ACR 2 Solutions, Inc.: Simplifying Information Security Compliance (May 2009)
TRANSCRIPT
Page 1: ACR 2 Solutions, Inc. Simplifying Information Security Compliance
May 2009
Save tremendous resources and time with Automated Risk Assessments
Risk Reporter Family
Page 2: About ACR 2 Solutions
We are a developer of enterprise-level, real-time risk management software.
Simple, elegant, easy-to-use compliance solutions.
Tools to support regulatory laws and regulations such as FISMA, GLBA, HIPAA, NAIC, NERC and PCI DSS.
Risk and compliance solutions for public, private and government organizations.
Risk and compliance solutions that lower the total cost of (information security) compliance (TCC).
Page 3: Risk Reporter Overview
What is Risk Reporter? Why do I need it? How does it work? Where can I see it or try it? Where can I get more information?
Page 5: What is Risk Reporter?
Risk Reporter is a family of “near real-time” automated risk assessments for companies wanting to implement “best practices” compliance or regulated under:
FISMA – Federal Information Security Management Act
GLBA – Gramm-Leach-Bliley Act
NAIC – National Association of Insurance Commissioners
HIPAA – Health Insurance Portability and Accountability Act
PCI-DSS – Payment Card Industry Data Security Standard
All of the above regulations will soon have to support continuous monitoring of risk as required by NIST 800-39.
Page 7: Why Automate Risk Assessments?
[Figure: partial display of the almost-current NIST and FIPS referenced documents]
Page 8: Definitions of Terms – Relationships of terms
A Threat Agent gives rise to a Threat, which exploits a Vulnerability, which leads to a Risk, which can damage an Asset and cause an Exposure, which can be counter-measured by a Safeguard, which directly affects the Threat Agent.
Page 9: Definitions of Terms – Technical Terminology
UTMs – Unified Threat Management devices: a firewall with secure access, IPS, AV, logging and other functions
IDS/IPS – Intrusion Detection System / Intrusion Prevention System: these systems monitor attempted or actual access to the network
SCAP – Security Content Automation Protocol: a Department of Homeland Security initiative to standardize results
SCAP-validated vulnerability scanner: a network vulnerability scanner that has passed the SCAP validation test
Page 11: How does it work?
Three types of input to Risk Assessment:
1. Management Data
2. Policy Data
3. Technical Controls: SCAP vulnerability scanners; UTM / IPS / firewall syslog
This is the most difficult to answer: 600 or more items.
Generate the compliance reports. Use the ‘Gap’ report to prioritize remediation and put safeguards in place.
Page 12
Daily upload of SCAP-validated network scan
Daily upload of Fortinet IPS data
Input any policy updates, revisions or changes
Request and obtain 800-30 Risk Report
And on and on and on...
Page 13: H.R. 2458 (FISMA) § 3544. Federal agency responsibilities
(a) … The head of each agency shall ... (2) ensure that senior agency officials provide information security ... through— (A) assessing the risk; (B) determining the ... information security appropriate; (C) implementing policies and procedures ...; (D) periodically testing ... security controls.
Risk Reporter
Page 14: FISMA and NIST Protocols
How is a FISMA-compliant risk assessment done?
FISMA risk assessment procedures are in NIST Special Publication 800-30.
NIST protocols are binding on agencies one year after publication. 800-30 was published in 2002. An update is expected in July of 2008.
Page 15: What is Risk?
“Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence” (NIST 800-30, p1).
Page 16: Vulnerability and Risk
Vulnerability assessment is a part of risk assessment. Probability and impact must also be considered. Vulnerability assessment alone cannot meet the FISMA requirements for risk assessment.
Page 17: Vulnerability Scanning
“Organizations should keep in mind that a CVSS score only assesses the relative severity of a vulnerability when compared to other vulnerabilities, and does not take into account any security controls that might mitigate exploitation attempts…” (NISTIR 7435, p22)
Page 18: Vulnerability vs. Risk
NIST 800-30 (page 21) defines probability of risk as follows:
High - The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Page 19: Automated Risk Management Using Risk Reporter
Required steps for a NIST risk assessment:
Step 1 System Characterization (Section 3.1)
Step 2 Threat Identification (Section 3.2)
Step 3 Vulnerability Identification (Section 3.3)
Step 4 Control Analysis (Section 3.4)
Step 5 Likelihood Determination (Section 3.5)
Step 6 Impact Analysis (Section 3.6)
Step 7 Risk Determination (Section 3.7)
Step 8 Control Recommendations (Section 3.8)
Step 9 Results Documentation (Section 3.9)
(NIST 800-30, p8)
Page 20: 3.1 System Characterization
Questionnaires, document review and automated scanning tools (800-30, p12).
3.1 Risk Reporter System Characterization
The SCAP-validated scanner Secutor Magnus is available as a bundle with Risk Reporter, but we support most scanners.
Risk Reporter includes an extensive policy questionnaire keyed to ALL of the NIST minimum safeguards.
Page 21: Risk Reporter Scan
Page 22: Risk Reporter Questions
Page 23: 3.2 Threat Identification
Natural threats, human threats and environmental threats (800-30, p13).
Microsoft’s classification of threats (1999): Natural Disasters, Human Error, Malicious Insiders and Malicious Outsiders.
Page 24: Security Threats
Page 25: 3.3 Vulnerability Sources
National Vulnerability Database (NVD), which superseded the I-CAT database (800-30, p16).
More than 36,000 vulnerabilities are incorporated into the Risk Reporter SCAP-validated scanner.
Areas of vulnerability in the management, operational and technical areas all need to be considered (800-30, p18).
Page 26: 3.3 Vulnerability Sources
Vulnerability sources arise from:
Management: procedure implementation and internal controls
Operational: data acquisition, data storage, data retrieval, data modification and data transmission
Page 27: 3.3 Vulnerability Sources
Vulnerability sources also arise from:
Technical: system design
Environmental: wind, fire, flood, power loss and vehicle collision
Page 28: 3.4 Controls Analysis
The 800-30 process was dramatically simplified by the 2005 publication of 800-53, “Recommended Security Controls for Federal Systems.”
Page 29: 3.4 Controls Analysis
The frequently updated 800-53 list, in conjunction with the SCAP-validated scan engine, is the basis for much of the Automated Risk Management program from the ACR process.
Two key elements in control analysis are anti-virus protection and intrusion protection. Both are highly important precautions provided by Fortinet.
Page 30: 3.5 Likelihood Determination
For an 800-30 risk assessment, likelihood has a specific legal meaning:
High - The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium - The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Page 31: 3.5 Likelihood Determination
Low - The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
Since 2004, cybercrime has exceeded illegal drugs as the #1 criminal enterprise.
Threat-source capability may be assumed.
Page 32: 3.5 Likelihood Determination
Map Controls to Vulnerabilities
List all of the safeguards of NIST 800-53. Map safeguards to the four threat sources (Environmental, Human Error, Malicious Insider and Malicious Outsider) by inspection.
Map safeguards to subsections within each threat source.
Page 33: 3.5 Likelihood Determination
Although 800-30 allows the option of higher levels of granularity, Risk Reporter has kept the recommended settings of Low, Medium and High.
NIST 800-39 is the “flagship document” of the NIST 800 series of FISMA compliance guidance documents. Page 1 notes that “Managing risk is not an exact science.”
Page 34: 3.6 Impact Analysis
Impact levels under 800-30 have very specific definitions.
High - Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.
Page 35: 3.6 Impact Analysis
Medium - Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury.
Low - Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest.
Page 36: 3.6 Impact Analysis Example
The calculation of impact levels also maps to 800-53 safeguards in a fairly obvious fashion.
For example, a system that does not meet the requirements of safeguard CP-9 (Information System Backup) will be much more impacted by fire than a system which is compliant with CP-9 and has a well-written contingency plan (CP-2) that includes training (CP-3) and testing (CP-4).
Page 37: 3.7 Risk Determination
The calculation algorithm for the risk assessment is given on page 25 of 800-30. Low, Medium and High likelihoods of adverse events are scored at 0.1, 0.5 or 1.0, respectively.
In the same manner, Low, Medium and High impacts are scored at 10, 50 and 100, respectively.
By multiplying the likelihood score and the impact score, a risk score from 1 (low) to 100 (high) is calculated.
Page 38: 3.8 Control Recommendations
The Risk Reporter Gap Analysis report gives a mapping of the featured safeguards which are missing against the identified risks, in order of impact. This report may be used to prioritize changes in safeguards.
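The 3.7 scoring rule and the 3.8 gap ordering, worked through as an added example (not ACR 2 Solutions' Risk Reporter code). It assumes, per slide 31, that threat-source capability is a given, so the 800-30 likelihood level follows from the state of the controls guarding each vulnerability; the 800-53 control ids and findings are constructed sample data.

```python
"""NIST SP 800-30 risk determination (3.7) and gap report (3.8) as in the deck.
Added example, not ACR 2 Solutions' Risk Reporter code; the 800-53 ids and
the findings below are constructed sample data."""
from dataclasses import dataclass

# 800-30 (p. 25) ratings: likelihood 0.1/0.5/1.0, impact 10/50/100, risk = product.
LIKELIHOOD_SCORE = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_SCORE = {"Low": 10, "Medium": 50, "High": 100}
# With threat-source capability assumed (slide 31), the 800-30 likelihood
# definitions reduce to how well the controls guard the vulnerability.
LIKELIHOOD_FROM_CONTROLS = {"ineffective": "High", "impedes": "Medium", "prevents": "Low"}

@dataclass
class Finding:
    threat_source: str          # Environmental, Human Error, Malicious Insider/Outsider
    vulnerability: str
    control_state: str          # ineffective | impedes | prevents
    impact: str                 # Low | Medium | High
    missing_safeguards: tuple   # 800-53 controls not met (constructed ids)

def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood score x impact score, giving 1 (low) to 100 (high)."""
    return round(LIKELIHOOD_SCORE[likelihood] * IMPACT_SCORE[impact], 1)

def risk_level(score: float) -> str:
    """800-30 risk scale (Table 3-6): Low 1-10, Medium >10-50, High >50-100."""
    return "High" if score > 50 else "Medium" if score > 10 else "Low"

def assess(f: Finding) -> dict:
    likelihood = LIKELIHOOD_FROM_CONTROLS[f.control_state]
    score = risk_score(likelihood, f.impact)
    return {"threat_source": f.threat_source, "vulnerability": f.vulnerability,
            "likelihood": likelihood, "impact": f.impact, "score": score,
            "level": risk_level(score), "missing": f.missing_safeguards}

def baseline_report(findings) -> list:
    """Baseline report: risks ordered by threat source, highest score first."""
    return sorted((assess(f) for f in findings),
                  key=lambda r: (r["threat_source"], -r["score"]))

def gap_report(findings) -> list:
    """Gap report: each missing safeguard with the worst impact and risk score
    it leaves open, ordered by impact then score, for remediation priority."""
    gaps = {}
    for r in (assess(f) for f in findings):
        for ctl in r["missing"]:
            g = gaps.setdefault(ctl, {"impact": 0, "score": 0.0, "risks": []})
            g["impact"] = max(g["impact"], IMPACT_SCORE[r["impact"]])
            g["score"] = max(g["score"], r["score"])
            g["risks"].append(r["vulnerability"])
    return sorted(gaps.items(), key=lambda kv: (-kv[1]["impact"], -kv[1]["score"], kv[0]))

# Constructed findings, one per threat source, mirroring the CP-9 fire example.
SAMPLE_FINDINGS = [
    Finding("Environmental", "Fire in server room, no off-site backup", "ineffective", "High", ("CP-9", "CP-2")),
    Finding("Malicious Outsider", "Unpatched service found by SCAP scan", "impedes", "Medium", ("SI-2",)),
    Finding("Malicious Insider", "Shared admin account, no audit log", "ineffective", "Medium", ("AC-2", "AU-2")),
    Finding("Human Error", "Accidental record deletion, restore untested", "prevents", "Low", ("CP-4",)),
]
```

Note that a score of exactly 50 (High likelihood, Medium impact) lands in the Medium band, so the band boundaries, not just the product, decide how a gap is ranked.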
Page 39: 3.8 Control Recommendations
Page 40: 3.9 Results Documentation
Upon completion of the Automated Risk Management program from the Risk Reporter risk assessment, the initial set of data will produce two reports: a “Baseline Report” showing the risk scores ordered by threat source, and a “Risk Assessment Chart.”
Samples are shown on the next slide.
Page 41: Reports
Page 42: Reports
Page 43: Reports
Page 44: Gap Report
Page 45: FISMA Compliance Report
Page 46: Enterprise
Page 47: Risk Reporter
1. What is it?
2. Why do my customers want it?
3. How does it work?
4. Where can I see it?
5. Who has more information?
Page 48: How can I try it?
Free Demo Kits with licenses
Government Technology Solutions, 800-326-5683, [email protected]
Page 49: Thanks for your attendance
One DC agency just did one of these assessments manually.
They want this automation software!