Published by Cory Shelton. Modified over 9 years ago.
1
ACR 2 Solutions, Inc. Simplifying Information Security Compliance May 2009
2
We are a developer of enterprise-level real-time risk management software.
- Simple, elegant, easy-to-use compliance solutions.
- Tools to support regulatory laws and regulations such as FISMA, GLBA, HIPAA, NAIC, NERC and PCI DSS.
- Risk and compliance solutions for public, private and government organizations.
- Risk and compliance solutions that lower the total cost of (information security) compliance (TCC).
3
What is Risk Reporter ? Why do I need it? How does it work? Where can I see it or try it? Where can I get more information?
4
What is Risk Reporter ? Why do I need it? How does it work? Where can I see it or try it? Where can I get more information?
5
Risk Reporter: a family of “near real-time” automated risk assessments for companies wanting to implement “best practices” compliance or regulated under:
- FISMA – Federal Information Security Management Act
- GLBA – Gramm-Leach-Bliley Act
- NAIC – National Assoc. of Insurance Commissioners
- HIPAA – Health Info. Portability and Accountability Act
- PCI-DSS – Payment Card Ind. - Digital Security Standard
All of the above regulations will soon have to support continuous monitoring of risk, as required by NIST 800-39.
6
What is Risk Reporter ? Why do I need it? How does it work? Where can I see it or try it? Where can I get more information?
7
[Slide graphic: partial display of almost current NIST and FIPS referenced documents]
8
[Slide diagram: relationship of Threat, Vulnerability, Risk, Asset, Exposure and Safeguard]
Threat (gives rise to / exploits) -> Vulnerability (leads to) -> Risk (can damage) -> Asset (and cause an) -> Exposure (can be counter-measured by a) -> Safeguard (directly affects) -> Threat
9
Technical Terminology
- UTMs – Unified Threat Management devices: a firewall with secure access, IPS, AV, logging and other functions.
- IPS/IDS – Intrusion Prevention System / Intrusion Detection System: these systems monitor attempted or actual access to the network.
- SCAP – Security Content Automation Program: a Department of Homeland Security initiative to standardize results.
- SCAP validated vulnerability scanner: a network vulnerability scanner that has passed the SCAP validation test.
10
What is Risk Reporter ? Why do I need it? How does it work? Where can I see it or try it? Where can I get more information?
11
Three types of input to Risk Assessment:
1. Management Data
2. Policy Data – this is the most difficult to answer (600+ questions).
3. Technical Controls – SCAP vulnerability scanners; UTM / IPS / firewall syslog.
Generate the compliance reports. Use the ‘Gap’ report to prioritize remediation and put safeguards in place.
13
H. R. 2458 (FISMA) § 3544. Federal agency responsibilities
(a) …The head of each agency shall...
(2) ensure that senior agency officials provide information security... through—
(A) assessing the risk
(B) determining the...information security appropriate
(C) implementing policies and procedures...
(D) periodically testing...security controls
14
How is a FISMA-compliant risk assessment done?
FISMA risk assessment procedures are in NIST Special Publication 800-30. NIST protocols are binding on agencies one year after publication. 800-30 was published in 2002. An update is expected in July of 2008.
15
“Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence” (NIST 800-30, p1).
16
Vulnerability assessment is a part of Risk Assessment. Probability and impact must also be considered. Vulnerability assessment alone cannot meet the FISMA requirements for Risk Assessment.
17
"Organizations should keep in mind that a CVSS score only assesses the relative severity of a vulnerability when compared to other vulnerabilities, and does not take into account any security controls that might mitigate exploitation attempts…” (NISTIR 7435, p 22)
18
NIST 800-30 (page 21) defines probability of risk as follows: High – the threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
19
Required Steps for a NIST Risk Assessment (NIST 800-30, p8)
Step 1 System Characterization (Section 3.1)
Step 2 Threat Identification (Section 3.2)
Step 3 Vulnerability Identification (Section 3.3)
Step 4 Control Analysis (Section 3.4)
Step 5 Likelihood Determination (Section 3.5)
Step 6 Impact Analysis (Section 3.6)
Step 7 Risk Determination (Section 3.7)
Step 8 Control Recommendations (Section 3.8)
Step 9 Results Documentation (Section 3.9)
20
3.1 System Characterization
Questionnaires, document review and automated scanning tools (800-30, p12).
Risk Reporter: the SCAP validated scanner Secutor Magnus is available as a bundle with Risk Reporter, but we support most scanners. Risk Reporter includes an extensive policy questionnaire keyed to ALL of the NIST minimum safeguards.
23
Natural threats, human threats and environmental threats (800-30, p13).
Microsoft’s classification of threats (1999): Natural Disasters, Human Error, Malicious Insiders and Malicious Outsiders.
25
The National Vulnerability Database (NVD) superseded the I-CAT database (800-30, p16). Its more than 36,000 vulnerabilities are incorporated into the Risk Reporter SCAP validated scanner.
Areas of vulnerability in management, operational and technical areas all need to be considered (800-30, p18).
26
Vulnerability sources arise from:
- Management: procedure implementation and internal controls
- Operational: data acquisition, data storage, data retrieval, data modification and data transmission
27
Vulnerability sources also arise from:
- Technical: system design
- Environmental: wind, fire, flood, power loss and vehicle collision
28
The 800-30 process was dramatically simplified by the 2005 publication of 800-53, “Recommended Security Controls for Federal Systems.”
29
The frequently updated 800-53 list, in conjunction with the SCAP validated scan engine, is the basis for much of the Automated Risk Management program in the ACR process. Two key elements in control analysis are anti-virus protection and intrusion protection. Both are highly important precautions provided by Fortinet.
30
For an 800-30 risk assessment, likelihood has a specific legal meaning:
High – The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium – The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
31
Low – The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
Since 2004, cybercrime has exceeded illegal drugs as the #1 criminal enterprise; threat-source capability may be assumed.
32
Map Controls to Vulnerabilities
- List all of the safeguards of NIST 800-53.
- Map safeguards to the four threat sources (Environmental, Human Error, Malicious Insider and Malicious Outsider) by inspection.
- Map safeguards to subsections within each threat source.
33
Although 800-30 allows the option of higher levels of granularity, Risk Reporter has kept the recommended settings of Low, Medium and High. NIST 800-39 is the “flagship document” of the NIST 800 series of FISMA compliance guidance documents. Page 1 notes that “Managing risk is not an exact science.”
34
Impact levels under 800-30 have very specific definitions.
High – Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.
35
Medium – Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury.
Low – Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest.
36
The calculation of impact levels also maps to 800-53 safeguards in a fairly obvious fashion. For example, a system that does not meet the requirements of safeguard CP-9 (Information System Backup) will be much more impacted by fire than a system which is compliant with CP-9 and has a well-written contingency plan (CP-2) that includes training (CP-3) and testing (CP-4).
37
The calculation algorithm for the risk assessment is given on page 25 of 800-30. Low, Medium, and High likelihoods of adverse events are scored at 0.1, 0.5 or 1.0, respectively. In the same manner, Low, Medium, and High impacts are scored at 10, 50 and 100 respectively. By multiplying the likelihood score and the impact score, a risk score from 1 (low) to 100 (high) is calculated.
38
The Risk Reporter Gap Analysis report gives a mapping of the featured safeguards which are missing, against the identified risks in order of impact. This report may be used to prioritize changes in safeguards.
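The scoring arithmetic on the previous slide (likelihood 0.1/0.5/1.0 times impact 10/50/100), the control-to-vulnerability mapping of slides 32 and 36, and the ordering of the gap report described above can be shown end to end in a short script. The following Python is an added worked example written for this page; it is not ACR 2 Solutions code and not how Risk Reporter itself is implemented. The control identifiers (CP-2, CP-3, CP-4, CP-9, SI-2, RA-5, AC-2, AU-2, CM-3) are real NIST 800-53 control ids, but the findings, the mapping of controls to findings, the set of implemented controls, and the rule that likelihood is driven by control coverage alone (the slide's "threat-source capability may be assumed") are all constructed assumptions for illustration. The Low/Medium/High banding of the final score follows the 800-30 risk-level matrix as the author of this example recalls it (1 to 10 Low, above 10 to 50 Medium, above 50 to 100 High).

```python
from dataclasses import dataclass

# Scores quoted from 800-30 p25 on the slide.
LIKELIHOOD_SCORE = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_SCORE = {"Low": 10, "Medium": 50, "High": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood score x impact score: 1 (Low/Low) up to 100 (High/High)."""
    return LIKELIHOOD_SCORE[likelihood] * IMPACT_SCORE[impact]


def risk_level(score: float) -> str:
    """Band a score back to a level (800-30 risk-level matrix, as recalled):
    1-10 Low, >10-50 Medium, >50-100 High."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Finding:
    threat_source: str   # one of the four threat sources on slide 32
    vulnerability: str
    safeguards: tuple    # 800-53 control ids mapped to this vulnerability (assumed mapping)
    impact: str          # Low / Medium / High from the impact analysis (step 6)


def likelihood_from_controls(finding: Finding, implemented: set) -> str:
    """Control analysis feeding likelihood (steps 4 and 5). Assumption for this
    example: capability is taken as given, so likelihood depends only on
    coverage, following the three 800-30 definitions on slides 30/31:
    all mapped safeguards present -> Low; some present -> Medium; none -> High."""
    present = sum(1 for s in finding.safeguards if s in implemented)
    if present == len(finding.safeguards):
        return "Low"
    if present > 0:
        return "Medium"
    return "High"


def assess(findings, implemented):
    """Step 7, risk determination: one scored row per finding."""
    rows = []
    for f in findings:
        lik = likelihood_from_controls(f, implemented)
        score = risk_score(lik, f.impact)
        missing = tuple(s for s in f.safeguards if s not in implemented)
        rows.append({"threat_source": f.threat_source, "vulnerability": f.vulnerability,
                     "likelihood": lik, "impact": f.impact, "score": score,
                     "level": risk_level(score), "missing": missing})
    return rows


def baseline_report(rows):
    """Baseline report: scores grouped by threat source, highest first in each group."""
    by_source = {}
    for r in sorted(rows, key=lambda r: -r["score"]):
        by_source.setdefault(r["threat_source"], []).append(r)
    return by_source


def gap_report(rows):
    """Gap report: only findings with missing safeguards, highest risk first
    (ties broken by impact), so the missing controls can be prioritised."""
    open_rows = [r for r in rows if r["missing"]]
    return sorted(open_rows, key=lambda r: (-r["score"], -IMPACT_SCORE[r["impact"]]))


# Constructed sample input: one finding per threat source.
SAMPLE_FINDINGS = (
    Finding("Environmental", "Fire destroys primary data centre",
            ("CP-2", "CP-3", "CP-4", "CP-9"), "High"),
    Finding("Malicious Outsider", "Unpatched web server (scanner finding)",
            ("SI-2", "RA-5"), "High"),
    Finding("Malicious Insider", "Shared administrator credentials",
            ("AC-2", "AU-2"), "Medium"),
    Finding("Human Error", "No change review before production deploy",
            ("CM-3",), "Low"),
)
# Constructed: the safeguards this hypothetical organisation has implemented.
SAMPLE_IMPLEMENTED = {"CP-2", "CP-9", "AU-2", "RA-5", "SI-2"}

if __name__ == "__main__":
    rows = assess(SAMPLE_FINDINGS, SAMPLE_IMPLEMENTED)
    for source, group in baseline_report(rows).items():
        print(source, [(r["vulnerability"], r["score"]) for r in group])
    for r in gap_report(rows):
        print(f'{r["score"]:5.1f} {r["level"]:6} {r["vulnerability"]}: missing {r["missing"]}')
```

With the constructed data the fire scenario scores 50 (Medium likelihood, since CP-3 and CP-4 are missing, times High impact) and heads the gap report; the fully covered web-server finding scores 10 and does not appear in it at all, which is the point of the slide: a vulnerability with effective safeguards is not the same risk as the same vulnerability without them.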
40
Upon completion of the Automated Risk Management program from the Risk Reporter risk assessment, the initial set of data will produce two reports: a “Baseline Report” showing the risk scores ordered by threat source, and a “Risk Assessment Chart.” Samples are shown on the next slide.
47
1. What is it?
2. Why do my customers want it?
3. How does it work?
4. Where can I see it?
5. Who has more information?
48
Free Demo Kits with licenses
Government Technology Solutions
800-326-5683
info@gvTechSolutions.com
49
One DC agency just did one of these assessments manually. They want this automation software!