ISAlliance SCAP VoIP Project Update 12 June 2009

Transcription

1 1

2 ISAlliance SCAP VoIP Project Update 12 June 2009 Lawrence G Dobranski, CISSP-ISSAP, CISM, CSSLP Leader, Security Architecture & Compliance Carrier VoIP and Applications Solutions Nortel ldobran@nortel.com (613) BUSINESS MADE SIMPLE 2

3 Agenda ISA VoIP Proposal & Status Snapshot Schedule, Deliverables & Status Scope & Objective Statement Resources Next Steps Program Meeting Schedule Technical Working Groups Meeting Backup VoIP Security Standards Participants from Industry Participants from Government 3

4 ISAlliance VoIP Proposal & Status Snapshot To lead and influence the development of industry based SCAP checklists for Voice and VoIP Security for Government, CriAcal Infrastructure and Enterprises (approved Feb 2008 ISAlliance BoD Mee9ng) VoIP Security ImplementaAon and Assurance Workshop NIST (complete, Sept 22 nd rd, 2008) SCAP Voice and VoIP Checklists: Phase I reports due Security Autma9on Conference Oct 2009 Applicability of SCAP to VoIP Baseline Standards Phase II - - proposed Based on current industry standards for Voice and VoIP Security Developed by a joint Government/Industry working groups 4

5 5 Scope, Objective & Deliverables Objective: The development of industry based Baseline SCAP checklists for Voice and VoIP Security for Government, Critical Infrastructure and Enterprises Scope: SCAP Voice and VoIP Checklists Based on current industry standards for Voice and VoIP Security Developed by a joint Government/Industry working group Deliverables: Policy Checklists for VoIP Security ( XCCDF based) XML format standardized checklist representing VoIP Security Policy: CPE Platform reference platform configuration based on source VoIP Security standards CCE Miss configuration reference configuration for VoIP systems CVSS Impact reference framework for characteristics and impacts for vulnerabilities in VoIP Systems Schema for VoIP Systems (OVAL based) XML format specifying vulnerability and configuration tests or changes A collection of XML schema for representing VoIP Solution system information, expressing specific machine states, and reporting the results of an assessment Reference implementation for VoIP Systems API Reference Implementation Reference implementation API for VoIP System Vendors, utilizing management, signaling and media plan model. VoIP Solution vendors will implement specific interpretations of the ISAlliance deliverables for their solutions.

6 Schedule, Deliverables & Status Event Plan Status Kick- off meeang with NIST to present ISA Proposal & iniaal paracipants Jointly host with NIST a VoIP Security Implementa3on and Assurance Workshop to discuss the applicability of SCAP to VoIP and to establish the need for a SCAP checklist for VoIP developed by industry. July 2008 Proposed agenda end of July 2008 Key paracipants IDed mid August 2008 Event Oct 2008 ü Complete ü At NIST s 4th Annual Informa3on Security Automa3on Conference (Sept 22nd 23rd ) ü ISAlliance presented at the conference ü ISAlliance hosted a day long workshop on the applicability of SCAP to VoIP ISA lead working groups formed to: 1) assess applicability of SCAP to VoIP, 2) to determine appropriate reference standards 6 Bi- weekly virtual meeangs Reports complete end August 2009 Reports to be presented at 5th Annual Informa3on Security Automa3on Conference (Sept 2009)

7 SCAP Applicability Working Group Status: Green Accomplishments To Date: Defined Scope of Effort (Basic VoIP Service) Just Voice, Just SIP, No SIP-trunking, No Voic Defined Reference VoIP System Near Term Work Plan (Due 7/4): Conduct TRA on Reference VoIP System Produce Control Matrix base on SP Longer Term Work Plan: Develop Future Applicability Roadmap (Due 7/18) Draft Whitepaper (Due 8/10) Produce Presentation (Due 8/31) Virtual Meetings: meets every 2 nd 1:00 PM Eastern for 1 hour Leadership: Chaired by Paul Sand, President of Salare Security 7

8 SCAP Baseline Working Group Status: Yellow Accomplishments To Date: SCAP 101 and 102 presented Near Term Work Plan (Due 7/4): Strawman work plan developed Longer Term Work Plan: Draft Whitepaper (Due 8/10) Produce Presentation (Due 8/31) Virtual Meetings: Meets every 2nd 1:00 PM Eastern for 1 hour Leadership Co chair (1): Scott Armstrong, VP at Gideon Technologies Co chair (2): TBD 8

9 Detailed Schedule Technical Working Group Meetings: 1 hour duration Applicability Working Group meets every 2 nd 1:00 PM Eastern Baseline Working Group meets every 2 nd 1:00 PM Eastern Applicability & Baseline Working Groups meet in the same week 9

10 Participants 10 Agilent Technologies, Inc. American Century Investments Assuria Ltd. AT&T Boeing Center For Internet Security City of Seattle CNA Insurance Compliance Collaborators, Inc. Damac Holding Department of Commerce Department of Veterans Affairs DHS Direct Computer Resources Disney DoD etrade Financial EWA-Canada Expedia FDA Gideon Technologies Global UniDocs Company HSBC North America IBM ICSAlabs, an Independent Division of Verizon Business Information Security and Forensics Management Team Institute for Defense Analyses Invensys Process Systems Joint Task Force-Global Network Operations Jones Day Lone Star College System ManTech McAfee Microsoft NASA National Security Agency Nortel Networks Northrop Grumman Oklahoma Office of State Finance Palindrome Technologies Pearl Technology Raytheon RedSeal Rolls Royce Salare Security Science Applications International Corporation (SAIC) Secure Acuity Networks, LLC Time Warner Cable US Department of Transportation US-CERT Vanguard VeriSign VoIPshield Systems Inc. Waters Edge Consulting

11 Backup BUSINESS MADE SIMPLE 11

12 Communications Tools -- collaboration site 12 To join contact Barry Foer:

13 13