively log into systems

[Screenshot slides: Audit Files (3 slides), Scan Policy (3 slides), Add a Compliance Scan (2 slides), Analyze The Results (4 slides)]

What Are The First Steps?
Measuring systems that store or process HRCI (PII) against 10 points of the HEISP:
- Private IP addressing
- Host-based firewall
- Vulnerability scanning and patching program
- External logging (Splunk)
- Active, up-to-date anti-virus software
- Unique credentials, default passwords changed, shared accounts disabled
- Password length and complexity
- Brute-force credential lock-outs
- Logging of successful and unsuccessful login attempts

What Are The Next Steps?
- Establish a process for ongoing compliance scanning, reporting and remediation
- Expand the service offering to comply with other regulatory standards (HIPAA, PCI)
- Define standard build audit files to scan for deviation

Questions

Thank you.
Joe Zurba | HUIT IT Security
Presentation to Security Liaisons, May 23, 2013