Post on 25-Aug-2020
Compliance ≠ Security
(But, we’re getting closer) Rich Banta, Co-Owner & CISO, Lifeline Data Centers, LLC
Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org
• FedRAMP-Ready • HITRUST CSF Certified • PCI DSS AoC/RoC • SOC2 • IRS-1075
Rich Banta • CISSP • CCSP • CISA • CRISC • CFCP • CDCDP • CTIA • CTDC
Compliance ≠ Security
Why does Compliance ≠ Security?
• Compliance is Checklist-Based
• Compliance depends on Audits
• Audits assess a point in time
Compliance ≠ Security
What efforts are being made to address the point-in-time shortcoming?
• CMP: Continuous Monitoring Program
Compliance ≠ Security
CMP: FedRAMP’s approach to Continuous Monitoring
Compliance ≠ Security
The FedRAMP Moderate Baseline contains 326 controls*.
*And an additional ~70 control enhancements
Compliance ≠ Security
The FedRAMP CMP calls for continuous ongoing monitoring and reporting on 58 of the 326 controls.
Compliance ≠ Security
NIST 800-53 R4 Control RA-5:
• Vulnerability Scanning
– RA-5a: OS/infrastructure/web application/database scans
– Scan results must be submitted in FedRAMP-specific dashboard format
– RA-5d: Provide artifacts to ISSO showing high-risk vulnerabilities have been mitigated in 30 days and moderate-risk vulnerabilities within 90 days
– POA&M
Compliance ≠ Security
NIST 800-53 R4 Control CM-7(1)a:
• Least Functionality
– Identify and eliminate unnecessary functions, ports, protocols, and/or services
– PPSM (Ports, Protocols, and Services Management)
Compliance ≠ Security
NIST 800-53 R4 Control CM-8(3)a:
• Information System Component Inventory
– Automated detection of new assets
– Reports submitted monthly
– Vulnerability scan must = Inventory scan = PPSM = NAC, etc.
Compliance ≠ Security
Lifeline has no internal wireless networks.
(This includes the DMZ)
Compliance ≠ Security
This precludes having an IoT, or Internet of Things Idiocy
Compliance ≠ Security
(But, we’re getting closer)
Questions? Comments? Rich Banta, Co-Owner & CISO, Lifeline Data Centers, LLC
Thank you for your time and interest! Rich Banta, Co-Owner & CISO, Lifeline Data Centers, LLC