Presentation is loading. Please wait.

Presentation is loading. Please wait.

Measuring Compliance with Tenable Security Center Joe Zurba | HUIT IT Summit May 23, 2013.

Published byHunter Regan Modified over 9 years ago

Similar presentations

Presentation on theme: "Measuring Compliance with Tenable Security Center Joe Zurba | HUIT IT Summit May 23, 2013."— Presentation transcript:

1 Measuring Compliance with Tenable Security Center Joe Zurba | HUIT IT Summit May 23, 2013

2 2 Agenda: Introduction What is compliance and why is it important? What do we need to comply with? What can we measure? How is measurement accomplished? What are the first steps? What are the next steps? Questions

3 3 Introduction

4 4 What is Compliance? com·pli·ance /kəm ˈ plīəns/ Noun 1. The action or fact of complying with a wish or command. 2. The state or fact of according with or meeting rules or standards. Synonyms agreement - consent - accord - accordance - conformity Compliance means conforming to a rule, such as a specification, policy, standard or law.

5 5 What is Compliance? com·pli·ance /kəm ˈ plīəns/ Noun 1. The action or fact of complying with a wish or command. 2. The state or fact of according with or meeting rules or standards. Synonyms agreement - consent - accord - accordance - conformity Compliance means conforming to a rule, such as a specification, policy, standard or law.

6 6 Why is Compliance Important? Compliance provides a baseline posture from which we can build more mature process and controls Compliance provides standards Compliance helps to lower risk Compliance helps to improve the quality of work Compliance helps to mitigate potential penalties

7 7 What Do We Need To Comply With? Depending on where you are within Harvard, you may need to comply with one or several of the following policies/standards: –HIPAA –FERPA –PCI –Massachusetts 201 CMR 17 –Harvard Information Security Policy –Harvard Research Data Security Policy –Contractual Obligations

8 8 What Can We Measure? Government Compliance –F–FISMA, NIST, DISA STIG, CERT Regulatory Compliance –H–HIPAA, Sarbanes-Oxley (SOX), FERPA Corporate (Institutional) Governance, Risk, and Compliance (GRC) –I–Institutional Policy, PCI, ISO 27001 And… Harvard Security Policy

9 9 How Is Measurement Accomplished? Tenable Security Center Vulnerability Scanning –Used to measure systems for vulnerabilities in Operating Systems and common applications –Uses credentialed scans to unobtrusively log into systems to analyze patch status Tenable Security Center Compliance Scanning –Uses industry standard or custom audit files to measure system configurations –Uses credentialed scans to unobtrusively log into systems

10 10 Audit Files

11 11 Audit Files

12 12 Audit Files

13 13 Scan Policy

14 14 Scan Policy

15 15 Scan Policy

16 16 Scan Policy

17 17 Add a Compliance Scan

18 18 Add a Compliance Scan

19 19 Add a Compliance Scan

20 20 Add a Compliance Scan

21 21 Analyze The Results

22 22 Analyze The Results

23 23 Analyze The Results

24 24 Analyze The Results

25 25 Analyze The Results

26 26 Analyze The Results

27 27 Analyze The Results

28 28 What Are The First Steps? Measuring systems that store or process HRCI (PII) against 10 points of the HEISP: –Private IP addressing –Host-based firewall –Vulnerability Scanning and Patching program –External logging (Splunk) –Active, up-to-date Anti-Virus software –Unique credentials, default passwords changed, shared accounts disabled –Password length and complexity –Brute force credential lock-outs –Logging of successful and unsuccessful login attempts

29 29 What Are The Next Steps? Establish a process for ongoing compliance scanning, reporting and remediation Expand the service offering to comply with other regulatory standards –HIPAA –PCI Define standard build audit files to scan for deviation

30 30 Where To Find More Information For this presentation – Harvard iSite HUIT IT Security - http://hvrd.me/13CFp4Z http://hvrd.me/13CFp4Z ithelp@harvard.edu 617-495-7777

31 31 Questions

32 Joe Zurba | HUIT IT Summit June 6, 2013 Thank you.

Download ppt "Measuring Compliance with Tenable Security Center Joe Zurba | HUIT IT Summit May 23, 2013."

Similar presentations

Agenda What is Compliance? Risk and Compliance Management

Agenda What is Compliance? Risk and Compliance Management
University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 7: Troubleshoot Security Settings and Local Security.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 7: Troubleshoot Security Settings and Local Security.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.

Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.
Bill McClanahan – Principal Business Consultant LPS Integration.

Bill McClanahan – Principal Business Consultant LPS Integration.
JARED BIRD Nagios: Providing Value Throughout the Organization.

JARED BIRD Nagios: Providing Value Throughout the Organization.
The Regulation Zoo: Dealing With Compliance Within The Firewall World

The Regulation Zoo: Dealing With Compliance Within The Firewall World
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Security Controls – What Works

Security Controls – What Works
University of Alaska System and UAF Information Technology Security Review 2007.

University of Alaska System and UAF Information Technology Security Review 2007.
Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.

Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Installing and Configuring a Secure Web Server COEN 351 David Papay.

Installing and Configuring a Secure Web Server COEN 351 David Papay.
NID Password Change Frequency PIC Submission dated 7/10/13 University Audit and Finance & Accounting Tax.

NID Password Change Frequency PIC Submission dated 7/10/13 University Audit and Finance & Accounting Tax.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
New Data Regulation Law 201 CMR 17.00. TJX Video.

New Data Regulation Law 201 CMR TJX Video.

Similar presentations

Ads by Google