Automating Compliance with Security Content Automation Protocol
1 Automating Compliance with Security Content Automation Protocol presented by: National Institute of Standards and Technology
2 Agenda
- Information Security Current State
- Security Content Automation Protocol Introduction
- Current Stakeholders
- Use Cases
- Validation Program Background and Status
- Possible Future Directions for SCAP
- Summary
3 Current State
[Diagram: Governance Body, Audit Team, OCIO, Operations Team, Standards Body, Product Provider and Service Provider, each placed around the four functions Compliance Management, Vulnerability Management, Configuration Management and Asset Management.]
Vulnerability and threat trend:
- Increased annual vulnerabilities
- Increased zero-day attacks
- Decreased exploit timelines
- Continued mis-configuration
- Continued exfiltration
- Continued weak links
4 What is SCAP?
- How: standardizing the format by which we communicate. The protocol: CVE, CCE, CPE, XCCDF, OVAL, CVSS.
- What: standardizing the information we communicate. The content: 70 million hits per year; 20 new vulnerabilities per day, over 6,000 per year; mis-configuration cross references; reconciles software flaws from US-CERT and MITRE repositories; produces XML feed for NVD content.
5 Convergent Evolution of Post-Compilation Software Maintenance
Milestones for NVD, SCAP and the NCP, most recent first:
- 2008: NVD will become production-ready for SCAP version
- 2007: OMB mandates use of SCAP validated tools for assessing the Federal Desktop Core Configuration (FDCC)
- 2007: NCP legacy checklists become available through the NVD Web site
- 2007: NCP promotes SCAP as the preferred format for all new checklists
- Announcements that the following guidelines will be available in SCAP format: DISA Security Technical Implementation Guides (STIG); JTF-GNO Information Assurance Vulnerability Management (IAVM) alerts; Red Hat Security Guides
- 2006: NVD becomes reference data for SCAP
- 2006: SCAP reaches Beta formulation with publication of the NIST Draft Interagency Report (IR)
- icat becomes NVD
- 2002: NCP established through the Cyber Security R&D Act of 2002
- icat established
6 National Checklist Program Hosted at National Vulnerability Database Website
7 How SCAP Works
[Diagram: a checklist (XCCDF) declares the platform it applies to (CPE) and references misconfigurations (CCE) and software flaws (CVE), each carrying a general impact (CVSS); test procedures and patches are expressed in OVAL. Commercial and government tools run the checklist and produce a report of results with the specific impact (CVSS) for the assessed system.]
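Platform applicability is the first decision a tool makes when it picks up a checklist: the benchmark names its target platform as a CPE, and the tool compares that name against the CPE names in its asset inventory before running any test. The following is an added example, not code from the NIST deck or from any SCAP tool. It parses CPE 2.2 URIs (cpe:/part:vendor:product:version:update:edition:language) and applies simple component matching, where a component the checklist leaves empty matches anything; the inventory, the checklist identifiers and the platform names are constructed for the example.

```python
# Added example (not NIST's code): checklist applicability by CPE 2.2 name.
import re
from urllib.parse import unquote

FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
# part is a, h or o (application, hardware, operating system); up to six more
# colon-separated components may follow, and trailing empty ones may be omitted.
CPE22_RE = re.compile(r"^cpe:/([aho])((?::[^:]*){0,6})$", re.IGNORECASE)


def parse_cpe22(name):
    """Return the seven CPE 2.2 components as a dict; missing ones are ''."""
    m = CPE22_RE.match(name.strip())
    if not m:
        raise ValueError("not a CPE 2.2 URI: %r" % name)
    rest = m.group(2)[1:].split(":") if m.group(2) else []
    comps = [m.group(1)] + rest
    comps += [""] * (len(FIELDS) - len(comps))
    # Components compare case-insensitively and may be percent-encoded.
    return dict(zip(FIELDS, (unquote(c).lower() for c in comps)))


def cpe_matches(pattern, target):
    """True when every component the pattern specifies equals the target's;
    an empty component in the pattern is unspecified and matches anything."""
    p, t = parse_cpe22(pattern), parse_cpe22(target)
    return all(p[f] == "" or p[f] == t[f] for f in FIELDS)


def applicable_checklists(checklists, inventory):
    """{checklist_id: [matching inventory names]} for checklists whose
    platform list matches at least one inventory entry."""
    result = {}
    for cid, platforms in checklists.items():
        hits = [h for h in inventory if any(cpe_matches(p, h) for p in platforms)]
        if hits:
            result[cid] = hits
    return result


# Constructed inventory of one desktop, as an asset scanner might report it.
INVENTORY = [
    "cpe:/o:microsoft:windows_xp::sp2",
    "cpe:/a:microsoft:ie:6.0",
    "cpe:/a:adobe:acrobat_reader:8.0",
]

# Constructed checklist catalog; the ids are hypothetical.
CHECKLISTS = {
    "xp-sp2-desktop": ["cpe:/o:microsoft:windows_xp::sp2"],
    "vista-desktop": ["cpe:/o:microsoft:windows_vista"],
    "ie7": ["cpe:/a:microsoft:ie:7.0"],
    "any-windows-xp": ["cpe:/o:microsoft:windows_xp"],
}

if __name__ == "__main__":
    for cid, hosts in applicable_checklists(CHECKLISTS, INVENTORY).items():
        print(cid, "->", hosts)
```

Note that matching is directional: a checklist for Windows XP with no update component applies to the SP2 host, but a checklist that names SP3 does not, and a checklist that names SP2 does not apply to an inventory entry that omits the service pack. That asymmetry is what keeps a scanner from running a service-pack-specific checklist against a host whose inventory data is too coarse to justify it.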
8 Linking Configuration to Compliance
Keyed on SP security controls. The Group carries the security control and its traceability to mandates; the Rule carries the rationale for a security configuration, its traceability to guidelines, and a pointer to the OVAL test procedure.

    <Group id="ia-5" hidden="true">
      <title>authenticator Management</title>
      <reference>iso/iec 17799: , </reference>
      <reference>nist : , , , , , , , , </reference>
      <reference>gao FISCAM: AC-3.2</reference>
      <reference>dod : IAKM-1, IATS-1</reference>
      <reference>dcid 6/3: 4.B.2.a(7), 4.B.3.a(11)</reference>
    </Group>
    <Rule id="minimum-password-length" selected="false" weight="10.0">
      <reference>cce-100</reference>
      <reference>disa STIG Section </reference>
      <reference>disa Gold Disk ID 7082</reference>
      <reference>pdi IAIA-12B</reference>
      <reference> Section Table A-1.4</reference>
      <reference>nsa Chapter 4 - Table 1 Row 4</reference>
      <requires idref="ia-5"/>
      <!-- pointer to OVAL test procedure -->
    </Rule>
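How the Group/Rule linkage above turns a configuration result into a compliance finding, as an added example rather than code from the deck: each Rule is checked against the host, and every failing Rule is rolled up to the control Group it requires, so the auditor's report is derived from the same evaluation the operations team ran. The benchmark XML and the login.defs excerpt are constructed for the example (the 800-53 reference text and the second CCE id are illustrative), and the CHECKS table of Python functions is a hypothetical stand-in for the OVAL test procedures a real Rule points to, with thresholds that are not taken from any guide.

```python
# Added example (not NIST's code): evaluate XCCDF-style Rules against a host
# configuration and roll failures up to the control Groups they <requires>.
# Constructed benchmark and login.defs; CHECKS stands in for OVAL procedures.
import xml.etree.ElementTree as ET

BENCHMARK = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="demo-benchmark">
  <Group id="ia-5" hidden="true">
    <title>Authenticator Management</title>
    <reference>nist 800-53: IA-5</reference>
    <reference>gao FISCAM: AC-3.2</reference>
  </Group>
  <Rule id="minimum-password-length" selected="true" weight="10.0">
    <reference>cce-100</reference>
    <requires idref="ia-5"/>
  </Rule>
  <Rule id="password-max-age" selected="true" weight="5.0">
    <reference>cce-101</reference>
    <requires idref="ia-5"/>
  </Rule>
  <Rule id="password-history" selected="false" weight="1.0">
    <requires idref="ia-5"/>
  </Rule>
</Benchmark>
"""

SAMPLE_LOGIN_DEFS = "# constructed /etc/login.defs excerpt\nPASS_MAX_DAYS 90\nPASS_MIN_LEN 8\n"

# Hypothetical checks (illustrative thresholds): rule id -> cfg -> True on pass.
CHECKS = {
    "minimum-password-length": lambda cfg: cfg.get("PASS_MIN_LEN", 0) >= 12,
    "password-max-age": lambda cfg: 0 < cfg.get("PASS_MAX_DAYS", 99999) <= 60,
}


def local(tag):
    # Strip the namespace so the walker works with or without xmlns.
    return tag.rsplit("}", 1)[-1]


def parse_login_defs(text):
    """Parse 'KEY value' lines (comments stripped); numeric values become ints."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            value = parts[1].strip() if len(parts) > 1 else ""
            cfg[parts[0]] = int(value) if value.isdigit() else value
    return cfg


def load_benchmark(xml_text):
    """Return ({group_id: group}, [rule, ...]); each entry carries id, title,
    references and the Group ids it requires."""
    groups, rules = {}, []
    for el in ET.fromstring(xml_text).iter():
        kind = local(el.tag)
        if kind not in ("Group", "Rule"):
            continue
        kids = [(local(c.tag), c) for c in el]
        entry = {
            "id": el.get("id"),
            "title": next((c.text for k, c in kids if k == "title"), ""),
            "references": [c.text.strip() for k, c in kids if k == "reference" and c.text],
            "requires": [c.get("idref") for k, c in kids if k == "requires"],
        }
        if kind == "Group":
            groups[entry["id"]] = entry
        else:  # XCCDF defaults: selected="true", weight="1.0"
            entry["selected"] = el.get("selected", "true") == "true"
            entry["weight"] = float(el.get("weight", "1.0"))
            rules.append(entry)
    return groups, rules


def evaluate(rules, cfg, checks=CHECKS):
    """Per-rule outcome using XCCDF result values."""
    results = {}
    for r in rules:
        if not r["selected"]:
            results[r["id"]] = "notselected"
        elif r["id"] not in checks:
            results[r["id"]] = "notchecked"
        else:
            results[r["id"]] = "pass" if checks[r["id"]](cfg) else "fail"
    return results


def weighted_score(rules, results):
    """Weighted pass percentage over rules that produced pass/fail (a flat
    simplification of the XCCDF default model, which scores per Group)."""
    scored = [r for r in rules if results[r["id"]] in ("pass", "fail")]
    total = sum(r["weight"] for r in scored)
    passed = sum(r["weight"] for r in scored if results[r["id"]] == "pass")
    return round(100.0 * passed / total, 1) if total else 0.0


def control_rollup(groups, rules, results):
    """Failed rules grouped under the control Groups they require, with the
    Group's mandate references: the finding an auditor reads."""
    report = {}
    for r in rules:
        if results[r["id"]] != "fail":
            continue
        for gid in r["requires"]:
            g = groups.get(gid, {"title": gid, "references": []})
            finding = report.setdefault(
                gid, {"title": g["title"], "mandates": g["references"], "failed_rules": []})
            finding["failed_rules"].append({"rule": r["id"], "references": r["references"]})
    return report
```

Run against the constructed login.defs, both selected rules fail and the roll-up yields one finding for ia-5 listing the two rule ids with their CCE references and the Group's mandate references; rules marked selected="false" are reported as notselected and excluded from the score. Stripping the namespace in `local()` matters in practice: real benchmarks declare the XCCDF namespace, and a walker that compares bare tag names silently finds nothing.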
9 Federal Risk Management Framework
- Starting point, FIPS 199 / SP: Categorize Information System. Define criticality/sensitivity of the information system according to potential impact of loss.
- FIPS 200 / SP: Select Security Controls. Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate.
- SP / SP: Supplement Security Controls. Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence.
- SP: Document Security Controls. Document in the security plan the security requirements for the information system and the security controls planned or in place.
- SP: Implement Security Controls. Implement security controls; apply security configuration settings.
- SP A: Assess Security Controls. Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements).
- SP: Authorize Information System. Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation.
- SP / SP A: Monitor Security Controls. Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
10 Integrating IT and IT Security Through SCAP
- CVE: Common Vulnerabilities and Exposures
- CPE: Common Platform Enumeration
- CCE: Common Configuration Enumeration
- XCCDF: Extensible Configuration Checklist Description Format
- OVAL: Open Vulnerability and Assessment Language
- CVSS: Common Vulnerability Scoring System
[Diagram: Vulnerability Management, Asset Management, Configuration Management and Compliance Management (with misconfiguration between them) share CVE, OVAL, CVSS, CPE, CCE and XCCDF through SCAP.]
11 Agility in a Digital World
[Diagram: Organization One and Organization Two, each with an information system, a System Security Plan, a Security Assessment Report and a Plan of Action and Milestones, joined by a business/mission information flow; each determines the risk to its own operations and assets and the acceptability of that risk.]
The objective is to achieve visibility into prospective business/mission partners' information security programs BEFORE critical/sensitive communications begin, establishing levels of security due diligence and trust.
12 Stakeholder and Contributor Landscape: Industry Product Teams and Content Contributors
[Logo slide; contributors include Ai Metrix.]
13 Stakeholder and Contributor Landscape: Federal Agencies
SCAP infrastructure, beta tests, use cases, and early adopters: DHS, NSA, OSD, DOJ, Army, OMB, IC, DISA, EPA, NIST, DOS.
14 Use Case: The Office of the Secretary of Defense Computer Network Defense Data Pilot
[Diagram, CND Data Model Overview: Asset, Vulnerability, Configuration, Event, Assessment, Incident and Threat records, each keyed by SCAP and network identifiers. Asset records carry IP, MAC, EIN, FQDN, certificate, owner, location, and hardware/software/network CPE and CCE; vulnerability records carry CVE, CPE, CVSS and remedy (CCE); events (DHCP, NAT, signature, anomaly, flow, log; CEE) carry IP/MAC, CPE, CVE and CCE; threat records carry technique, exploit (CME) and actor IP; incidents tie actor and asset IPs to CVE and CME.]
15 Use Case: The Office of Management and Budget Federal Desktop Core Configuration
OMB 31 July 2007 Memo to CIOs: Establishment of Windows XP and VISTA Virtual Machine and Procedures for Adopting the Federal Desktop Core Configurations
As we noted in the June 1, 2007 follow-up policy memorandum M-07-18, Ensuring New Acquisitions Include Common Security Configurations, a virtual machine would be established to provide agencies and information technology providers access to Windows XP and VISTA images. The National Institute of Standards and Technology (NIST), Microsoft, the Department of Defense, and the Department of Homeland Security have now established a website hosting the virtual machine images, which can be found at:
Your agency can now acquire information technology products that are self-asserted by information technology providers as compliant with the Windows XP & VISTA FDCC, and use NIST's Security Content Automation Protocol (S-CAP) to help evaluate providers' self-assertions. Information technology providers must use S-CAP validated tools, as they become available, to certify their products do not alter these configurations, and agencies must use these tools when monitoring use of these configurations.
16 SCAP Validation Labs and Products
Validated products: 5 vendors, 6 products, 7 capabilities-based validations, 2 standards-based validations.
Accredited laboratories:
- Electronic Warfare Associates (EWA) Canada
- ICSA Labs, an independent division of Verizon Business
- Science Applications International Corporation (SAIC)
- ATSEC Information Security Corporation
- COACT Incorporated, CAFE Laboratory
17 SCAP Validation In-Progress and Potential
18 Where Can SCAP Go?
- Continue to reduce the boundary between written specifications and action
- Expand to implementation and remediation of vulnerabilities and security configurations
- Extend into additional security technologies (e.g., IDS/IPS, firewall) and into other IT technologies (e.g., asset and configuration management)
- We are open to additional use cases
19 Summary
- SCAP gives us a transparent, interoperable, repeatable, and ultimately automated way to assess security software flaws and misconfiguration in the enterprise
- Efficiencies gained through SCAP give our IT security teams additional cycles to address other important aspects of IT security
- By linking compliance to configuration, SCAP makes compliance reporting a byproduct of good security, allowing IT security teams to focus on securing the enterprise
20 More Information
- National Checklist Program
- National Vulnerability Database
- SCAP Checklists or SCAP Capable Products
- SCAP Events
- NIST FDCC Web Site
- FDCC SCAP Checklists
- FDCC Settings
- Virtual Machine Images
- Group Policy Objects
- NIST SCAP Mailing Lists
21 Contact Information
100 Bureau Drive, Mailstop 8930, Gaithersburg, MD, USA
Steve Quinn (301) ; Peter Mell (301) ; Karen Scarfone (301) ; Murugiah Souppaya (301) ; Matt Barrett
Information and Feedback: (301) ; Web: ; Comments:
22 Additional Information
23 Current State: Compliance and Configuration Management
[Diagram. Compliance management: mandates (FISMA, HIPAA, SOX, DCID 6/3, COMSEC 97, DoD, ISO 17799/, vendor and 3rd-party, SP, Title III, ???) map to guides (SP, security agency guides, NSA guides and requirements, DISA STIGs & checklists, DoD IA controls, ???), giving a finite set of possible known IT risk controls and application configuration options, which each agency tailors into management, operational and technical risk controls. Configuration management: OS or application version/role (e.g., Windows XP SP1 or SP2), major patch level, environment (Enterprise, Mobile, Stand Alone, SSLF), impact rating (High, Moderate, Low) or MAC/CONF. Millions of settings to manage.]
24 Current State: Vulnerability Trends
[Chart: annual vulnerability counts, scale 0 to 9,000, as reported by CERT/CC, NVD, OSVDB and Symantec.]
- A 20-50% increase over previous years
- Decreased timeline in exploit development
- Increased prevalence of zero-day exploits
- Three of the SANS Top 20 Internet Security Attack Targets 2006 were categorized as configuration weaknesses. Many of the remaining 17 can be partially mitigated via proper configuration.
25 Security Content Automation Protocol (SCAP): Standardizing How We Communicate
- CVE, Common Vulnerabilities and Exposures: standard nomenclature and dictionary of security-related software flaws
- CCE, Common Configuration Enumeration: standard nomenclature and dictionary of software misconfigurations
- CPE, Common Platform Enumeration: standard nomenclature and dictionary for product naming
- XCCDF, Extensible Configuration Checklist Description Format: standard XML for specifying checklists and for reporting results of checklist evaluation
- OVAL, Open Vulnerability and Assessment Language: standard XML for test procedures (Cisco, Qualys, Symantec, Carnegie Mellon University)
- CVSS, Common Vulnerability Scoring System: standard for measuring the impact of vulnerabilities
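The CVSS component is the one piece of SCAP that is arithmetic rather than a dictionary or an XML schema, and the "general impact" shown on the How SCAP Works slide is its base score. The following is an added example, not code from the NIST deck or from NVD: it computes a CVSS v2 base score from a vector string and ranks findings by it. CVSS v2 is assumed to be the version the deck refers to (it was the current version in 2007-2008); the metric weights and equations are those of the v2 specification, the severity bands are NVD's v2 bands, and the finding ids and vectors in the sample are constructed.

```python
# Added example (not NIST's code): CVSS v2 base score from a vector string.
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights, from the v2 specification's equations.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
ORDER = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' (optionally parenthesised) into a
    metric -> value dict, rejecting unknown, missing or duplicate metrics."""
    metrics = {}
    for item in vector.strip().strip("()").split("/"):
        name, sep, value = item.partition(":")
        if not sep or name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError("bad metric %r in %r" % (item, vector))
        if name in metrics:
            raise ValueError("duplicate metric %r in %r" % (name, vector))
        metrics[name] = value
    missing = [m for m in ORDER if m not in metrics]
    if missing:
        raise ValueError("missing metrics %s in %r" % (", ".join(missing), vector))
    return metrics


def round1(x):
    """Round half up to one decimal (Python's round() is round-half-even)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(vector):
    """CVSS v2 base equation; a vector with no impact scores 0.0."""
    w = {k: WEIGHTS[k][v] for k, v in parse_vector(vector).items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    if impact == 0:
        return 0.0
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def severity(score):
    """NVD's CVSS v2 severity bands."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def rank(findings):
    """(id, score, severity) tuples, highest base score first, for a report."""
    scored = []
    for fid, vector in findings:
        s = cvss2_base_score(vector)
        scored.append((fid, s, severity(s)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


SAMPLE_FINDINGS = [  # constructed ids and vectors, not real CVE entries
    ("flaw-1", "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
    ("flaw-2", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    ("flaw-3", "(AV:A/AC:H/Au:S/C:P/I:N/A:N)"),
]

if __name__ == "__main__":
    for fid, score, label in rank(SAMPLE_FINDINGS):
        print(fid, score, label)
```

Two details matter when reproducing scores a tool or NVD reports: the specification rounds to one decimal half-up, which Python's built-in `round()` does not, and a vector with no confidentiality, integrity or availability impact scores 0.0 regardless of how exploitable it is, because the f(Impact) factor zeroes the whole equation.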
26 Existing Federal Content: Standardizing What We Communicate
National Checklist Program:
- Established in response to NIST being named in the Cyber Security R&D Act of 2002
- Encourages vendor development and maintenance of security guidance
- Currently hosts 114 separate guidance documents for over 141 IT products
- Translating this backlog of checklists into the Security Content Automation Protocol (SCAP)
- Participating organizations: DISA, NSA, NIST, Hewlett-Packard, CIS, ITAA, Oracle, Sun, Apple, Microsoft, Citadel, LJK, Secure Elements, ThreatGuard, MITRE Corporation, G2, Verisign, Verizon Federal, Kyocera, ConfigureSoft, McAfee, etc.
National Vulnerability Database:
- Over 70 million hits per year
- 29,000 vulnerabilities; about 20 new vulnerabilities per day
- Mis-configuration cross references to: NIST SP security controls (all 17 families and 163 controls), DoD IA Controls, DISA VMS Vulnerability IDs, Gold Disk VIDs, DISA VMS PDI IDs, NSA references, DCID, ISO
- Reconciles software flaws from: US-CERT Technical Alerts, US-CERT Vulnerability Alerts (CERT/CC), MITRE OVAL software flaw checks, MITRE CVE dictionary
- Produces XML feed for NVD content
27 SCAP Validation Program Capabilities
Table: each capability is tested against a subset of the eight columns FDCC, SCAP, CVE, CCE, CPE, XCCDF, OVAL and CVSS (X = tested). Only the first row's column positions are recoverable; for the other rows the number of tested columns is given.
- FDCC Scanner: all eight (FDCC, SCAP, CVE, CCE, CPE, XCCDF, OVAL, CVSS)
- Authenticated Configuration Scanner: 6 of 8
- Authenticated Vulnerability and Patch Scanner: 5 of 8
- Unauthenticated Vulnerability Scanner: 4 of 8
- Intrusion Detection/Prevention Systems: 4 of 8
- Patch Remediation: 4 of 8
- Mis-Configuration Remediation: 4 of 8
- Asset Management: 3 of 8
- Asset Database: 3 of 8
- Vulnerability Database: 4 of 8
- Mis-Configuration Database: 4 of 8
- Malware Tool: 4 of 8
NOTE: Xs indicate some degree of testing, but not necessarily all-inclusive testing, for the indicated standard.
NOTE: Grey font indicates capabilities that are not yet available for test.
28 SCAP Value
Features:
- Standardizes how computers communicate vulnerability information (the protocol)
- Standardizes what vulnerability information computers communicate (the content)
- Based on open standards
- Uses configuration and asset management standards
- Applicable to many different risk management frameworks (assess, monitor, implement)
- Detailed traceability to multiple security mandates and guidelines
- Keyed on NIST SP security controls
Benefits:
- Enables interoperability for products and services of various manufacture
- Enables repeatability across products and services of various manufacture
- Reduces content-based variance in operational decisions and actions
- Harnesses the collective brain power of the masses for creation and evolution
- Adapts to a wide array of use cases
- Mobilizes asset inventory and configuration information for use in vulnerability and compliance management
- Reduces time, effort, and expense of the risk management process
- Automates portions of compliance demonstration and reporting
- Reduces chance of misinterpretation between Inspector General/auditors and operations teams
- Automates portions of FISMA compliance demonstration and reporting
U.S. CONSUMER PRODUCT SAFTEY COMMISSION OFFICE OF INSPECTOR GENERAL FY 2015 FEDERAL INFORMATION SECURITY MANAGEMENT ACT REVIEW REPORT Issued: 12/8/2015 This report conveys the results of the OIG s review
More informationMark S. Orndorff Director, Mission Assurance and NetOps
Mark S. Orndorff Director, Mission Assurance and NetOps Sustaining US Global Leadership: Priorities for 21 st Century Defense Both state and non-state actors possess the capability and intent to conduct
More informationSecure Cloud Computing
Secure Cloud Computing Agenda Current Security Threat Landscape Over View: Cloud Security Overall Objective of Cloud Security Cloud Security Challenges/Concerns Cloud Security Requirements Strategy for
More informationVoIP Security Project: SCAP Applicability Work Group. www.isalliance.org
VoIP Security Project: SCAP Applicability Work Group Outline Introductions The Challenge Working Group Process Applicability of the SCAP Standards Future Needs Q&A Applicability Participants Chair of the
More informationSecurity Language for IT Acquisition Efforts CIO-IT Security-09-48
Security Language for IT Acquisition Efforts CIO-IT Security-09-48 Office of the Senior Agency Information Security Officer VERSION HISTORY/CHANGE RECORD Change Number Person Posting Change Change Reason
More information7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008
U.S. D EPARTMENT OF H OMELAND S ECURITY 7 Homeland Fiscal Year 2008 HOMELAND SECURITY GRANT PROGRAM ty Grant Program SUPPLEMENTAL RESOURCE: CYBER SECURITY GUIDANCE uidelines and Application Kit (October
More informationIntroduction to OVAL: A new language to determine the presence of software vulnerabilities
Introduction to OVAL: A new language to determine the presence of software vulnerabilities Matthew Wojcik / Tiffany Bergeron / Robert Roberge November 2003 The MITRE Corporation Table of Contents Introduction
More informationSecurity Coordination with IF-MAP
Security Coordination with IF-MAP Matt Webster, Lumeta 28 Sept 2010 Copyright 2010 Trusted Computing Group Agenda Threat Landscape and Federal Networks Recap of TNC Explanation of IF-MAP What is IF-MAP?
More informationOffice of Inspector General
Office of Inspector General DEPARTMENT OF HOMELAND SECURITY U.S. Department of Homeland Security Washington, DC 20528 Office of Inspector General Security Weaknesses Increase Risks to Critical DHS Databases
More informationINTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program
INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program FINAL REPORT NO. OIG-12-037-A SEPTEMBER 27, 2012 U.S. Department of Commerce Office
More informationMission Assurance and Security Services
Mission Assurance and Security Services Dan Galik, Chief Federation of Tax Administrators Computer Security Officer Conference March 2007 Security, privacy and emergency preparedness issues are front page
More informationNOTICE: This publication is available at: http://www.nws.noaa.gov/directives/.
Department of Commerce National Oceanic & Atmospheric Administration National Weather Service NATIONAL WEATHER SERVICE INSTRUCTION 60-703 23 April 2013 Information Technology IT Security VULNERABILITY
More informationFedRAMP Standard Contract Language
FedRAMP Standard Contract Language FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal
More informationWelcome to Modulo Risk Manager Next Generation. Solutions for GRC
Welcome to Modulo Risk Manager Next Generation Solutions for GRC THE COMPLETE SOLUTION FOR GRC MANAGEMENT GRC MANAGEMENT AUTOMATION EASILY IDENTIFY AND ADDRESS RISK AND COMPLIANCE GAPS INTEGRATED GRC SOLUTIONS
More informationHow I Learned to Stop Worrying and Love Compliance Ron Gula, CEO Tenable Network Security
How I Learned to Stop Worrying and Love Compliance Ron Gula, CEO Tenable Network Security PART 1 - COMPLIANCE STANDARDS PART 2 SECURITY IMPACT THEMES BUILD A MODEL THEMES MONITOR FOR FAILURE THEMES DEMONSTRATE
More informationImplications of Security and Accreditation for 4DWX (Information Assurance) By Scott Halvorson Forecasters Training 26 February 2009
Implications of Security and Accreditation for 4DWX (Information Assurance) By Scott Halvorson Forecasters Training 26 February 2009 Users If I [user] am doing my job, then they [DOIM] are not doing theirs!
More informationHow To Audit The Mint'S Information Technology
Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationFREQUENTLY ASKED QUESTIONS
FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication
More informationWHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK
WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...
More informationVulnerability Scanning Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014
Vulnerability Scanning Requirements and Process Clarification Disposition and FAQ 11/27/2014 Table of Contents 1. Vulnerability Scanning Requirements and Process Clarification Disposition... 3 2. Vulnerability
More informationOpen Vulnerability and Assessment Language (OVAL ) Validation Program Test Requirements (DRAFT)
NIST Interagency Report 7669(Draft) Open Vulnerability and Assessment Language (OVAL ) Validation Program Test Requirements (DRAFT) John Banghart Stephen Quinn David Waltermire NIST Interagency Report
More information6. Exercise: Writing Security Advisories
CERT Exercises Toolset 49 49 6. Exercise: Writing Security Advisories Main Objective Targeted Audience Total Duration Time Schedule Frequency The objective of the exercise is to provide a practical overview
More informationSECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES
REQUIREMENT 6.1 TO 6.2 SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES 6.1 TO 6.2 OVERVIEW In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, [company
More informationAppSentry Application and Database Security Auditing
AppSentry Application and Database Security Auditing May 2014 Stephen Kost Chief Technology Officer Integrigy Corporation About Integrigy ERP Applications Oracle E-Business Suite Databases Oracle and Microsoft
More informationThe Fundamental Difference Between SIEM & Log Management Solutions: State vs. Event Data
The Fundamental Difference Between SIEM & Log Management Solutions: State vs. Event Data An EiQ Networks White Paper The Fundamental Difference Between SIEM & Log Management Solutions: State vs. Event
More informationReport: Symantec Solutions for Federal Government: CyberScope
CyberScope and Tighter Cybersecurity y Reporting Requirements: Are You Ready? Report: Symantec Solutions for Federal Government: CyberScope CyberScope and Tighter Cybersecurity y Reporting Requirements:
More informationIntro to QualysGuard IT Risk & Asset Management. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe
Intro to QualysGuard IT Risk & Asset Management Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe A Unified and Continuous View of ICT Security, Risks and Compliance
More informationAccess FedVTE online at: fedvte.usalearning.gov
FALL 2015 Access FedVTE online at: fedvte.usalearning.gov If you need any assistance please contact the FedVTE Help Desk her e or email the Help Desk at support@usalearning.net. To speak with a Help Desk
More informationIn Brief. Smithsonian Institution Office of the Inspector General
In Brief Smithsonian Institution Office of the Inspector General Smithsonian Institution Network Infrastructure (SINet) Report Number A-09-01, September 30, 2009 Why We Did This Audit Under the Federal
More informationStrategic Plan On-Demand Services April 2, 2015
Strategic Plan On-Demand Services April 2, 2015 1 GDCS eliminates the fears and delays that accompany trying to run an organization in an unsecured environment, and ensures that our customers focus on
More informationNATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL
NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
More information